diff --git a/clusters/mitre-enterprise-attack-relationship.json b/clusters/mitre-enterprise-attack-relationship.json deleted file mode 100644 index 39d53a8..0000000 --- a/clusters/mitre-enterprise-attack-relationship.json +++ /dev/null @@ -1,17277 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Enterprise Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-enterprise-attack-relationship", - "uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c", - "values": [ - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" - }, - "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", - "value": "menuPass (G0045) uses EvilGrab (S0152)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "ea61c268-d0d1-4cbe-8b26-16f70f515a04", - "value": "Remsec (S0125) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "04ecc705-0027-4dda-85fe-d6ce028ef05e", - "value": "SEASHARPEE (S0185) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41d61146-4a42-4897-b4a1-a706130a322d", - "value": "APT3 (G0022) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "ed2c177c-18fc-4bfd-9169-48af1557a542", - "value": "Cherry Picker (S0107) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ab3ac76f-5ddc-44dc-bb2f-670d6bf08e0b", - "value": "Shamoon (S0140) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "eb91c7d8-2cfb-4d8b-905a-d146bc8178e2", - "value": "BRONZE BUTLER (G0060) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "bd83109f-198a-43b0-a4c9-c13dd671c2da", - "value": "OilRig (G0049) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "644b6c21-90f0-43b7-8da4-7f6f24ddabb6", - "value": "APT28 (G0007) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d7e57ff2-f14b-44fa-97e3-8bc976cb9bd5", - "value": "Remsec (S0125) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0", - "value": "ISMInjector (S0189) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "5599906d-5be3-420c-9f84-e762d85c2511", - "value": "EvilGrab (S0152) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "47f521b8-37e4-489d-b6eb-25f35de80aae", - "value": "Magic Hound (G0059) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "a317b097-b819-441b-b344-9f129ba6cb40", - "value": "FIN6 (G0037) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "e76b1b21-17c1-4e3b-ac3a-92fb8afc4130", - "value": "APT34 (G0057) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "62c8913c-c193-4feb-ab58-88343838336d", - "value": "MiniDuke (S0051) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "f879eea1-2a05-484d-adbb-c3504813fc5d", - "value": "Ke3chang (G0004) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "8447c89e-a743-430e-8ef5-41abfcde1a01", - "value": "Group5 (G0043) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4" - }, - "uuid": "b349ef5f-4a05-4eef-afe4-1543b8c832fa", - "value": "Sandworm Team (G0034) uses BlackEnergy (S0089)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "b6fc7740-4e5f-4f4c-8b1e-d0e3368eee03", - "value": "ADVSTORESHELL (S0045) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2" - }, - "uuid": "55f58d30-b633-4094-97bb-6ab872c0f480", - "value": "APT32 (G0050) uses SOUNDBITE (S0157)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "70a93fc8-83c0-4407-8224-ae447af1235a", - "value": "WinMM (S0059) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "521146dd-185d-4a8c-a3b4-b3caedbc7a14", - "value": "DownPaper (S0186) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "b0d10c67-94bf-4bb3-8122-6f4d9e8106c1", - "value": "Third-party Software Mitigation (T1072) mitigates Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "0d9114a6-6452-4668-95eb-f91bcb300d2d", - "value": "TEXTMATE (S0146) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "4d68b3eb-9689-4a6d-b6ab-367fbc5ddade", - "value": "Deep Panda (G0009) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0a507d28-ef6b-417b-a968-e82608e8b6a8", - "value": "Magic Hound (G0059) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", - "target-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65" - }, - "uuid": "ef2b823b-2fb1-442a-9d91-cf088242f6a6", - "value": "Execution through Module Load Mitigation (T1129) mitigates Execution through Module Load (T1129)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "c327c333-46c4-4e23-81e0-2f0e07c24c11", - "value": "BACKSPACE (S0031) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "fb6a804a-1929-4c13-a78d-1cf724c09e77", - "value": "RIPTIDE (S0003) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5" - }, - "uuid": "a4106a52-b3e7-4aa9-b2ca-125f206dbf91", - "value": "Scarlet Mimic (G0029) uses CallMe (S0077)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "da395019-238a-4c4e-b4cd-43947e8aa019", - "value": "FIN6 (G0037) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "af883d09-3f26-4267-9081-4783447e3283", - "value": "gh0st (S0032) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d0b2e189-e764-44ec-9373-2f23212f6a45", - "value": "RawPOS (S0169) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "115562b8-9d7c-435e-af6e-0be6249742d0", - "value": "Lazarus Group (G0032) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "22ccfcb8-cb4a-4b9e-bc2d-c0bd2701e2e9", - "value": "APT28 (G0007) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "78b504a4-2bdd-44dd-b954-a7fa120f1efd", - "value": "Flame (S0143) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "510c2f8c-4570-4c19-8c36-7004f8bbf561", - "value": "Stealth Falcon (G0038) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "27b05a62-5310-40d9-9e49-b4dce3afad55", - "value": "Darkhotel (G0012) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a8b248fe-a27c-40fd-83d5-f4382035d656", - "value": "APT3 (G0022) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "c8b0afbb-12eb-4b45-a1e1-b11755de2976", - "value": "StreamEx (S0142) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "78364654-f94c-4b7b-b5ec-19bedb58ec4f", - "value": "APT34 (G0057) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "ea46cbd0-7134-4ede-a117-47380ddd9b5c", - "value": "Data Compressed Mitigation (T1002) mitigates Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "70bc1a16-3c57-4198-b2f9-c7f27bec271c", - "value": "APT32 (G0050) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "6ab291a5-8061-4ad4-a6a7-07a6142e4c27", - "value": "Lazarus Group (G0032) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3a9abcd5-52ba-44f1-96a5-1593f816b9f0", - "value": "CHOPSTICK (S0023) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "21717b6b-1fc6-4619-9877-bb36237a8efd", - "value": "Lurid (S0010) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "5bb90849-cdfe-4cc0-9ca3-128f17b2a1d1", - "value": "Helminth (S0170) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "2025480a-6d91-4ef5-a6ea-cc025c8aecfb", - "value": "ZLib (S0086) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "57e6eba5-cb21-4a0d-b524-4981f49037b1", - "value": "Flame (S0143) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "a29d9514-3284-4ac2-a93a-e17750519534", - "value": "PlugX (S0013) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "1e2baacb-9033-49a9-890a-f48c87ab1531", - "value": "HAMMERTOSS (S0037) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "11de35bf-195d-4097-a27a-d2e2b7c433b3", - "value": "Volgmer (S0180) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fdc4c379-e6e6-4454-933d-2a9a4a78cf98", - "value": "TinyZBot (S0004) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e" - }, - "uuid": "70dc6b5c-c524-429e-a6ab-0dd40f0482c1", - "value": "Deep Panda (G0009) uses Sakula (S0074)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "93812c9c-39f1-4bf6-adda-601d0ffd88bf", - "value": "BBSRAT (S0127) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "d07f2da6-6497-414f-96c1-9dd60155b169", - "value": "OSInfo (S0165) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "dd9c1644-259d-4980-8058-fdc3c72fac7b", - "value": "JHUHUGIT (S0044) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "6b0b404e-7e1b-4f8f-8b78-85016f36f8e9", - "value": "RTM (S0148) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "c0e78590-0266-43e0-8fb5-efd95556c20c", - "value": "ADVSTORESHELL (S0045) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d5166d3e-246b-473c-9ff0-c5cc97dd91de", - "value": "BlackEnergy (S0089) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "e0bc7e9b-aec8-4e78-baed-f635ee7bd196", - "value": "FIN6 (G0037) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "6a58662b-4eb1-4172-b387-13e9b574368a", - "value": "DustySky (S0062) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c39e878e-a496-4271-9998-2d5c9511e0a4", - "value": "Kasidet (S0088) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "9a286577-ccfc-4793-96ce-02c17dc0f4ae", - "value": "Cobalt Strike (S0154) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", - "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" - }, - "uuid": "bdd223c2-8d3a-4c99-b261-402b7daaace5", - "value": "LSASS Driver Mitigation (T1177) mitigates LSASS Driver (T1177)" - }, - { - "meta": { - "source-uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "49dd2ac1-cd3a-46db-89d7-307c65971a3d", - "value": "Bootkit Mitigation (T1067) mitigates Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "38ea7367-26e7-4a6a-b735-e98e3a35450a", - "value": "Shamoon (S0140) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "147e009d-48db-40bc-999c-70aa1e770a0c", - "value": "Remsec (S0125) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a" - }, - "uuid": "08d91d3c-b7c7-4cbc-a4eb-29edd3be3e3a", - "value": "APT30 (G0013) uses SHIPSHAPE (S0028)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a49ed7b1-8160-48ae-a65f-feeb4747c522", - "value": "Volgmer (S0180) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "570c8981-9a08-4c4f-8927-a22148bb880e", - "value": "Dragonfly (G0035) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "43edea0b-efb8-41ab-bdda-f5aa62de439f", - "value": "Remsec (S0125) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "707d131d-39ff-4ea0-a8ef-63dd7ca2a854", - "value": "Komplex (S0162) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "4de4a09b-5727-4462-b288-23278e74634e", - "value": "FIN10 (G0051) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0d8aa058-426a-45c9-af5b-898746ae5862", - "value": "Crimson (S0115) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "0d3e115b-ff08-4bff-8802-be3d21cec68f", - "value": "Prikormka (S0113) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "2843ccc2-4869-48a0-8967-b9856a778a2c", - "value": "Felismus (S0171) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "4fa2cbf0-9721-4bbe-86b4-334848cd3dd6", - "value": "Timestomp Mitigation (T1099) mitigates Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "c9dca829-6417-4121-9462-650ac852b8c2", - "value": "BlackEnergy (S0089) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "4923be5e-dd24-4289-adca-e9dbf545b9c2", - "value": "OilRig (G0049) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2d659138-90e5-4b67-8956-02120d99506f", - "value": "3PARA RAT (S0066) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "61047751-c353-4190-bc37-19ad959bc35e", - "value": "Gazer (S0168) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a88332d2-d03f-4139-b11c-19e82459189b", - "value": "POWRUNER (S0184) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "ae9befd5-d8b7-4492-9b47-422a40d610cc", - "value": "GeminiDuke (S0049) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "13984eec-6c33-4bab-a22c-5c061ddd6e44", - "value": "APT1 (G0006) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "6586cae6-bf7a-4b1d-ab5c-53106d1db5c4", - "value": "ChChes (S0144) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a9727d1b-777a-4c3e-8bcc-e0cbff7431d8", - "value": "CosmicDuke (S0050) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "a58ad2d1-7200-4ba8-9c24-fc640306ea2f", - "value": "RTM (G0048) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "27e7f34e-9750-4cf0-8260-33f2996ee38c", - "value": "APT29 (G0016) uses Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "45a89f5b-a7de-46c9-93d6-15f2170128e4", - "value": "APT34 (G0057) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", - "target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec" - }, - "uuid": "2e3b8b06-5148-4313-8b1b-d75789838c84", - "value": "Mshta Mitigation (T1170) mitigates Mshta (T1170)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad", - "value": "Cobalt Strike (S0154) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "3f8a74a9-55fe-4f9c-bddb-00b715ca3668", - "value": "RedLeaves (S0153) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2121683c-ab01-4212-b2d2-af290dd8ed17", - "value": "SNUGRIDE (S0159) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a" - }, - "uuid": "3b3435a2-6a24-4527-be6f-03d09ef2b917", - "value": "Putter Panda (G0024) uses 3PARA RAT (S0066)" - }, - { - "meta": { - "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "90e64a7a-42e6-4b95-ae85-5ac324d7f6e2", - "value": "Starloader (S0188) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "982d9af7-45bb-4cc0-9819-aaadb3304783", - "value": "Lurid (S0010) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fb866766-d3a5-46f6-9d0e-afc6bd1c7962", - "value": "cmd (S0106) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "f19234f6-5b59-4229-aae1-70df380a076a", - "value": "Backdoor.Oldrea (S0093) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "21caad94-1568-4e40-8e38-c0f7e854aede", - "value": "Patchwork (G0040) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "cf699238-7091-4d79-9741-d792152f37c1", - "value": "Communication Through Removable Media Mitigation (T1092) mitigates Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "bbf116bf-6f8a-44f4-9d98-db6ccbbff333", - "value": "Carbanak (G0008) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "284ffb1b-ad42-468e-9897-94c25024f0d4", - "value": "ADVSTORESHELL (S0045) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "8e69c855-db70-4b5e-866b-f9ce0b786156", - "value": "Group5 (G0043) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ae370b88-fd93-4803-a154-aa3debf2327b", - "value": "httpclient (S0068) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "ed522c9c-038b-43c0-af66-e81b954104f2", - "value": "POWRUNER (S0184) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "d4d35e55-6a09-47ef-8de5-160468276025", - "value": "at (S0110) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "3094a14f-ccd2-4ba4-a3f6-c6d2721f02db", - "value": "APT28 (G0007) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "f758836e-91b2-4651-ba72-d827553b668c", - "value": "POSHSPY (S0150) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "fe9c9381-99d7-4798-ab41-3e5cdbda5e21", - "value": "Turla (G0010) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "6d2d4146-bf9e-4b75-9a23-052c09e99eeb", - "value": "CosmicDuke (S0050) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "99800503-d535-4fae-a318-dfa034dca663", - "value": "menuPass (G0045) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f661bda3-d524-44b3-aeb0-d8dd8879a569", - "value": "APT3 (G0022) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", - "target-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad" - }, - "uuid": "34ebfdf4-ef2c-4a6c-8bfa-69704d8f7694", - "value": "PROMETHIUM (G0056) uses Truvasys (S0178)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "1ec53623-4050-498b-ba9e-f149d203036c", - "value": "Emissary (S0082) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "b7930db8-2cb9-4ecf-b3d3-7425f99140d8", - "value": "Mimikatz (S0002) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "a423dc5c-c506-4cc5-b65c-0c9269d18fb6", - "value": "XTunnel (S0117) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "57e1f6b0-7fbd-49b4-8f5d-876b759437ac", - "value": "Trojan.Karagany (S0094) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "7b5919ce-efab-45d1-855b-f827d7489b2b", - "value": "Nidiran (S0118) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "8797579b-e3be-4209-a71b-255a4d08243d", - "value": "DragonOK (G0017) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "50271beb-48b1-411e-86b5-990b4cbb1fb5", - "value": "ZLib (S0086) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "6a0f3ebb-c805-402f-bb2e-aac2f8d174fa", - "value": "Downdelph (S0134) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "53cc6b0b-66ec-4f7d-a725-f65b076b5428", - "value": "ADVSTORESHELL (S0045) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "837af41c-0553-4d1d-a38e-e43e2aad5c35", - "value": "SeaDuke (S0053) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "8baf3f0d-0ab4-4691-8ef7-8b9af8a8069c", - "value": "Remsec (S0125) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "c3d3bb7d-65cc-4915-bc28-492d341e6dbd", - "value": "CallMe (S0077) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" - }, - "uuid": "fd518b7a-b35d-4689-89f6-525efbeee18f", - "value": "OilRig (G0049) uses FTP (S0095)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "87b74ba7-99c4-464c-86d2-1dd8c8b578b1", - "value": "Turla (G0010) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "e79c65f4-f9d2-4568-96a4-b6e00d3bad71", - "value": "Daserf (S0187) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "6fdc3210-9754-4157-b386-8fcd680e732c", - "value": "Deep Panda (G0009) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "a564f3da-349a-4e65-826c-8ca60bc920bf", - "value": "gh0st (S0032) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "4ce5e752-97d6-4803-a49c-0f905729a133", - "value": "Threat Group-3390 (G0027) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a23ab6bc-e5cc-46a9-b77f-747ae6fc6a9b", - "value": "Mis-Type (S0084) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "dea36846-b8ad-4926-a242-9fa2d12069c8", - "value": "menuPass (G0045) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "137e1ddc-403b-49b5-a214-20b82bab446e", - "value": "Remsec (S0125) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "46f853ea-3f45-4570-a155-826bec98456d", - "value": "APT28 (G0007) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "abee00d3-8417-468b-84a4-40c7d0ac4f7d", - "value": "S-Type (S0085) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "067814b5-aa57-45e0-9bdf-5536b077c224", - "value": "APT29 (G0016) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c80250a5-79c0-4a46-a0e3-49d6bcd574c6", - "value": "Sys10 (S0060) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "7a783e7e-a735-42d7-874d-633b37e21033", - "value": "APT34 (G0057) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "49af09c8-1460-485d-9f09-dacea47fa016", - "value": "Kasidet (S0088) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be" - }, - "uuid": "bceada36-e6ba-49b9-b9f8-99e37e6cbf9e", - "value": "APT28 (G0007) uses OLDBAIT (S0138)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7fbb56bf-cadd-4663-8067-f233d4c9c751", - "value": "S-Type (S0085) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "757bed64-558b-4ea7-84b9-b82d8b23f9b2", - "value": "APT1 (G0006) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "4d6def4b-69cf-4dca-848b-53de73536ad6", - "value": "Permission Groups Discovery Mitigation (T1069) mitigates Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b8e50d79-c024-4dc1-aad2-d7181fbbf1bb", - "value": "MoonWind (S0149) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "7b529102-f95c-4ca1-a5c4-5a3497ab3674", - "value": "Ke3chang (G0004) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "5e6e745f-d756-4b6e-90e1-3adcf848570b", - "value": "Shamoon (S0140) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "4a6248d4-4fa1-404a-abed-84e9b7c32dbe", - "value": "Turla (G0010) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b" - }, - "uuid": "79934567-99e6-4184-8b04-717a1b401006", - "value": "Scarlet Mimic (G0029) uses Psylo (S0078)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "ab687dca-2741-4920-a71e-e0e0444809c5", - "value": "Lazarus Group (G0032) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "9b36e877-e637-46b8-bdf1-def74c977472", - "value": "Remsec (S0125) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "110690db-fd9b-425a-9269-ec082f0af3f9", - "value": "Magic Hound (G0059) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "5077f774-95a4-459e-b88c-cb3a4dd5c8c6", - "value": "Reaver (S0172) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96", - "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "b41c70df-0955-408c-90ee-7acad8b080e1", - "value": "Domain Fronting Mitigation (T1172) mitigates Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73" - }, - "uuid": "5e9bee3d-ea86-4715-9fdc-199e10ef2161", - "value": "APT28 (G0007) uses ADVSTORESHELL (S0045)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "c354d751-4688-49c5-9f9a-0d2bc705f645", - "value": "Threat Group-3390 (G0027) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9ef645ab-afd1-41d6-ad60-d207fd134748", - "value": "SeaDuke (S0053) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "2c09a27c-2eea-4287-9908-964533234e71", - "value": "cmd (S0106) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "3643f451-322d-4f38-91a4-00a55a42c7f5", - "value": "Turla (G0010) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "3ef89472-470c-42c9-be01-155efe607b78", - "value": "PoisonIvy (S0012) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "797131cf-fef9-4ece-823f-e931393e72f8", - "value": "Reaver (S0172) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c8ce3bcd-b74f-497d-8f76-cc8c7333ab49", - "value": "SHOTPUT (S0063) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd", - "value": "Mivast (S0080) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "cdbfa147-52be-411d-bcbd-f6dcbf91d7b5", - "value": "OilRig (G0049) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "253b56a5-232f-44bc-af4d-85ccc12a0577", - "value": "Gamaredon Group (G0047) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "a805a8d5-632c-48df-909d-c3d745652475", - "value": "BS2005 (S0014) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "cff2088f-c003-4d03-aa8a-cca36753b930", - "value": "Data Transfer Size Limits Mitigation (T1030) mitigates Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "520f5440-740f-4efe-850e-ea4db340aef1", - "value": "Lazarus Group (G0032) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "fa6292a2-c184-4bc9-a37f-0c1ac61e1135", - "value": "Turla (G0010) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "32864e94-8581-4f77-bf7d-53aaf3710f60", - "value": "SeaDuke (S0053) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3ba2b8bc-1c5b-4cb3-8234-a7dc7b7552d0", - "value": "Matroyshka (S0167) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "0c870326-6b8a-4279-bbd3-2c1ae23ba54a", - "value": "BADNEWS (S0128) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b6970925-a435-4942-b244-60e4f57acf86", - "value": "WINDSHIELD (S0155) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4" - }, - "uuid": "df9beafa-be6b-4e61-9a27-dfb9ec7d6aa3", - "value": "APT29 (G0016) uses HAMMERTOSS (S0037)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "023ff141-8ed7-4132-85a0-494fe075236b", - "value": "Magic Hound (G0059) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "51f1d23c-1ccd-4cc4-918c-39e9a66e510b", - "value": "OilRig (G0049) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "5cceffd9-5818-4481-bce6-4e326548d6b4", - "value": "MoonWind (S0149) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6db82410-1fcf-483a-be5b-cf09c361b4eb", - "value": "Daserf (S0187) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43" - }, - "uuid": "a33388b7-3803-442f-8e31-511eef055470", - "value": "APT17 (G0025) uses BLACKCOFFEE (S0069)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c" - }, - "uuid": "bcd1d261-0228-468f-b02b-52e6784e2491", - "value": "APT16 (G0023) uses ELMER (S0064)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "fe3c4134-ddef-45f8-b83a-6865a01b9764", - "value": "Regin (S0019) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "bae7f2fb-99d8-4acf-b61e-f37a215aa82e", - "value": "Emissary (S0082) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "b0099b28-bcb8-4214-8166-d9caed1b6491", - "value": "JHUHUGIT (S0044) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a" - }, - "uuid": "f52f1b34-a96a-45a0-8cc0-2f138a3f1257", - "value": "BRONZE BUTLER (G0060) uses Daserf (S0187)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "df69c29c-01c4-4541-988e-8a5765439d56", - "value": "Poseidon Group (G0033) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "2a8f0313-4059-42b9-b487-6c8f860588c0", - "value": "ADVSTORESHELL (S0045) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2c79282f-5e60-48b9-962a-d61c3d73b334", - "value": "OilRig (G0049) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "340d4ef7-816b-4758-994f-b913df78afd7", - "value": "Elise (S0081) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "b9083516-7dd3-4ef2-808a-1df48894122b", - "value": "Group5 (G0043) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "d3b787ec-795c-481b-94e5-ff42dc56d79d", - "value": "FIN10 (G0051) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "bad90106-a150-4d76-b39f-f35aab4ac766", - "value": "Rover (S0090) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5b686a7c-4fcd-44c2-9f57-1d88d6633ef4", - "value": "USBStealer (S0136) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "07d16181-ba82-42c8-a67b-8d7d5adef52d", - "value": "Flame (S0143) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "59b39f06-a71c-42f7-92f2-244a183113d6", - "value": "BBSRAT (S0127) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e8068ad2-97b3-4693-a6ad-a8ee9a272890", - "value": "Patchwork (G0040) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "e8048bf8-3931-4d6b-b4a6-475ff717cbae", - "value": "Cobalt Strike (S0154) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f39d9e4d-b4f9-4c12-aa8e-a44f8550b57f", - "value": "JHUHUGIT (S0044) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "b2ab26e2-eb90-4f19-b35a-b8a0a5438961", - "value": "DustySky (S0062) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0fec9b91-cd45-493b-b23e-abb3ed2513a0", - "value": "EvilGrab (S0152) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "542bb806-3e73-42f5-8a3e-86b498093f4b", - "value": "certutil (S0160) uses Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "5e53b45b-ca14-4e8b-8c76-0cf9cb572a92", - "value": "Misdat (S0083) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "699ddfef-6e95-42cf-b212-dc661f790adc", - "value": "Lazarus Group (G0032) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "92711ee1-041b-4e35-a322-3e16790fcce2", - "value": "Crimson (S0115) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "5cfcbf60-454a-4673-aa93-9020d04efab7", - "value": "APT28 (G0007) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "ade60661-8dfb-473a-8d12-014ba0273934", - "value": "Kasidet (S0088) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cd1e409b-e981-4c83-a9ea-86705a45f92c", - "value": "EvilGrab (S0152) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "58fdc63b-05b4-4db9-90fe-c80f7956292f", - "value": "BRONZE BUTLER (G0060) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "6863078f-fe93-4b84-ad7f-dffe494d9265", - "value": "Cobalt Strike (S0154) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "8ca14a24-b8b3-4669-ae56-e7102b543dc6", - "value": "Emissary (S0082) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "5b9fbec2-0e72-44ef-94a5-a9f702469c93", - "value": "Cobalt Strike (S0154) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "0e27ebb3-2d48-48f6-ab99-968c0a992c61", - "value": "Downdelph (S0134) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8e28cc53-3fd4-42ed-8516-71fd9ee57641", - "value": "Patchwork (G0040) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "0fee8bfd-aec2-44a7-8182-530a648006f3", - "value": "Reaver (S0172) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41747c46-1dd1-418b-84e9-75710f17a10c", - "value": "BLACKCOFFEE (S0069) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "7c0995ef-ab5d-48f9-8884-7d953c4c3247", - "value": "3PARA RAT (S0066) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "a442fcac-55d7-49ff-8ecf-ca61885c27e2", - "value": "Putter Panda (G0024) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "9b88372d-4f3f-4442-906d-9ab07e22e781", - "value": "CORESHELL (S0137) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "2c48f039-61f7-4af4-974b-f0e0fcf95f58", - "value": "PlugX (S0013) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", - "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" - }, - "uuid": "701a2767-70f3-44f1-a397-9c04517ece67", - "value": "Screensaver Mitigation (T1180) mitigates Screensaver (T1180)" - }, - { - "meta": { - "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "55df3b40-b130-4313-9064-6b0fc56564d0", - "value": "Truvasys (S0178) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "23e2dc58-4b8d-48d8-82fd-d051892a7d58", - "value": "RTM (S0148) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "4b23ac99-3761-46f0-ad5d-2cf63a95036a", - "value": "S-Type (S0085) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "39fdd17c-5f59-4daf-bf14-95841b5ec248", - "value": "Lazarus Group (G0032) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f1af286d-9367-45de-aced-a762838e58bd", - "value": "Threat Group-1314 (G0028) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "bc60180b-2db6-4e0d-8b98-d349db637777", - "value": "Elise (S0081) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "9e90e4a5-844c-4516-9044-6f35bbf27806", - "value": "APT28 (G0007) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "55ffbd77-ec97-4dca-9399-b9e4b62fbbf8", - "value": "FIN5 (G0053) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c585ae70-1bda-4751-ad34-536a78b7daad", - "value": "MoonWind (S0149) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "6c71a59f-05e6-44cc-ace5-33200e1f0846", - "value": "Agent.btz (S0092) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", - "target-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654" - }, - "uuid": "877a67b0-5dea-467c-9da1-8eee3bcc19a6", - "value": "NEODYMIUM (G0055) uses Wingbird (S0176)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "fc79f30d-94c8-400e-ab10-21d2a2527788", - "value": "BRONZE BUTLER (G0060) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "7df747e6-81a1-4bb0-b47f-96136694f2d0", - "value": "APT34 (G0057) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2db406cf-667d-4ad6-b768-7645f6663ac9", - "value": "Duqu (S0038) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "1fda6ff7-a344-4bc3-b545-4083cc15290d", - "value": "PowerDuke (S0139) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "021c3289-43bb-4787-9d7e-6ad17b3ce84f", - "value": "Emissary (S0082) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "52cf8793-2f13-45c2-8274-1a9bf5d6224a", - "value": "Regin (S0019) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "030fb5ef-3900-4f60-a1d2-0f1d67940aed", - "value": "HTTPBrowser (S0070) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "a65de154-e0dd-445f-9f26-8459a287c790", - "value": "Component Object Model Hijacking Mitigation (T1122) mitigates Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "8cdfc8e4-b657-4ae9-b9ee-9b6107fae796", - "value": "Turla (G0010) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "48fb8267-5d68-467b-a2c0-8302cc15ebed", - "value": "RedLeaves (S0153) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "385f57f4-87b6-4126-ab67-531e482ec9bc", - "value": "Regin (S0019) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", - "target-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00" - }, - "uuid": "c5747927-2d3d-4d3b-a4d7-56a2b37b039e", - "value": "Space after Filename Mitigation (T1151) mitigates Space after Filename (T1151)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3dcf441c-b987-4c6a-93e7-e24ae1e16475", - "value": "Reaver (S0172) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "512e16e9-634c-45d3-b569-c25a3072bbdc", - "value": "FLASHFLOOD (S0036) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "630dedba-136b-4ea3-956e-f8f38e96653d", - "value": "APT1 (G0006) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "fc4811c4-103b-48b7-9e52-20d574cfc4bf", - "value": "XAgentOSX (S0161) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "96e928af-dbfc-4743-a1dc-353904e21fd3", - "value": "Prikormka (S0113) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "1aa10371-6473-416a-8b8b-17c36f700233", - "value": "JHUHUGIT (S0044) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "59a6700b-3ae5-4039-a07c-cbbf6eb7a78e", - "value": "Threat Group-3390 (G0027) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", - "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" - }, - "uuid": "142800a5-62e9-48e9-97ef-186cfb68ffa1", - "value": "Security Support Provider Mitigation (T1101) mitigates Security Support Provider (T1101)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2dd15583-34cd-4b49-a6ba-4bd647b7ff27", - "value": "Magic Hound (G0059) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "85a92b0f-f8c3-41a9-a1b3-cfbf8b442b39", - "value": "ADVSTORESHELL (S0045) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a7e5ffbc-d123-4f62-88eb-36b32656cd35", - "value": "H1N1 (S0132) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4696a49d-caa1-4746-b106-45faf327270b", - "value": "Matroyshka (S0167) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "aad8c4dc-db11-48b4-b294-f63ccde5e798", - "value": "Carbanak (G0008) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "67b49860-e1e4-4b56-bf83-108c4ac25e5c", - "value": "MiniDuke (S0051) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "e7714693-e792-44f0-a224-9899df75fced", - "value": "APT3 (G0022) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "dac7355a-9d13-4155-a053-d0c18fe92f53", - "value": "Cobalt Strike (S0154) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "0a65c303-52a6-4624-a8fb-fc7448429139", - "value": "Winnti (S0141) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "19be6ce1-8eea-47ff-b87c-3358d390454d", - "value": "China Chopper (S0020) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "c4bea2b7-e8a2-45d0-bac2-4d82576c1521", - "value": "Carbanak (G0008) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "98c18956-03d7-49e5-93b2-44351682331d", - "value": "Rundll32 Mitigation (T1085) mitigates Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "84e0c62b-b1a6-4ecd-8607-f0b516cb48f6", - "value": "RTM (S0148) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "af9347a3-00a9-4ece-b075-8c55bd4f4b9b", - "value": "Shamoon (S0140) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "31cd4eb1-f7b3-4030-b087-388d55faba03", - "value": "XAgentOSX (S0161) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "1ee44004-6aaa-4b22-934d-4f4ef82cbbd4", - "value": "Regin (S0019) uses NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "af6e3f9e-7c71-484d-ab8e-5adaaaedea36", - "value": "WinMM (S0059) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "1ba38510-0489-4305-944f-451e6869b30f", - "value": "BADNEWS (S0128) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5d46a519-1ef9-4cdb-b737-8c7b3ffb4f0e", - "value": "Pteranodon (S0147) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "b9e624b0-47d1-4463-970b-fbb6ddcd7171", - "value": "Cobalt Strike (S0154) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" - }, - "uuid": "70d5a73c-cc14-410a-a430-5948cd21532f", - "value": "JHUHUGIT (S0044) uses Logon Scripts (T1037)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "8cbb1567-70c5-4daf-b163-cbc6cc40a794", - "value": "Strider (G0041) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "36112f24-7814-4c75-b5b7-a1205bb28b68", - "value": "Gamaredon Group (G0047) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "04b44241-3ff4-4d46-9847-7cb2feaba84e", - "value": "APT34 (G0057) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" - }, - "uuid": "1c812537-dfaf-40da-a71b-a49c18870b77", - "value": "APT3 (G0022) uses schtasks (S0111)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "2e77d363-e38f-40ad-a6ef-9222dc12793d", - "value": "Naikon (G0019) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "4176d195-5740-47c2-874d-51704e7d293e", - "value": "RedLeaves (S0153) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "69b9edd8-c1a8-4cbd-bd94-9af0fdefe013", - "value": "HIDEDRV (S0135) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "c7017855-dc52-4e9d-977f-3af701e094c8", - "value": "APT32 (G0050) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "37ab6b56-033c-4cb6-8d1b-e7ff5dcf668d", - "value": "Elise (S0081) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "d3b810ed-0be4-448b-b1ac-aa3a7dd16c91", - "value": "MimiPenguin (S0179) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "4c2b4c0f-0ded-4f0f-ad5a-a95241ba927e", - "value": "Network Share Connection Removal Mitigation (T1126) mitigates Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "689c51b8-7e41-474e-abf6-ffdde0acc40b", - "value": "SPACESHIP (S0035) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "953134ab-5816-43b8-b2b1-8f4c9305f57a", - "value": "Sowbug (G0054) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" - }, - "uuid": "80c071f7-123e-468f-800d-726a1d3e4144", - "value": "APT18 (G0026) uses gh0st (S0032)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "36b9f594-9a27-4281-a18e-9a5e7df70ad9", - "value": "Threat Group-3390 (G0027) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2dbed740-1b50-4d59-a729-a1d9e6a839df", - "value": "OilRig (G0049) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "37ba7858-8765-4445-a65e-d2765b673b34", - "value": "FIN7 (G0046) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b0db4b00-8716-430f-a9d8-29a878a12eac", - "value": "Dragonfly (G0035) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "fa035513-59b6-4f54-8b85-13ec08849453", - "value": "Felismus (S0171) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "327a64df-b405-453b-83d2-528d17e8df51", - "value": "CozyCar (S0046) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3fe559f9-9bee-48ea-8a7c-7d65b63419ee", - "value": "APT34 (G0057) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "fc2ffb01-2c4e-429d-b4fd-e0d20678504a", - "value": "APT1 (G0006) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "a1f198ef-af69-4c0f-b3ed-0b47ad6167fe", - "value": "Multilayer Encryption Mitigation (T1079) mitigates Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "3e09a5ce-a6a0-4f03-8c23-a7ebb4dfd74c", - "value": "BADNEWS (S0128) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "aea8401e-774e-47b1-86ac-220cacd11a3c", - "value": "FIN6 (G0037) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "865a5b25-6908-4ad9-a81d-33f3cf48e357", - "value": "RTM (S0148) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "bbe37d7e-ad35-4c74-a57c-9a398ef6b1be", - "value": "SEASHARPEE (S0185) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "6b5c6fc2-615a-46fc-80a4-9ab332159722", - "value": "Threat Group-3390 (G0027) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "4e9c5234-65e9-4b4a-bc13-891e7aed84b2", - "value": "Shamoon (S0140) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "98852860-145c-40f0-86af-b32dd61fa008", - "value": "APT34 (G0057) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "56e40368-38a7-4415-9ebc-8c84694bc7d6", - "value": "Lslsass (S0121) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "c95c8b5c-b431-43c9-9557-f494805e2502", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "35572bdc-c7a2-442b-8d9a-7691317b6982", - "value": "Software Packing Mitigation (T1045) mitigates Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "496e66ff-2c9f-454c-af36-49c7dc098493", - "value": "Dragonfly (G0035) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "660d09ce-8722-42b3-8503-911dff37bf22", - "value": "ASPXSpy (S0073) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "df5bee66-b840-405e-b9d5-2e0ced2e6808", - "value": "Sykipot (S0018) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "8793b289-4b74-4119-8561-a9ad27dacdff", - "value": "BBSRAT (S0127) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0efa0a7a-545d-49e2-b0c4-0e251226404a", - "value": "Sowbug (G0054) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" - }, - "uuid": "d691e305-8ce5-40cd-a648-b0dcab329e69", - "value": "BRONZE BUTLER (G0060) uses schtasks (S0111)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "da734f6c-de0d-44f1-9521-6607b800ad43", - "value": "Patchwork (G0040) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "bfdffca9-6418-486d-833f-84f3920fcb71", - "value": "HALFBAKED (S0151) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b9fe8dd4-a3c9-4e58-9a74-937e4de677a8", - "value": "Derusbi (S0021) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" - }, - "uuid": "3f780c76-b5d5-43f9-b4f2-048106f00894", - "value": "PittyTiger (G0011) uses gh0st (S0032)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "699ac754-3f3e-46de-9b2a-5ea450ef47fd", - "value": "Helminth (S0170) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "59b95288-b954-4118-9a88-8e2ad85a1265", - "value": "Dragonfly (G0035) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "be31bf6d-ce4f-4620-8940-445f35ff90a7", - "value": "POSHSPY (S0150) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9eefeafd-aca1-4e4c-8d29-ea6f9154808a", - "value": "Turla (G0010) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "bcb8ac03-4f58-4cd8-af58-c3df991c8af5", - "value": "CosmicDuke (S0050) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "27102940-8ec1-42ad-98e5-57dc24b572eb", - "value": "PsExec (S0029) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "82826722-4278-438e-a8d0-5bd9fd117b2b", - "value": "DownPaper (S0186) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "2174c465-8855-4c92-a683-97eb0eba9f7c", - "value": "BRONZE BUTLER (G0060) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "216ab163-818b-4303-beb6-a743b90c98bf", - "value": "Prikormka (S0113) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "a732c265-07f0-4e9b-a42c-0df6277e5b27", - "value": "Carbanak (G0008) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "f696324d-7fb4-44ca-82dd-3385b55fbb80", - "value": "Elise (S0081) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "a3eca9d0-bc4b-48a8-801d-9aaa757bfe72", - "value": "HAMMERTOSS (S0037) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b" - }, - "uuid": "0a6ec458-f9f7-4e51-b0eb-4fd915a48a6b", - "value": "admin@338 (G0018) uses LOWBALL (S0042)" - }, - { - "meta": { - "source-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "b1334535-019a-4d6a-88c1-8bb6741f152b", - "value": "meek (S0175) uses Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3b31b258-d3e0-4acc-9c20-de870baa64a0", - "value": "Komplex (S0162) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3" - }, - "uuid": "235fe6f1-66d1-4cf4-adb9-3bc7f081144a", - "value": "Deep Panda (G0009) uses Mivast (S0080)" - }, - { - "meta": { - "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "baabf444-1748-472f-b991-7a5b25e4e1bb", - "value": "Reg (S0075) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "3a6c13d3-6589-4d33-9848-88e3409be0cc", - "value": "Volgmer (S0180) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "0aac9510-f48a-4b28-ae0e-c6facc1635ae", - "value": "Replication Through Removable Media Mitigation (T1091) mitigates Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d7bb00a0-fbe6-4622-84ed-be32ff5d8561", - "value": "DownPaper (S0186) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "6b1c1b38-0448-4114-99eb-23aae85ada52", - "value": "APT28 (G0007) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": "033d168d-8348-47ad-af48-d297dc0d1dbb", - "value": "Cobalt Strike (S0154) uses Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "3126c7fa-02eb-475f-a474-26d4d6af7a67", - "value": "ZLib (S0086) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "4527c528-8377-4349-ae5c-95c04cabd3d4", - "value": "H1N1 (S0132) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2d704e56-e689-4011-b989-bf4e025a8727", - "target-uuid": "06780952-177c-4247-b978-79c357fb311f" - }, - "uuid": "352d3d80-3a5f-454b-8190-fbac20979fc7", - "value": "Plist Modification Mitigation (T1150) mitigates Plist Modification (T1150)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "7e46e7c8-e48a-4860-bbcd-224a2d12284a", - "value": "FIN5 (G0053) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1d808f62-cf63-4063-9727-ff6132514c22" - }, - "uuid": "4a687e50-e6b7-41df-93b1-6fed7db10f60", - "value": "APT1 (G0006) uses WEBC2 (S0109)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a08dadbf-6f68-415f-9daa-f84571af83a2", - "value": "ChChes (S0144) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "938a71e3-a9dc-4ad9-b1c4-b15d75967b8d", - "value": "Duqu (S0038) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "95b21e05-610e-47bf-a4b1-9d4b398e6c13", - "value": "Helminth (S0170) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "389854e8-32d1-406c-ab58-2ee2918bf7ed", - "value": "Multi-Stage Channels Mitigation (T1104) mitigates Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "96076f66-3ad6-4e54-b816-c9c3f90fa43a", - "value": "Ixeshe (S0015) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "06a8b931-7881-4e8b-a970-c430379279ca", - "value": "NTFS Extended Attributes Mitigation (T1096) mitigates NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "00ae99d1-db02-4007-8669-04d7fc4c1390", - "value": "USBStealer (S0136) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "56c927c5-f64e-4b31-9a14-7ce78fd1c8a1", - "value": "APT3 (G0022) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "43d85ed6-223e-4402-bd29-be10a872359d", - "value": "PowerDuke (S0139) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "32ee78b3-58de-4de5-bc3d-34ea8dc90ca3", - "value": "SHOTPUT (S0063) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "ad696f42-0631-43fb-893b-a5616f14f93f", - "value": "gh0st (S0032) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "2d4d634d-ed13-462a-916b-94798546ec6c", - "value": "Elise (S0081) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "fa2c0697-0d47-4ee9-b5bf-845ac3453c3a", - "value": "Nidiran (S0118) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "da8a87d2-946d-4c34-9a30-709058b98996", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "403863dd-5b73-4987-9397-e8c5b25041cc", - "value": "Input Capture Mitigation (T1056) mitigates Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "4c94f67d-6662-44ea-be75-ded8b2dbfa00", - "value": "Net (S0039) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "801f139f-1361-4d79-965e-078787f8ec36", - "value": "AutoIt backdoor (S0129) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "162a051d-a551-4b8c-875a-75264768e541", - "value": "MoonWind (S0149) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "ba1a4084-a74f-44d6-bafe-7a09ee959270", - "value": "APT29 (G0016) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "c5a7cf46-a3ab-4d33-a43f-012c0c5fdf63", - "value": "Shamoon (S0140) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "1451c4a3-5dc6-4744-8120-197f3a3134c1", - "value": "Duqu (S0038) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "e0033e57-8839-42b9-8515-46e9c7dca966", - "value": "APT32 (G0050) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "97ff5931-f27f-4774-b595-312f5771f91a", - "value": "SHIPSHAPE (S0028) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "dc43c2fe-355e-4a79-9570-3267b0992784", - "target-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda" - }, - "uuid": "c24f1b29-ee7b-4fe6-89be-6b733888a4e6", - "value": "Dylib Hijacking Mitigation (T1157) mitigates Dylib Hijacking (T1157)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "85ca1e00-24c4-403e-8aff-9890f91e9b78", - "value": "Emissary (S0082) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "ea964313-8f60-4cff-800c-2ea49e2c19d7", - "value": "Misdat (S0083) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "aeda6707-50e2-47e2-833a-18e4a5d73e88", - "value": "Mis-Type (S0084) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "6e24d8d1-7376-493f-a85c-75448c80efed", - "value": "CozyCar (S0046) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "fe229513-0cd9-4e9a-a333-2748ef03dfbc", - "value": "USBStealer (S0136) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "e7b5511a-3528-48d1-9224-6c5ff88b3825", - "value": "Winnti (S0141) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "f1000a93-e87d-4acf-b71d-73c3bb05fd75", - "value": "System Owner/User Discovery Mitigation (T1033) mitigates System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0" - }, - "uuid": "c6ceeb68-5d8e-4105-a20a-cce2b3ef48f0", - "value": "Putter Panda (G0024) uses httpclient (S0068)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "7e7d5aa9-6860-44fe-88b9-22a6b36162e2", - "value": "APT32 (G0050) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "ff4e1b0e-eea2-4329-aecc-e5353be8c1f4", - "value": "APT29 (G0016) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "5e840479-61c1-44f5-8cb8-0e61ffe12b89", - "value": "Taidoor (S0011) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", - "target-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f" - }, - "uuid": "f388c949-b692-4863-8e3b-7c1fc21a5fbd", - "value": "Rc.common Mitigation (T1163) mitigates Rc.common (T1163)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "c0223316-4b0b-461e-8947-01c0f5baeef2", - "value": "XAgentOSX (S0161) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "760be456-6b72-4b86-b5aa-3297aa89bc4d", - "value": "FALLCHILL (S0181) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "77f9936d-1ba7-42a8-879d-1a6e90156366", - "value": "Ke3chang (G0004) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "dd315296-ffee-4f1b-aef7-2d914c458fd2", - "value": "Access Token Manipulation Mitigation (T1134) mitigates Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "315aab88-9b01-4a70-8f8c-173a3f29e79c", - "value": "SHOTPUT (S0063) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "63f0007e-833e-4d6a-b79e-873525979f40", - "value": "CosmicDuke (S0050) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "70edcba2-e777-4ced-a52d-5dfc3965211c", - "value": "POSHSPY (S0150) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0040fdbd-ec7e-49b3-b715-c8c91e08666b", - "value": "Emissary (S0082) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "6fdaef62-c4da-488a-a07d-c8fca2c98d85", - "value": "MobileOrder (S0079) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" - }, - "uuid": "8ab176f0-009f-49e9-ba4b-f476c33697f4", - "value": "Carbanak (G0008) uses Carbanak (S0030)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a3251b26-7012-4f26-9c5d-1fb9d69b8569", - "value": "HTTPBrowser (S0070) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5c4e0ddb-57a1-440f-82ab-146847c99be8", - "value": "SOUNDBITE (S0157) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "6b39985b-2e2f-4d54-9211-aef4d94b318f", - "value": "OnionDuke (S0052) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" - }, - "uuid": "c1fd6ce6-26e7-49a7-abff-a64fd0fc8a35", - "value": "Cobalt Strike (S0154) uses Man in the Browser (T1185)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "e8cb4430-db05-4029-b011-926a2ba17a4c", - "value": "Winnti Group (G0044) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "b274a57d-9d27-4e33-b6dc-15e007805838", - "value": "Data Encoding Mitigation (T1132) mitigates Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "090813dc-b370-42e1-a211-4d9e3247968a", - "value": "FakeM (S0076) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "f6d23c6b-01c8-4bea-9bc6-2c66fbbbd3ae", - "value": "BRONZE BUTLER (G0060) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "27afb647-85a1-4e89-8762-c6c7d04bc1c5", - "value": "pngdowner (S0067) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "12904c83-67ad-430f-96ae-20e9081c2b5d", - "value": "ADVSTORESHELL (S0045) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "2c417522-9fa6-4f95-b9d6-062c9c2401b5", - "value": "Cobalt Strike (S0154) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324" - }, - "uuid": "00c88cab-5cb9-492a-8dce-8eab92213bc3", - "value": "OilRig (G0049) uses ISMInjector (S0189)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "28f655e0-ac0b-41bc-baaf-9a9987469fe9", - "value": "MobileOrder (S0079) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "ec99ea0b-1020-4ccc-bdc8-d545a4d3ccf6", - "value": "APT34 (G0057) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" - }, - "uuid": "da1a5240-bbd7-4e91-9dee-9b14df6cffe2", - "value": "BlackEnergy (S0089) uses File System Permissions Weakness (T1044)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "37ad61e7-6520-47d0-81ae-f3d129b49ac1", - "value": "OnionDuke (S0052) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "92e4cc06-5708-4486-92cc-0d25d9a755d4", - "value": "Tor (S0183) uses Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "9ab576ed-2ba0-4fc5-87fc-2011a7cd183d", - "value": "Crimson (S0115) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "bb2ba4b6-d96a-4d66-ac13-aa657108b363", - "value": "Sys10 (S0060) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "ab109b93-76a9-46da-8934-58751125fd1e", - "value": "OSInfo (S0165) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "8336111f-565e-4294-8b18-182c26da2421", - "value": "OSInfo (S0165) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5d0263d9-ddd3-4195-96ae-e340caef9e0e", - "value": "JHUHUGIT (S0044) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "9fef204f-163a-4c9d-b9b1-8a168074063a", - "value": "admin@338 (G0018) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "32218bd0-d598-4560-9a70-ab7d5c92f986", - "value": "WINDSHIELD (S0155) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e7a0b7a4-b49b-46b9-9bfa-5db0a87dd09e", - "value": "SeaDuke (S0053) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "a2ee3987-f7c9-41ce-8aca-fae8e8c2ef9a", - "value": "Windows Management Instrumentation Mitigation (T1047) mitigates Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "df6bc111-0e49-4e61-b38a-ee79cf682d09", - "value": "Cobalt Strike (S0154) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "d329d311-422b-4144-9212-aa7da4dc273a", - "value": "OilRig (G0049) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "e8ce10b4-3b00-40c1-983a-1d87ff9a68ee", - "value": "OilRig (G0049) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "dbccbeab-26c9-476e-b529-c193f9796cbc", - "value": "Wingbird (S0176) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "a2faf818-d21d-40a5-ad02-a3b1b2ee5d58", - "value": "Derusbi (S0021) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "ec6a8fde-702a-4e38-a37b-428a8ca10b18", - "value": "APT28 (G0007) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b" - }, - "uuid": "a2c9bae6-15aa-4ce0-8f4d-01b8fc32a36d", - "value": "FIN5 (G0053) uses FLIPSIDE (S0173)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6f8cef32-d057-40f8-be52-62d86b1049e6", - "value": "SeaDuke (S0053) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "70f713e8-f4f6-483c-9ec1-524a3aee2d8e", - "value": "APT34 (G0057) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "b4795040-fe94-429a-9853-f30c09ba05aa", - "value": "HALFBAKED (S0151) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "a1dc7c15-bd44-43b3-a32b-8e4ea9856758", - "value": "Backdoor.Oldrea (S0093) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "6e6828ca-7567-4302-8ed7-fa5821dc5bbc", - "value": "Threat Group-3390 (G0027) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4caf9f0d-dfe9-48ce-9b6e-812577e09711", - "value": "Crimson (S0115) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a02da835-676d-47df-86c6-547a7d29dbae", - "value": "MobileOrder (S0079) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "930175b1-0f2f-4f0b-99ad-13a4b304cc29", - "value": "Dragonfly (G0035) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "4189f5b4-4c57-452a-a3fb-da5988804feb", - "value": "Lazarus Group (G0032) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "cb69217e-f063-4093-bcf0-f051ecd42e25", - "value": "APT28 (G0007) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "7ac10827-9bf6-4d60-aa16-9f2d2930b373", - "value": "Magic Hound (G0059) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "765e3b13-60f4-4b34-b03f-0d8e738b0add", - "value": "CHOPSTICK (S0023) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "8ef27cd6-3909-4174-b57c-3dbe3061a6dd", - "value": "PowerDuke (S0139) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "e873321b-0d76-4cd6-bc46-8231cfcdeba0", - "value": "Cobalt Strike (S0154) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "2c586158-d02b-468a-bee8-04e1bde320e1", - "value": "BlackEnergy (S0089) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090" - }, - "uuid": "dff84383-c4c5-4974-a33d-9e43526abf49", - "value": "FIN5 (G0053) uses RawPOS (S0169)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "0ca1948b-476c-4ff5-a792-f3790250bdc1", - "value": "APT3 (G0022) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "fda1acb3-8e87-4fff-ae19-7e6a2ff9d6c3", - "value": "BRONZE BUTLER (G0060) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d1222ff7-b93c-40a7-99bd-217d795d8d58", - "value": "Remsec (S0125) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "b6f70ba6-bff1-4b40-a418-356e7b6efa27", - "value": "APT1 (G0006) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "f146a331-3595-46be-abef-518708e34def", - "value": "Lazarus Group (G0032) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "35ac37f9-7484-4fe4-8b5e-9381600ee01b", - "value": "APT34 (G0057) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "2e367a09-1d94-4ea4-984c-a592b769fffa", - "value": "WinMM (S0059) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "1d0bbeb7-5477-4321-81cd-ef66607d7972", - "value": "Remote Desktop Protocol Mitigation (T1076) mitigates Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7adaf2f3-52f2-40aa-b1ae-2fd2f05d9d56", - "value": "Prikormka (S0113) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "af74c0ec-0bbe-4538-a3a3-1e967afd3d51", - "value": "RTM (S0148) uses Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "820c50f3-65e8-4a3a-a71a-e079ae8badad", - "value": "Remsec (S0125) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb" - }, - "uuid": "d924c061-9ee2-45c2-9ea4-491a2d3f50a5", - "value": "APT3 (G0022) uses SHOTPUT (S0063)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "5b2682dc-f64d-482b-8fc4-132dad2727d9", - "value": "H1N1 (S0132) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a1684fef-eca9-418a-ab48-b9aad4101c6c", - "value": "BRONZE BUTLER (G0060) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "cfc64939-1c2c-4bc0-bfac-3492667b1bcd", - "value": "SeaDuke (S0053) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "1ca68d88-a287-4c48-a4f8-68611eceb445", - "value": "RTM (S0148) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "a71256aa-a2e3-447c-ba4e-004ba4f062b2", - "value": "ADVSTORESHELL (S0045) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47" - }, - "uuid": "e232f720-ab39-43f4-b419-ae8de115c5e6", - "value": "FIN7 (G0046) uses TEXTMATE (S0146)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "512879fe-8433-4c78-9345-009ed5168078", - "value": "netsh (S0108) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "d0f797ce-9176-4b74-8d64-fad4e1bdef4f", - "value": "Carbanak (G0008) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "51afbe4e-c5cd-4acd-b4e1-ff7877b78b9e", - "value": "FIN7 (G0046) uses Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "a61cf8cf-87f1-4061-ae9d-31e8162bdfef", - "value": "Mis-Type (S0084) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "289e01df-60e6-4eee-830e-9d742ac10c86", - "value": "Threat Group-1314 (G0028) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "97ea3b82-58ba-4a3e-8e6d-367755f83fa6", - "value": "FIN6 (G0037) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "86b2980a-dd9f-4553-8f65-69f75f0f4332", - "value": "Helminth (S0170) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "a901eaf4-7cbe-43c2-9c03-7d716357edc9", - "value": "menuPass (G0045) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "2cfa6113-1995-494a-b767-61d3f371e0ea", - "value": "Sys10 (S0060) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "0c0b4142-96e7-440b-a01f-f2bda05649b1", - "value": "BlackEnergy (S0089) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "7fe49f05-8f96-4fc2-bc5b-b2eea59efca3", - "value": "Sykipot (S0018) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "453914ae-8d76-4796-b507-dafc33adf005", - "value": "4H RAT (S0065) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e9011839-ca57-434d-a0cc-007594247110", - "value": "Felismus (S0171) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8f6701a2-91cc-449e-98e1-e83bd2f7317c", - "value": "APT3 (G0022) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "0d4e8cb8-c265-449a-b010-f4614135572f", - "value": "H1N1 (S0132) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "fe786b29-e621-48e2-84b5-aed35e6930fe", - "value": "Wingbird (S0176) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "40a8f80d-5497-4218-849c-3c0b63796641", - "value": "CHOPSTICK (S0023) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "b149adfe-547f-4cd4-af4a-ea7018a203c1", - "value": "Trojan.Karagany (S0094) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "487d67d7-b697-4de4-abde-decee8b17c44", - "value": "T9000 (S0098) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "7a1e7afa-7052-4e47-8725-66e485efda43", - "value": "Unknown Logger (S0130) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "5033a0a2-ef95-4ec6-b5ac-d7cfbd7be9f0", - "value": "Prikormka (S0113) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e39b5b63-b29a-4322-9dca-8bca7dedf474", - "value": "Dragonfly (G0035) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "e025dccd-ead3-44d8-af26-f2c3b27667f5", - "value": "Cobalt Strike (S0154) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f4188b9b-c2fe-41b7-96e0-e28d99671b9d", - "value": "BRONZE BUTLER (G0060) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "d26a9de1-0ec7-41dd-94fe-21a51bedf37f", - "value": "Cobalt Strike (S0154) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "39076217-a5bf-4b1b-b085-8dbf7ba92265", - "value": "Dragonfly (G0035) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "80aab758-d3fc-4380-b114-e552bdace832", - "value": "BACKSPACE (S0031) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" - }, - "uuid": "7577e14c-ceba-4646-98ce-41e7fa9ae851", - "value": "FIN7 (G0046) uses Carbanak (S0030)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "14135aaa-6080-48c1-8a08-d6ee9bb15c3d", - "value": "Elise (S0081) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "10cc3288-d06c-456c-bc0e-b10a8c5abeaa", - "value": "APT28 (G0007) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "42897880-fe55-4f54-a42c-f85ba19fb39a", - "value": "BRONZE BUTLER (G0060) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "7ca1b40d-d1de-48ab-b8ad-023ad9877def", - "value": "Lazarus Group (G0032) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5c8fba10-9d8a-4257-a458-8f58efc8d912", - "value": "Ke3chang (G0004) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fdf9f632-03ce-4e8c-88bf-3798bb7f5ef4", - "value": "Felismus (S0171) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "79f0712b-2cb1-47df-8ea1-26fb1502a831", - "value": "BADNEWS (S0128) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "c952f284-e529-481f-97fb-7a6e14c25ccf", - "value": "Putter Panda (G0024) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e" - }, - "uuid": "1593ae11-0bb5-4e16-804a-1383eb0cced5", - "value": "APT29 (G0016) uses OnionDuke (S0052)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "b990e235-dcf4-48c7-800d-b8a10a62eda4", - "value": "Threat Group-3390 (G0027) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "98908617-068d-4b6e-bcba-ad213c137b1e", - "value": "APT32 (G0050) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54" - }, - "uuid": "3cdc74fc-a291-4253-98b4-ca33e021914a", - "value": "Molerats (G0021) uses DustySky (S0062)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "59543467-938a-4528-961d-a539f0a5618b", - "value": "Gazer (S0168) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "7193ed4c-7169-46fa-9294-d74d912510d0", - "value": "menuPass (G0045) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "f0b3c919-bf39-4bc9-9488-5f30d5407c54", - "value": "APT3 (G0022) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "d72da887-5684-47ac-958a-84b3e8b59c0b", - "value": "Nidiran (S0118) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "73f5c564-53b1-48bc-8cab-32fa4a608672", - "value": "certutil (S0160) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "bc9cfe76-2d64-4901-8e9e-c69d046cdfaa", - "value": "APT3 (G0022) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9a05a8cc-8d3c-46a5-947e-bebed2ab1c5a", - "value": "ADVSTORESHELL (S0045) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "bde4d54d-16d7-4a07-a35a-9f0cc6956be2", - "value": "Uncommonly Used Port Mitigation (T1065) mitigates Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "ec4d07a2-8c8b-4df8-bb9e-b8c3e23d8dc5", - "value": "BRONZE BUTLER (G0060) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7185fe1c-1565-4175-bc7e-539ff704f4cb", - "value": "Net (S0039) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "897dec92-49a8-4edd-8ed2-8082f134e42b", - "value": "APT3 (G0022) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "ae1ee1dc-6017-4177-b34c-70db166a939e", - "value": "JHUHUGIT (S0044) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "595be2e7-9f2a-4d5a-b23d-8e4822ae6199", - "value": "BRONZE BUTLER (G0060) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "2d8cdbf3-1be2-4e64-ba18-f8b65fcbae8f", - "value": "Helminth (S0170) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d" - }, - "uuid": "3e5cf341-4707-4de3-bb06-43530ee3e90f", - "value": "Mimikatz (S0002) uses SID-History Injection (T1178)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "6b38f460-e309-4ab1-bbc9-bd0bb30f4af9", - "value": "PowerDuke (S0139) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "101867a2-149c-4088-a90f-7af4b86e5013", - "value": "CHOPSTICK (S0023) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "e24bd0ff-bc9e-4d26-84ea-008acb4975a1", - "value": "Video Capture Mitigation (T1125) mitigates Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "bb3c1098-d654-4620-bf40-694386d28921" - }, - "uuid": "e577372f-c3c9-4e12-9bc6-3f6a1faec0ac", - "value": "Scarlet Mimic (G0029) uses FakeM (S0076)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "fce7fac2-91da-4903-95dc-fb54650c0859", - "value": "PHOREAL (S0158) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "93d83b03-8367-4655-84a5-9abaee885700", - "value": "SslMM (S0058) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b3973baa-0185-45a1-934d-2b29f742a2df", - "value": "XTunnel (S0117) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a802d52a-01f4-44c8-b80d-d2c746e1e31d", - "value": "ChChes (S0144) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421" - }, - "uuid": "af0b0bfb-1a1e-4a06-b9e9-adeda7b6ad81", - "value": "Naikon (G0019) uses SslMM (S0058)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "31ec568c-53c7-4dfb-8bfb-bfb7addca7ee", - "value": "Net (S0039) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "05604d66-735a-4369-bc31-c7915bb3f2e0", - "value": "Group5 (G0043) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "c79d7110-46bb-4b6d-a256-87bd1b6379a3", - "value": "H1N1 (S0132) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "61827309-9071-416b-aedf-7f82f224db2e", - "value": "NETEAGLE (S0034) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1923a47b-5a48-44e6-883f-ca23a96fea46", - "value": "JHUHUGIT (S0044) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2b2cdb6b-c23c-4792-8cfb-8c4d9279a186", - "value": "BUBBLEWRAP (S0043) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "ab83d817-57b8-4970-afc6-fbd70c6e3760", - "value": "FIN5 (G0053) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "d93265a6-1f92-472b-9e47-48b7863d8171", - "value": "Sowbug (G0054) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "932fa199-f4c0-4c39-bb30-a412607ee299", - "value": "CozyCar (S0046) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "2dfbcf5d-8563-440c-bd9c-0cfc15059bd5", - "value": "Shamoon (S0140) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "3efe41c1-48be-48fc-90d8-5ae70df3cd97", - "value": "Sakula (S0074) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "0d43f3a7-70ed-4d04-857e-3a9fbce86cfb", - "value": "JHUHUGIT (S0044) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f33725f4-cce5-4868-b494-d73419c76bdf", - "value": "DustySky (S0062) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "b38cfcfd-b8e3-4a9c-ade9-8a8bfeb04694", - "value": "Threat Group-1314 (G0028) uses Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "4afcb9c9-e490-446b-97b1-1c151974242f", - "value": "TINYTYPHON (S0131) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "cfccba1b-5aa0-46ef-b668-d9f7e25b53ae", - "value": "MobileOrder (S0079) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc" - }, - "uuid": "47835d17-73e1-427f-85b0-b55b610fa9ad", - "value": "Putter Panda (G0024) uses 4H RAT (S0065)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ecca0af0-1549-4068-b01d-bab711c491c5", - "value": "Reaver (S0172) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "8278fc85-24af-4f8a-9b82-3f233f18f5a6", - "value": "Mivast (S0080) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "c2bd7b04-b090-478a-8e83-6b4656c14bb0", - "value": "Dragonfly (G0035) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "170e2f76-5b6a-4eee-8ea4-d1171368b4a9", - "value": "Lazarus Group (G0032) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", - "target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" - }, - "uuid": "87f4c47d-b94d-4a1e-9c4b-be671a99e6f0", - "value": "Logon Scripts Mitigation (T1037) mitigates Logon Scripts (T1037)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "66bec558-ff92-42ff-a8c1-5b47d071d606", - "value": "Hi-Zor (S0087) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "96797ece-5783-4d34-a399-32496c8705ac", - "value": "APT3 (G0022) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "fad2a504-6e00-4892-bf88-b49d6d18788c", - "value": "Axiom (G0001) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "acca43ee-1e88-4d39-a953-7626173a89b2", - "value": "Helminth (S0170) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "5c34be50-c7be-40c2-80bb-f3bc7db5cdd7", - "value": "Sakula (S0074) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fcfb3ce0-01a0-4f92-8e18-b323202d095d", - "value": "APT3 (G0022) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "380db9ad-f6ad-4988-8a28-b773313f07b7", - "value": "HTTPBrowser (S0070) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "1dc42b4c-4a93-4fc6-bad3-b5498ad500b1", - "value": "Pass-The-Hash Toolkit (S0122) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "d6d66a6f-dbc8-4d7b-b3fc-634f2765429a", - "value": "Sowbug (G0054) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "7ec988a7-712a-45ae-b6b3-db26a6515b80", - "value": "Gazer (S0168) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "57a1f1a8-f1c0-4b7c-b5b4-f283a278833c", - "value": "pwdump (S0006) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "ce212487-1291-4fe6-9f0b-f697516a7824", - "value": "APT32 (G0050) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "44273d72-b0d9-42ee-9e8e-53d1b39f0651", - "value": "menuPass (G0045) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a", - "target-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0" - }, - "uuid": "fb5e24e6-58f1-4ef0-9094-147319487f15", - "value": "Source Mitigation (T1153) mitigates Source (T1153)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a5a63d5c-acf7-4720-866d-fcf6e576a58f", - "value": "Ke3chang (G0004) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "c6358f18-fc64-46f5-8939-66e5258dd83d", - "value": "Threat Group-1314 (G0028) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "1b27cec5-241a-4c2e-a3db-e9cea241496c", - "value": "HTRAN (S0040) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "9c8fa95a-cbbe-4ef6-999d-21b4080b54f6", - "value": "FIN6 (G0037) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "04203d88-5fe1-4e63-be65-51a17705716b", - "value": "menuPass (G0045) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "d36e83a0-5370-4d78-862d-4dbe8921709d", - "value": "BRONZE BUTLER (G0060) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" - }, - "uuid": "14b393f2-6d67-4d4f-8f88-75c8b421c4e2", - "value": "PlugX (S0013) uses Trusted Developer Utilities (T1127)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "6dc0543b-1a60-4e9a-9527-595220854f53", - "value": "Cobalt Strike (S0154) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "aa243e70-fba4-4f8a-8b5e-1ac826eac593", - "value": "Cobalt Strike (S0154) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "aabb13d6-a73b-42aa-8014-696b94ff2416", - "value": "POWRUNER (S0184) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "e6cafa6a-22ce-49f7-8136-dc5a51c3aaeb", - "value": "Lazarus Group (G0032) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", - "target-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2" - }, - "uuid": "daca6956-64b8-468f-aa64-0ce4a4f7ad28", - "value": "Setuid and Setgid Mitigation (T1166) mitigates Setuid and Setgid (T1166)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "e30a790b-8f09-4bdc-8116-275d00880333", - "value": "FLASHFLOOD (S0036) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e" - }, - "uuid": "bb8fd9d4-4362-40c6-ab09-f05f843c2cef", - "value": "APT32 (G0050) uses PHOREAL (S0158)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "98a9bef7-8aff-4cbb-958b-14cb72954b8a", - "value": "ZLib (S0086) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "062ebca3-abf7-449a-ad84-f04a3cada4dd", - "value": "Equation (G0020) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "6cf42ee6-a064-4d8a-99d4-8aa0f878ae2a", - "value": "DownPaper (S0186) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "41edf1d6-15a7-4da5-9bfd-ebee9d53f71e", - "value": "CloudDuke (S0054) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "9c012fcf-876b-4101-aa28-6af8b00a51d2", - "value": "Responder (S0174) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "2b97e16e-8c39-4e5e-ad90-15c10f15d923", - "value": "USBStealer (S0136) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "c8bceb4a-0cf2-43c9-9729-20ed706c4c72", - "value": "Pteranodon (S0147) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "8d976244-6d4e-443a-98c0-52fe1d94c388", - "value": "hcdLoader (S0071) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "acc40539-13a0-4577-a862-e348962bf0fc", - "value": "Pteranodon (S0147) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "500130c0-d049-4e67-9bcc-d60a5f6dfd4c", - "value": "Lazarus Group (G0032) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "aec49e52-c54e-45be-a476-70aa0dc42cfb", - "value": "BlackEnergy (S0089) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "6a1693a7-1e85-48b6-9097-11339a987099", - "value": "Threat Group-3390 (G0027) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "654d9e83-9501-4de8-8828-1a1ebf36bc8f", - "value": "HTTPBrowser (S0070) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "22301618-a676-4d94-975a-2a56e5a7f919", - "value": "CozyCar (S0046) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "af66e48f-3232-4f78-ad3e-5a404f7ae3a1", - "value": "Derusbi (S0021) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4" - }, - "uuid": "720c211e-2219-496d-8a34-c3f37dfbe5bf", - "value": "APT28 (G0007) uses HIDEDRV (S0135)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3a66ff23-3dcc-45b9-821a-8d6527b6e242", - "value": "POWERSOURCE (S0145) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "6d87588e-2202-4616-a536-e43a2606721b", - "value": "Rover (S0090) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "0a8ee649-e907-4a73-8513-3019b2d771a0", - "value": "Lazarus Group (G0032) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a9bd68ed-2602-4225-838e-2d9b7f8761b4", - "value": "Carbanak (S0030) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b41c9b77-536b-49bc-8cb9-a873aa121002", - "value": "PoisonIvy (S0012) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "76333b56-47b1-40c6-9223-c4cf6673362f", - "value": "SeaDuke (S0053) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "e6f69552-fe0e-4b40-ad20-4410048277e6", - "value": "ChChes (S0144) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "4477e350-645d-40de-8de7-7a6e1680c2e0", - "value": "APT32 (G0050) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "290a1ceb-68e1-42ae-be81-f474038aaa05", - "value": "Prikormka (S0113) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "49404706-aa42-4914-a273-2eeb217e6477", - "value": "OilRig (G0049) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "f5fee3da-a3ef-4a81-a70c-9660ab1fb3d6", - "value": "XAgentOSX (S0161) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ab7faed6-3c50-4b04-a31b-ac2c933a51ef", - "value": "HTTPBrowser (S0070) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "dad229e7-fcc6-4c1d-99c3-47d54fbc6892", - "value": "CosmicDuke (S0050) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2b4a8be2-8403-43d4-addd-79c504e3dec8", - "value": "Remsec (S0125) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "aaca7907-7a43-4ebb-bd2b-bf7f497d9134", - "value": "Hi-Zor (S0087) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "ab7eb363-c775-4065-a80d-1b324f22d0b8", - "value": "Ke3chang (G0004) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "d39e3775-9221-4020-b826-edc111e36c7c", - "value": "OilRig (G0049) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a" - }, - "uuid": "dc4e54ed-ca71-4dd1-a61e-714222c0c76d", - "value": "CopyKittens (G0052) uses TDTESS (S0164)" - }, - { - "meta": { - "source-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", - "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" - }, - "uuid": "c56de8bc-ad9e-415a-8840-ae294ed4f88a", - "value": "Power Loader (S0177) uses Extra Window Memory Injection (T1181)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "88896f55-5606-4b21-8616-e7965a863dd8", - "value": "Lazarus Group (G0032) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "25ad5783-c7fe-4715-b4ce-c03b36ccdfa8", - "value": "BLACKCOFFEE (S0069) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "cb2d2f2d-face-430b-995d-c9bd35db5b90", - "value": "Suckfly (G0039) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "54d3eadf-0363-47d1-b51d-a16d6a99c42e", - "value": "APT28 (G0007) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "0c03f2b4-a752-4d74-9c26-5306132a3329", - "value": "OilRig (G0049) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b03aafb3-dc03-4e12-9354-69a579b60aaf", - "value": "Dust Storm (G0031) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "f73df541-6b55-42d1-aec3-53660fda1508", - "value": "Gamaredon Group (G0047) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "8765dd7e-33cc-4040-927d-bf0aa16d3d79", - "value": "OSInfo (S0165) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d6204645-83ff-4b26-a011-9b58bab2d597", - "value": "Daserf (S0187) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "98bdcea2-1c8d-4a65-b75d-075a00d6e87c", - "value": "System Network Configuration Discovery Mitigation (T1016) mitigates System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "a6e4853a-78a6-4c88-a7c5-58793d3e4dcd", - "value": "pngdowner (S0067) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "9267fe42-6290-4342-8024-38d703db4376", - "value": "BACKSPACE (S0031) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "a67d4b9b-0c8f-41d8-a7f2-6d4c61fcb1ea", - "value": "USBStealer (S0136) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "eaa06586-e33e-4e4c-91ca-76935c22e012", - "value": "Ke3chang (G0004) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "35ec37ba-44aa-49b1-9379-3f6070554c62", - "value": "RARSTONE (S0055) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "81b183bc-de6a-457c-a3f3-a1168e8456f1", - "value": "Misdat (S0083) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6d51e34d-d2ee-41aa-9ec7-dc74c84ebe9f", - "value": "RedLeaves (S0153) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d219ed2b-2877-450f-9a69-a30f36497d14", - "value": "Gazer (S0168) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "b003a96b-81f7-436c-99a6-a25323f759ac", - "value": "Query Registry Mitigation (T1012) mitigates Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "0cbc1f3f-7a32-4056-bfa6-25186ac5e6a4", - "value": "StreamEx (S0142) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "b98c506f-3dd3-45c1-b81a-3e23bcfe6198", - "value": "Regin (S0019) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "6f884bda-0c39-4d3b-97e3-29ae9099fa45", - "value": "Threat Group-3390 (G0027) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "cb0ebed2-4cac-437b-b5b2-37ee716af3f0", - "value": "CozyCar (S0046) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "8c553311-0baa-4146-997a-f79acef3d831" - }, - "uuid": "7dba7706-128e-43a7-a240-6d456c9003a2", - "value": "Naikon (G0019) uses RARSTONE (S0055)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "b25f5d90-f6cc-47e9-89f1-5527886bf536", - "value": "RawPOS (S0169) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131" - }, - "uuid": "0ec4a49c-0adc-41fb-afc2-e99f1e7c5200", - "value": "Dust Storm (G0031) uses S-Type (S0085)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "6610332d-86a5-46dc-a0a1-31c2fe31f164", - "value": "RedLeaves (S0153) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "935971d6-0af2-4683-971a-9acb523733fe", - "value": "Windows Credential Editor (S0005) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "bb8149a2-fdda-4c3a-9e02-f530c4ee7962", - "value": "GLOOXMAIL (S0026) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "e8e4b87c-3d30-4627-8060-5b5116d057fc", - "value": "KOMPROGO (S0156) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "1082a68e-549b-47d5-9eb3-e719f01ce42b", - "value": "H1N1 (S0132) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "301de16e-3829-4fb0-b217-dcdfca7398c9", - "value": "Ke3chang (G0004) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "7e221899-d90a-4c9a-8ea4-77110c45f0f9", - "value": "Lazarus Group (G0032) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "6613ed52-5c6c-43f2-bd0c-9809769cb022", - "value": "4H RAT (S0065) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "35697909-4c19-4799-a5ac-3153750619f8", - "value": "Volgmer (S0180) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", - "target-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913" - }, - "uuid": "8859897c-66f5-4754-8cb8-2c6e6b8b8e2e", - "value": "Lotus Blossom (G0030) uses Elise (S0081)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "4ee54acd-fc04-43c2-8cf6-2200a802d0b9", - "value": "Remsec (S0125) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", - "target-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6" - }, - "uuid": "d17c02f0-bd1f-4c16-8fe7-28d347407f2e", - "value": "Trap Mitigation (T1154) mitigates Trap (T1154)" - }, - { - "meta": { - "source-uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "5a491b91-739f-498b-b8f2-b14aaea07893", - "value": "Credentials in Files Mitigation (T1081) mitigates Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b3bc844c-bebf-4756-8d33-6e16ca4ee6a1", - "value": "BBSRAT (S0127) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "b9e2fac9-fc1a-4e13-ac68-1a5796b04d72", - "value": "XAgentOSX (S0161) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "cc495391-9abd-4df1-8ad7-ec8d84feaeb9", - "value": "Sowbug (G0054) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "e590aaaa-40fd-4f61-93f3-f2d6daee65a4", - "value": "APT3 (G0022) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "d295beee-439c-44f9-9908-4cb194331de9", - "value": "Deep Panda (G0009) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "03fc71a1-c589-4396-b5c7-70dfde49c55c", - "value": "Duqu (S0038) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "bd78bfa6-f30e-4429-ac06-0039d553a69d", - "value": "menuPass (G0045) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "f9773935-853e-4d5e-9345-9587fd77340d", - "value": "DustySky (S0062) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "74859e2a-7a8f-4b87-b75c-7286b3de685c", - "value": "FIN7 (G0046) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "f43ab4db-5dea-4a1f-977a-f5d779330193", - "value": "Deep Panda (G0009) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "8b5d4742-35a6-4ab7-993c-e20831ab0020", - "value": "Janicab (S0163) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "edaa004e-8239-40d8-a4f0-8849c4f0e87f", - "value": "JHUHUGIT (S0044) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "753f9861-f0b8-4467-ac5e-4457bd350095", - "value": "TINYTYPHON (S0131) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "5a6942dc-eab7-4f45-b5fa-6149774e2acc", - "value": "menuPass (G0045) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "6b19a5ae-3f6a-4950-94da-22d94477d5d2", - "value": "BBSRAT (S0127) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "f4f5b6a4-26d5-4352-a25d-001a51a0a121", - "value": "Downdelph (S0134) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "e3b79cfa-6ea8-4e7a-85f8-9862702d466a", - "value": "FLIPSIDE (S0173) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, - "uuid": "812b36a3-ed93-4b45-95c3-39a9ac9c36f5", - "value": "Modify Existing Service Mitigation (T1031) mitigates Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "e38e741c-a7ef-420a-911a-1d2cf6abf49d", - "value": "admin@338 (G0018) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "47a95ac1-e37a-40ea-bf1e-e99ff4483998", - "value": "Matroyshka (S0167) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "fbae4191-679a-45b2-8ebb-8adb5348f4d0", - "value": "CosmicDuke (S0050) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "68852bf2-c3cf-4d59-b1c1-f6af8fb61be6", - "value": "gh0st (S0032) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb" - }, - "uuid": "d26b3aeb-972f-471e-ab59-dc1ee2aa532e", - "value": "APT28 (G0007) uses USBStealer (S0136)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "609d3d8c-1995-43ef-a102-a39d668a774d", - "value": "MoonWind (S0149) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "bd8aaa70-710d-45a7-bb43-6b2e37f7c797", - "value": "RedLeaves (S0153) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "9c7a9bd0-4f52-4c10-8e79-3b6e72d431d1", - "value": "Downdelph (S0134) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "8d65162b-650d-4a38-9c19-cc6c8e85a2e9", - "value": "PittyTiger (G0011) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3ebad12d-fd33-4289-93dc-1f5af5e90b66", - "value": "FLASHFLOOD (S0036) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "84d633a4-dd93-40ca-8510-40238c021931", - "target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93" - }, - "uuid": "36adf5c8-2426-41e1-807d-f4d7958b9d54", - "value": "Hidden Files and Directories Mitigation (T1158) mitigates Hidden Files and Directories (T1158)" - }, - { - "meta": { - "source-uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", - "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" - }, - "uuid": "126bfb52-654a-4056-be93-37a06f8d6a32", - "value": "LLMNR/NBT-NS Poisoning Mitigation (T1171) mitigates LLMNR/NBT-NS Poisoning (T1171)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "731710ae-a6b9-47b7-b8b2-8526ce60be2f", - "value": "CHOPSTICK (S0023) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "7b355dcf-9a9f-43b3-9989-128f5171b5c3", - "value": "admin@338 (G0018) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "a4a49b56-e220-4a81-a0da-43b63c012cfe", - "value": "CozyCar (S0046) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "028c3adf-4182-4250-9642-2ce5c448f710", - "value": "Mimikatz (S0002) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "23df6015-0167-481c-84aa-3d15d3e38a85", - "value": "SPACESHIP (S0035) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "4d3e4232-1330-45a9-9e90-9914eed276a5", - "value": "Stealth Falcon (G0038) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "789cf81d-bfc9-4c1a-a34a-57e41981894a", - "value": "PowerDuke (S0139) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c476a0da-44fd-4492-86ae-407aabab3735", - "value": "Matroyshka (S0167) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "c48f6a1b-1599-4e82-a7b6-1f7b5186e99e", - "value": "BlackEnergy (S0089) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "e0cf8a56-e8e1-43b0-9efc-f167d1cf21de", - "value": "POWRUNER (S0184) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "bd2a23f7-88cd-47d2-b30e-9356d0204a8e", - "value": "Turla (G0010) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "9e587add-08b7-4ecb-a40a-664b9cff1d0f", - "value": "Remsec (S0125) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "68bbad6c-1685-4275-bd36-b885a64caf6d", - "value": "Elise (S0081) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" - }, - "uuid": "2a220ca3-88f4-40eb-8041-184c412950d4", - "value": "Naikon (G0019) uses Ping (S0097)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "147d2e66-25de-42ea-8592-eb51333f595c", - "value": "BlackEnergy (S0089) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "24ea53e3-a51f-4c4a-b3de-2e1d09ed69e8", - "value": "PowerDuke (S0139) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", - "target-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228" - }, - "uuid": "0bc1693e-d481-46d7-bd62-3ed6884986d2", - "value": "Graphical User Interface Mitigation (T1061) mitigates Graphical User Interface (T1061)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "0b36c1d0-d016-4c12-bf61-6dc14b29c7e0", - "value": "Threat Group-3390 (G0027) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "6ed5961a-224a-419b-b696-8962813158f2", - "value": "FIN6 (G0037) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4f08676f-51c1-4cb5-94a7-08922e4886c6", - "value": "Hi-Zor (S0087) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "c74f0442-88c6-4f2b-abb1-c2f269a93d69", - "value": "Dragonfly (G0035) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5c84d301-b6d1-4af8-9c25-1260e05fa924", - "value": "MoonWind (S0149) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "43a63e7a-d673-47c0-9af5-76dcd5a5d9b8", - "value": "4H RAT (S0065) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9f1c680d-042e-4291-bf9c-85c51120aa8b", - "value": "Volgmer (S0180) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "d4d07662-749c-4116-a83c-e4045eddad43", - "value": "menuPass (G0045) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "3a241a6c-11ee-4abc-a551-b5d4e594aad4", - "value": "OLDBAIT (S0138) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "291b7fbf-5b5f-460a-8009-cadb383b3262", - "value": "HTTPBrowser (S0070) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "d30d8fa0-7f24-41e5-ae8d-e4449e88d2f0", - "value": "Gamaredon Group (G0047) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fcc12c1f-1a46-49f4-a872-99cb97968bf0", - "value": "Agent.btz (S0092) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", - "target-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8" - }, - "uuid": "a48d44d2-a84c-45dc-9a59-2bc21f2f2301", - "value": ".bash_profile and .bashrc Mitigation (T1156) mitigates .bash_profile and .bashrc (T1156)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4887f5b0-45ed-4848-a984-4e72263e33d8", - "value": "Felismus (S0171) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "f7740e3c-c143-40b7-a8da-e797f5d74b50", - "value": "USBStealer (S0136) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4af1ec66-5007-49df-8a10-df2c8ed7edc8", - "value": "BBSRAT (S0127) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "48042284-2fde-43f0-a3dc-f64e9f16bd77", - "value": "APT3 (G0022) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "e27e75c2-5734-4602-8a32-c56bb50f890b", - "value": "SNUGRIDE (S0159) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "0f3af4de-b1cc-4cc2-9eb7-9aa46cdebfcd", - "value": "Duqu (S0038) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "305ecc72-e820-44cb-ab52-593ccca814ff", - "value": "Kasidet (S0088) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a" - }, - "uuid": "a18071ad-fe4f-4014-ad9a-1b0a66df3eab", - "value": "APT30 (G0013) uses FLASHFLOOD (S0036)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "98d3455f-49cc-4539-ba35-4b11bec0ddcd", - "value": "Reaver (S0172) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7b88fc6b-32c0-4c3d-9ea3-505543c7f374", - "value": "Create Account Mitigation (T1136) mitigates Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3f954be4-205c-4cec-92f9-36715e204a49", - "value": "Patchwork (G0040) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", - "target-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148" - }, - "uuid": "e9b0af76-f6b1-43b0-ac0e-ea23582f575b", - "value": "Charming Kitten (G0058) uses DownPaper (S0186)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "7cac6ccb-d070-47da-8ebf-4034b0fddb7c", - "value": "BlackEnergy (S0089) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "d92b5b68-4c3e-436f-a922-997467831409", - "value": "Trojan.Mebromi (S0001) uses System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cc705bf0-ba29-443e-9cd5-aef247505210", - "value": "APT3 (G0022) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "4d7add6f-ebd5-477f-9958-a5176835da2e", - "value": "CosmicDuke (S0050) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "243bf0fe-68eb-4d82-bbbf-d551611a0cd8", - "value": "Windows Admin Shares Mitigation (T1077) mitigates Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "d8e375a3-f455-4c66-bc63-251f320ec8b1", - "value": "OilRig (G0049) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "9213f7ac-c548-4139-950b-5481a94570f9", - "value": "Registry Run Keys / Start Folder Mitigation (T1060) mitigates Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "3d97f57c-2a7c-4626-8b05-9d345047d3ad", - "value": "PlugX (S0013) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "8ac07a3f-9468-47a3-8ecc-c432f80e03f4", - "value": "APT3 (G0022) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8b3f374c-9f56-4493-8b85-72d0750d0c59", - "value": "FIN10 (G0051) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9e214d5b-7d46-4135-bc42-4caab16b39d8", - "value": "SPACESHIP (S0035) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3acdd018-80a0-4005-bab9-0cf89acfa43a", - "value": "PinchDuke (S0048) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f6915cfa-4c11-4830-bcd8-aa648596b895", - "value": "CopyKittens (G0052) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "3f327394-55be-4dac-8e79-93c49be0426a", - "value": "3PARA RAT (S0066) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c63c7dc5-e374-4bf0-9839-0f940ac6d46c", - "value": "Gamaredon Group (G0047) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "432f40d2-5309-4cc1-9544-2943233c3c2c", - "value": "FIN5 (G0053) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4e5dff55-c686-4fa6-bad1-caa8507083d9", - "value": "Sakula (S0074) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "e71903c4-a7af-4317-adf0-10f76d3d4e15", - "value": "APT28 (G0007) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283" - }, - "uuid": "7909f5a6-3924-4259-aedd-2e48123f563a", - "value": "APT1 (G0006) uses CALENDAR (S0025)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "2af3c673-c0c6-4246-aacc-984eb370e7b9", - "value": "FIN5 (G0053) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "e5a2a20c-1ef7-49a9-a9fa-2b89231793b8", - "value": "T9000 (S0098) uses Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "cb4af413-9bd7-4f1a-a693-57d11ffccbf5", - "value": "Cherry Picker (S0107) uses AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "cc2099fb-4785-4884-b274-4f3e8a3b8d99", - "value": "ADVSTORESHELL (S0045) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "2f507d82-1df4-4c9c-804a-2e6060944142", - "value": "Daserf (S0187) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4eec017c-8bf2-4eda-8c92-15926fc7e5aa", - "value": "Lazarus Group (G0032) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "ff61ebde-befe-488a-89d0-dc4c49e60d59", - "value": "CosmicDuke (S0050) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f", - "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" - }, - "uuid": "a38d4ac5-1d3d-4a2f-9493-ff3e2a4669b8", - "value": "Application Shimming Mitigation (T1138) mitigates Application Shimming (T1138)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "675f24e0-c445-4eb3-a191-16fb181f6e30", - "value": "Magic Hound (G0059) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "647032ac-0432-4785-9d50-06b9970bcbcb", - "value": "Custom Command and Control Protocol Mitigation (T1094) mitigates Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "63a7bbf6-bb2e-41e7-8893-c3f7f207a7a7", - "value": "XAgentOSX (S0161) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a8e6ca7b-5d75-429a-b8f8-de97d5c277b3", - "value": "Net Crawler (S0056) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "a6962782-1942-42f5-a627-f205376e2ec2", - "value": "BACKSPACE (S0031) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "c7823efd-005f-49ad-94cf-ebc44a87abed", - "value": "APT1 (G0006) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "f16c18f0-c5ac-4ea2-bfd0-222e63c09018", - "value": "menuPass (G0045) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "ac3b6751-e615-44f6-a086-0c236742d8fd", - "value": "Psylo (S0078) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "d2858dfa-504f-416d-8801-41a1a9561f22", - "value": "APT3 (G0022) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "abb4a85a-d98a-46f7-965b-48d9f88fe9b6", - "value": "RemoteCMD (S0166) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "a4c59c09-2abd-4c49-8156-0ccc9214b66e", - "value": "Magic Hound (G0059) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "9f653750-2ee6-4d00-906b-c71f1d217288", - "value": "Felismus (S0171) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f" - }, - "uuid": "49d09bc3-cdc0-479b-8516-f64bff9b6757", - "value": "FIN7 (G0046) uses HALFBAKED (S0151)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "6fb6c639-cefa-4c7f-af89-26cb5fcd4030", - "value": "Ke3chang (G0004) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b" - }, - "uuid": "8119ee71-e017-4ba0-9aeb-a14c46f64f1a", - "value": "Naikon (G0019) uses HDoor (S0061)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "73da57b5-e64f-44ee-85f7-d294c21fb534", - "value": "Stealth Falcon (G0038) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "1b141c9e-a679-40c7-ad7b-ac40ac586471", - "value": "admin@338 (G0018) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9cef6fec-e4eb-49eb-85db-880138f335bd", - "value": "Rover (S0090) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "d8a5e73d-fe56-42d7-a53d-09a90c21308b", - "value": "OSInfo (S0165) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6" - }, - "uuid": "3ae8d262-d2f8-4fa5-adb4-e379d43b9c37", - "value": "APT29 (G0016) uses GeminiDuke (S0049)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "198d7156-eff4-4a6e-8e59-ab8a656f77a8", - "value": "Crimson (S0115) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2e5039ef-913f-4808-9685-32f64f4dbf49", - "value": "Wingbird (S0176) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "4b6bee9b-469e-48ce-84fa-5322de03470a", - "value": "FakeM (S0076) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "0c143634-89e1-47a0-9044-4ca39ccff76a", - "value": "XTunnel (S0117) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "5b69fc3c-1bf7-4092-be94-755790ccf41f", - "value": "Helminth (S0170) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "3537c31f-bd6f-4cad-97ac-4ec3d8a9478b", - "value": "Helminth (S0170) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "28189361-4cd2-4925-a095-d7ebd07ebd57", - "value": "netstat (S0104) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "084ac639-2502-4020-8938-65352349acbb", - "value": "Volgmer (S0180) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "03ab3120-4c6e-4de2-982a-fe22d466f748", - "value": "USBStealer (S0136) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "361cbd71-b178-44d0-9802-78a310938bad", - "value": "Molerats (G0021) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "329678a6-eb6b-499b-90a8-059d1cf1a35f", - "value": "SslMM (S0058) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "d77a4123-3d46-4317-8921-f6eb8c34c585", - "value": "PinchDuke (S0048) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "b6ae274b-f0b3-4694-ab8d-37e0c62cff35", - "value": "Backdoor.Oldrea (S0093) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "1c677f35-b73b-47bc-b162-1fd036a38def", - "value": "PowerDuke (S0139) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "78f237da-f58b-4849-b2ee-cf1f3f7a1a42", - "value": "Threat Group-3390 (G0027) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "05e05236-1635-48d7-8ee3-33319c01c815", - "value": "Winnti Group (G0044) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "ce9dbe5b-1b16-41d6-a7af-a2a1b33c4552", - "value": "Daserf (S0187) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "1c7b9a1b-e874-4881-884a-e3c3d1fd8aed", - "value": "Cleaver (G0003) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "37c94531-1e56-4640-93fd-e9fd65da4f80", - "value": "Darkhotel (G0012) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "566d783a-2d86-4b9a-8ca0-5013de5f7fb4", - "value": "ISMInjector (S0189) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "79ecf1f6-a17d-4374-a84c-811669e39261", - "value": "SslMM (S0058) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "c612eb88-d7e0-46cc-a9bc-d0da2977ff00", - "value": "USBStealer (S0136) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "b2b873cd-8618-426e-9cae-9e6755acafad", - "value": "EvilGrab (S0152) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a403648d-4c23-46bd-9688-1face1407b42", - "value": "SOUNDBITE (S0157) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "fa155ccc-b9db-48f6-bb1a-a367596668ad", - "value": "BRONZE BUTLER (G0060) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "69c1806d-e6ae-4c11-bce6-8fbebd8bbee5", - "value": "netsh (S0108) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "e7379230-882e-4b5c-bee1-629e9028e97f", - "value": "APT3 (G0022) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "b4c7e12f-6921-4007-ab15-595969bf9eca", - "value": "POWRUNER (S0184) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2892eada-7633-4428-80e0-0e965d5faf5c", - "value": "DustySky (S0062) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9" - }, - "uuid": "49957d89-7449-476a-b542-d7811a86c230", - "value": "Cleaver (G0003) uses TinyZBot (S0004)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1b3cc0cb-de43-405b-bfa5-f0bececabf8c", - "value": "GeminiDuke (S0049) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "f02f0a58-a76b-4966-8717-8a9b40b07e81", - "value": "SNUGRIDE (S0159) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c7e6d4a6-8d99-4134-848a-f4f712eb4316", - "value": "Ke3chang (G0004) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3076f49e-0db2-4652-a07d-653027aeef1e", - "value": "Remsec (S0125) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "3d602fec-cf94-4aa4-a4d9-cad286e6881f", - "value": "FIN10 (G0051) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "f81df2c8-1edd-4734-a1c9-cca6e4c56607", - "value": "Kasidet (S0088) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "2244e21e-b7f6-476f-8f58-67db772f9736", - "value": "CALENDAR (S0025) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "73171e71-b769-41ff-874a-ff76da43541f", - "value": "Emissary (S0082) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "51d06864-d5de-4286-b2bb-561a8d2c4d49", - "value": "APT28 (G0007) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "b9f4c6ef-d0bd-4651-9445-4705e1fd85f2", - "value": "Axiom (G0001) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4de2ac9b-4e51-4d73-8fe3-d7d1659778b8", - "value": "Stealth Falcon (G0038) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e90717f3-fad2-4978-be15-7dfb647d034d", - "value": "Rover (S0090) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "5f00edf9-fcfc-4514-8d06-bc69f91f9260", - "value": "APT32 (G0050) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "8b96fb11-8b54-4bed-9e6c-cd93b29c5c20", - "value": "Agent.btz (S0092) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b077d81d-0449-493f-9b93-23dc0fb0b62d", - "value": "FIN7 (G0046) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "af4d45e1-1aa4-444c-b176-31df7aaf9374", - "value": "TDTESS (S0164) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "dc10e96f-1d3c-4ab9-8df6-acdc8238ec6c", - "value": "APT28 (G0007) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", - "target-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44" - }, - "uuid": "51006a56-a1fa-4467-b930-6488de0d32bd", - "value": "Equation (G0020) uses Component Firmware (T1109)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d7d3cf5c-e541-4639-95c6-8cdea60b084d", - "value": "cmd (S0106) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df" - }, - "uuid": "a7180b8e-c580-49ab-bbfb-e56e8ab48823", - "value": "APT29 (G0016) uses CloudDuke (S0054)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "c79796c1-88d6-4cd8-95d3-4f81d3755859", - "value": "Lazarus Group (G0032) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "51372934-2c81-4db7-aa38-cbb173698cc2", - "value": "menuPass (G0045) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "5909e6e9-c620-4278-9bdc-113f09e5799b", - "value": "Cobalt Strike (S0154) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "58882b0d-0f4a-4e12-b8c1-f43c53fd96f4", - "value": "Carbanak (G0008) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "53d7b242-3ed6-4281-9829-e25d425e28fe", - "value": "BlackEnergy (S0089) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "35b912d8-bf46-4dec-b2eb-c48c0056af6e", - "value": "Magic Hound (G0059) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c008b7f3-0507-4987-a7e4-8c4d57cb4ca5", - "value": "DustySky (S0062) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "b60dcc78-83b0-4fe2-b874-6f22f99b6087", - "value": "Magic Hound (G0059) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5301c007-7c00-4b4d-b355-864db8de052f", - "value": "CORESHELL (S0137) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "5bda4ebe-cd21-469e-9495-952df7254f17", - "value": "APT29 (G0016) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a" - }, - "uuid": "da3a85c7-7590-48b1-8a22-2f8b00060f83", - "value": "APT29 (G0016) uses PowerDuke (S0139)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "ef1cdbe7-29c9-4be9-a3f7-96e5b7bae031", - "value": "APT3 (G0022) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "09e8b282-61ee-4107-94f5-d03e28199fe9", - "value": "S-Type (S0085) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "87131e3c-9d73-4910-a56d-f917d6660a7d", - "value": "Service Execution Mitigation (T1035) mitigates Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "a79ff150-e765-4303-9668-ff553d6000cd", - "value": "Sakula (S0074) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "8beb37e3-5cf0-4229-ae27-186a37133521", - "value": "BBSRAT (S0127) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "290c4e3b-00be-411f-b0c8-919e85e08a49", - "value": "Prikormka (S0113) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "bea7bd3c-1251-4858-8957-a6dc3bb840d2", - "value": "China Chopper (S0020) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "e465e173-04d8-4a2b-8953-a2fa3b44aec0", - "value": "PowerDuke (S0139) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "95805281-96b1-49ea-95ee-9d654178c5c3", - "value": "BRONZE BUTLER (G0060) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "ace4daee-f914-4707-be75-843f16da2edf", - "target-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8" - }, - "uuid": "9952a93f-d009-48e5-a618-8e8f97a55685", - "value": "Bash History Mitigation (T1139) mitigates Bash History (T1139)" - }, - { - "meta": { - "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "cf859589-38ac-4152-b206-08740ccf503b", - "value": "Taidoor (S0011) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": "130275cb-368e-4168-a4bf-60b39566bc50", - "value": "Scheduled Transfer Mitigation (T1029) mitigates Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "259a5116-2492-4d7b-b300-1cf9b8c79f00", - "value": "Helminth (S0170) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "0649f7fd-3aa1-4646-a7a4-2334088c6c74", - "value": "T9000 (S0098) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "745106bb-3641-488e-ae1c-547cd6ea9b7a", - "value": "cmd (S0106) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5" - }, - "uuid": "614c18a5-2cee-48ac-898d-e1b85a91e44d", - "value": "Threat Group-3390 (G0027) uses OwaAuth (S0072)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fb60b027-facd-4be2-b8b2-0fb9351ea235", - "value": "cmd (S0106) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "1f972385-7f1c-4cbd-a071-951973e6d229", - "value": "MiniDuke (S0051) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "73a53379-746e-46db-b101-1fc45df5e458", - "value": "Shamoon (S0140) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "00b0af92-df59-4d56-ac3e-18f6f1f72957", - "value": "Flame (S0143) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d" - }, - "uuid": "fa9a8640-75e5-458c-99c0-e5e85aa32a77", - "value": "Dragonfly (G0035) uses Trojan.Karagany (S0094)" - }, - { - "meta": { - "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "ac3ee298-bef0-4a52-9050-3dcef1701408", - "value": "FTP (S0095) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8", - "value": "CHOPSTICK (S0023) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "82384148-90fd-4bfa-a734-e9c8b37b584f", - "value": "Carbanak (S0030) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "171380bf-41ff-43da-86fe-c131f5f7b97b", - "value": "Cherry Picker (S0107) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "f64acb43-91b8-431a-ad0a-ad22afe5851a", - "value": "Duqu (S0038) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "e45cdf20-e182-4346-8c98-a48575282ae6", - "value": "Kasidet (S0088) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "1f764874-0e08-4799-9487-a9e12c499c13", - "value": "FIN6 (G0037) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "ec418d1b-4963-439f-b055-f914737ef362", - "target-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b" - }, - "uuid": "0ac55ad4-0f16-416e-bf88-67ee1aad85ab", - "value": "InstallUtil Mitigation (T1118) mitigates InstallUtil (T1118)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7fd4fe68-0f2a-485c-9b10-6847428ef5da", - "value": "Derusbi (S0021) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "988cb889-b385-4e8f-be06-7d41c4da0dd7", - "value": "JHUHUGIT (S0044) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "12ea66f1-566a-404f-a948-f76b9047710e", - "value": "menuPass (G0045) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "d078f862-c090-4e79-808b-ff69887a920c", - "value": "POWRUNER (S0184) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" - }, - "uuid": "41f04732-8fdc-4b2f-9e22-7b78ff650e5d", - "value": "Mimikatz (S0002) uses Security Support Provider (T1101)" - }, - { - "meta": { - "source-uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", - "target-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4" - }, - "uuid": "a6a8e3e4-faa7-4c9f-9460-fabbbc8c844c", - "value": "Launch Daemon Mitigation (T1160) mitigates Launch Daemon (T1160)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "e25b4146-2f52-4c5b-a1f8-3e868e767f84", - "value": "FIN5 (G0053) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "678be242-66fd-40b8-bbf1-24c3dda77895", - "value": "Execution through API Mitigation (T1106) mitigates Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68" - }, - "uuid": "bd5b6f31-2248-4af8-8e8e-e3273aaa57e4", - "value": "APT29 (G0016) uses Tor (S0183)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "35f02c40-d46f-44fa-8ba2-5106357494b4", - "value": "FALLCHILL (S0181) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "9b2356e1-6544-40a7-a694-8ac36a1da1b7", - "value": "Ping (S0097) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719" - }, - "uuid": "89363ca8-1cf3-4c40-972c-6e2787a05b43", - "value": "APT28 (G0007) uses Responder (S0174)" - }, - { - "meta": { - "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "5365d764-76fa-49ce-b76b-d0344322b037", - "value": "Reg (S0075) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c33c2a0f-eb88-43ef-be7b-6311bef2da3d", - "value": "RedLeaves (S0153) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "0d63f3cf-bace-4210-9b76-199c5cdb8764", - "value": "Stealth Falcon (G0038) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" - }, - "uuid": "b4f8c479-aab5-481d-aa04-922677da108a", - "value": "Gazer (S0168) uses Screensaver (T1180)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "4d82bac6-ec9d-4f4b-a471-169728a830a4", - "value": "APT3 (G0022) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d3234cf8-0ef7-4447-ae3a-9624f3229265", - "value": "XTunnel (S0117) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "26968975-5f01-4b4b-9cdc-ef3b76710304", - "value": "4H RAT (S0065) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "86461465-cb29-4fc9-8fa8-8956c0f94536", - "value": "Dust Storm (G0031) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": "9f62c4e4-02d4-497b-8039-cc4e816386a5", - "value": "Lazarus Group (G0032) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "60137eb6-ed8c-41ce-bf75-6b45cdafe751", - "value": "Derusbi (S0021) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "106aae81-fab1-42b3-97b0-4f0c1d67c896", - "value": "Emissary (S0082) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e5efa7ca-3e2a-4f08-ac2c-f5f317c9caf7", - "value": "USBStealer (S0136) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8" - }, - "uuid": "edea5971-fc27-4637-8de9-aabcd50784a7", - "value": "Strider (G0041) uses Remsec (S0125)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "1a028242-1896-4867-a691-c97867f1663d", - "value": "Elise (S0081) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5d2ca571-9e66-4949-b3a1-978c47398b18", - "value": "Derusbi (S0021) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "0061f7aa-fe4e-41e5-8ebf-e9f526bda08f", - "value": "TDTESS (S0164) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "dbf13cc5-f61b-41fd-96fa-d0bac20549bc", - "value": "Duqu (S0038) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, - "uuid": "96a09c57-4848-464e-8649-142152c91db9", - "value": "Volgmer (S0180) uses Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "0d2a66c5-fb8e-4cbb-9526-579b5c9c881c", - "value": "T9000 (S0098) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "0d889b2d-eda4-45dc-99bf-c530b7d4b05f", - "value": "menuPass (G0045) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" - }, - "uuid": "2b6da092-7380-4bd3-bd4c-f136a5b9b4cc", - "value": "Sykipot (S0018) uses Two-Factor Authentication Interception (T1111)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "16cb7ede-b431-4711-bcb1-91bc925663e5", - "value": "BACKSPACE (S0031) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" - }, - "uuid": "07f83a39-8bb0-44f1-9c81-7291ba10dd03", - "value": "Gazer (S0168) uses Winlogon Helper DLL (T1004)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fea6e347-95f5-4d97-8781-4cc15d6b5b0c", - "value": "Sys10 (S0060) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2e44b66a-0f81-4f60-94aa-c450556bc243", - "value": "ChChes (S0144) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "09266cb7-26b3-4959-bcff-a91e309b5588", - "value": "Helminth (S0170) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b3831788-f18f-4315-997e-275e425c0d31", - "value": "RemoteCMD (S0166) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "11874e26-e692-43da-bb54-760e51a4714f", - "value": "S-Type (S0085) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "40c5a024-37db-478b-b90f-27f184bf8f60", - "value": "Tasklist (S0057) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "74e84133-f84a-469a-bfd7-1a514af2f15e", - "value": "T9000 (S0098) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "bb784f1f-fb42-4587-9fe2-9dd5c8dffa5c", - "value": "Magic Hound (G0059) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e" - }, - "uuid": "845482a1-a062-407d-a83e-90d883d1d91b", - "value": "menuPass (G0045) uses ChChes (S0144)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565" - }, - "uuid": "35a9c64c-c305-46bf-a216-c8bb1b051614", - "value": "Turla (G0010) uses ComRAT (S0126)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "b2dbbb46-9659-4277-8753-c469c4bfe409", - "value": "Threat Group-3390 (G0027) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2" - }, - "uuid": "75d04175-c43d-46cd-be08-5f4c91f767ed", - "value": "APT28 (G0007) uses JHUHUGIT (S0044)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "53ad6525-7888-4651-bd43-c010b489ccc0", - "value": "RawPOS (S0169) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "c5da001c-2c17-4e83-8e5c-21863ead4bd9", - "value": "Patchwork (G0040) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "788e8246-d835-42c6-b8b4-7efad31e4a84", - "value": "Gamaredon Group (G0047) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "c987dc63-ef3d-43aa-9344-bd9fd528c55d", - "value": "Elise (S0081) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "1bbb499c-81c8-4e94-8305-86b199e8298b", - "value": "Wingbird (S0176) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d" - }, - "uuid": "0cde085d-12ca-4cde-a99c-c37d63d7dc2e", - "value": "Putter Panda (G0024) uses pngdowner (S0067)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5dd257c0-c2cb-422a-9991-93ff667c5ad6", - "value": "FALLCHILL (S0181) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "bb55d7e7-28af-4efd-8384-289f1a8b173e", - "value": "Account Manipulation Mitigation (T1098) mitigates Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8bbb18a7-5eab-4832-beac-f52f30b54862", - "value": "Scheduled Task Mitigation (T1053) mitigates Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "39590383-ba69-4d8f-9520-e893cd4ebcdf", - "value": "FIN5 (G0053) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d021d378-a5ff-4020-972c-cc9152e824b0", - "value": "Darkhotel (G0012) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0e58b447-7b3e-404c-b8e5-003734c34574", - "value": "MoonWind (S0149) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "32a470e7-4bbc-43e8-ae8e-09b382dd441f", - "value": "Tasklist (S0057) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "13d8aec7-3e49-41f8-b57c-475cdc0d9632", - "value": "Threat Group-3390 (G0027) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "5e2e672a-02d4-4510-a629-942d44a558f1", - "value": "DustySky (S0062) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "d3c8d1a9-9413-4633-9cbf-4bc34bb5054d", - "value": "ADVSTORESHELL (S0045) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "48f662fe-1ba2-4c19-b782-dd06d9fb67fa", - "value": "APT28 (G0007) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "6782d7bb-5e81-4656-9445-fbd6ae1f2bdb", - "value": "EvilGrab (S0152) uses Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164" - }, - "uuid": "02462741-4148-48b3-881b-1b813ce62fcc", - "value": "APT29 (G0016) uses PinchDuke (S0048)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "a36263d1-d109-4c94-930a-6be1e9615527", - "value": "admin@338 (G0018) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "06cd0498-7ebb-41e6-9399-c43c82487540", - "value": "Audio Capture Mitigation (T1123) mitigates Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b1e7f787-2d43-442b-8bd1-4fa064f089b2", - "value": "Threat Group-3390 (G0027) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f28627be-fddd-455c-b001-abddaaa29fa7", - "value": "Winnti Group (G0044) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "8f269f6c-9e8b-4296-ab47-2f60c9156b58", - "value": "APT28 (G0007) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "92c901ce-5edb-417f-8af5-d569203e241c", - "value": "ChChes (S0144) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "ad50f322-18b6-43c7-bf6b-f77f4932fdad", - "value": "DustySky (S0062) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "bf8ae26c-c28c-4de7-a3e2-ad1a2851c1c0", - "value": "CallMe (S0077) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "fe4ed27a-6d45-4e6a-bbc0-7ebe15a38046", - "value": "RTM (S0148) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe" - }, - "uuid": "01b924d7-42dd-412f-a9af-cabcb46512ea", - "value": "Suckfly (G0039) uses Nidiran (S0118)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "92fb7408-1638-43b7-95a3-0cfeebd7624d", - "value": "RawPOS (S0169) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e104cf3c-a802-4e06-8abc-6293cea9492f", - "value": "menuPass (G0045) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "24503815-4ac5-4d57-9e95-ebeb84e0c11b", - "value": "Daserf (S0187) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "13204383-a747-4f7f-a75c-858ddc76beab", - "value": "WinMM (S0059) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87" - }, - "uuid": "2858ec3b-5814-4515-9dda-f8009fbf4cd3", - "value": "Flame (S0143) uses Exfiltration Over Other Network Medium (T1011)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "345c6135-7557-4292-8214-66618ba17edd", - "value": "RARSTONE (S0055) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3b9e7ec8-8b10-4fe4-87b3-38b7710dbbb9", - "value": "Sakula (S0074) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "efa98949-4b58-4407-8fa2-366c06dc2ed9", - "value": "BlackEnergy (S0089) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "44908b0a-993a-4339-b30f-f0f1a64c0753", - "value": "Pteranodon (S0147) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "9779ccbc-c376-4a6e-a43f-56a782892302", - "value": "OilRig (G0049) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "94b4648a-4108-468c-be51-cca365fd97ac", - "value": "Stealth Falcon (G0038) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "9453d60b-4f3f-494f-985d-e29094ef8945", - "value": "Net Crawler (S0056) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "3ebc8829-f260-4d75-817a-cd23a4ebb194", - "value": "HAMMERTOSS (S0037) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "51a03c8a-1983-4bdd-b326-78ec67f86f06", - "value": "Trojan.Karagany (S0094) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "ae61abba-14fb-4d4e-9f8e-a3b18500b449", - "value": "Lazarus Group (G0032) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "bde913a9-9895-4414-b79a-3156159033aa", - "value": "Ke3chang (G0004) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "bdde6ad0-b6eb-4e3a-80e4-8a9db6a9570d", - "value": "TinyZBot (S0004) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "ea40711b-461d-4629-b1fd-5f020b1f3257", - "value": "APT1 (G0006) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "76e75bfe-b72c-471b-9a26-eab5ed04a812", - "value": "ELMER (S0064) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "61d02387-351a-453e-a575-160a9abc3e04", - "target-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300" - }, - "uuid": "9064fd2e-4e0a-44e4-8bde-6e6c4cf8495f", - "value": "Re-opened Applications Mitigation (T1164) mitigates Re-opened Applications (T1164)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "7d047513-5fbf-4d9e-8a5d-54317123e34c", - "value": "admin@338 (G0018) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "9b1709f3-5062-42f1-82d9-191e66e1d14a", - "value": "Nidiran (S0118) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "fdcda836-4a21-45d2-8269-31b82aa3c08e", - "value": "APT29 (G0016) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "91d4c776-c259-46b0-b511-b344ca027009", - "value": "CozyCar (S0046) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "70495f42-0a81-485c-8f30-c75af61f1c6a", - "value": "OilRig (G0049) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f9ca3697-51a1-494b-8a61-06e516f29860", - "value": "Code Signing Mitigation (T1116) mitigates Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "fada6223-ba24-4c26-aa89-3998f07604f9", - "value": "Prikormka (S0113) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a1fe7df1-7c20-422e-8e86-042cd11b3501", - "value": "APT28 (G0007) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "56d023cf-4390-40d9-afc6-cb0d40b4cdd1", - "value": "APT28 (G0007) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "e42eef1a-107e-40a3-9227-45621e277ff3", - "value": "Lazarus Group (G0032) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5c816fc0-c4e3-47ef-8193-ef88eabdfc7e", - "value": "admin@338 (G0018) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "72fe5021-bace-41e4-9cc6-73af415225ac", - "value": "MoonWind (S0149) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "f36a8899-940f-4c8f-924d-eef2f056744d", - "value": "dsquery (S0105) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "e0703d4f-3972-424a-8277-84004817e024", - "target-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02" - }, - "uuid": "f132ff40-9e9d-49b8-a47d-832a21e1e56d", - "value": "Path Interception Mitigation (T1034) mitigates Path Interception (T1034)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "df207207-01b2-456b-9dc4-7afd5ffeeb46", - "value": "Prikormka (S0113) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808" - }, - "uuid": "2db640ab-413b-4c49-9842-3bf190c5e184", - "value": "APT29 (G0016) uses POSHSPY (S0150)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "089efdf8-b07a-4cda-aa5d-e60f9501ffd1", - "value": "BRONZE BUTLER (G0060) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4a4a5d60-ec17-49a2-b651-ea8918410fc2", - "value": "JHUHUGIT (S0044) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "fcfe071b-e527-44e9-9970-9243a354f563", - "value": "Regin (S0019) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3f14994e-149d-4cca-85b8-eec0964120d3", - "value": "BACKSPACE (S0031) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "49c7a467-98ce-4764-af86-c950ed951d13", - "value": "Helminth (S0170) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "412b7fbf-bc21-4373-9f2c-5f0a26482536", - "value": "Threat Group-3390 (G0027) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "95a1ac52-e022-4c81-96cc-b7b39ca776d3", - "value": "Kasidet (S0088) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "6b83bc1e-edfc-4c6a-961f-d3757ae6a234", - "value": "Mimikatz (S0002) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "05076bd4-e4cb-4234-90ae-c7ce45feb41f", - "value": "Dragonfly (G0035) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "fb3b8f32-0991-4d05-a80d-a4736372ad2a", - "value": "Janicab (S0163) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", - "target-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb" - }, - "uuid": "918956f2-db79-4721-8741-3b461a280e51", - "value": "LC_LOAD_DYLIB Addition Mitigation (T1161) mitigates LC_LOAD_DYLIB Addition (T1161)" - }, - { - "meta": { - "source-uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "4b12c645-96fc-45ac-b515-8333d6e254ef", - "value": "Data Obfuscation Mitigation (T1001) mitigates Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a", - "target-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302" - }, - "uuid": "f4aaf7ec-7ff1-4519-bd93-3eaf3074d11f", - "value": "Regsvcs/Regasm Mitigation (T1121) mitigates Regsvcs/Regasm (T1121)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "fbfc610a-5355-40fc-b5a1-059e89a1eb8d", - "value": "SslMM (S0058) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "deb7df24-689e-4e4e-909f-a270241ab65a", - "value": "Gazer (S0168) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "91ca1017-0b33-4fa1-a61f-b3dae24c7e40", - "value": "Wingbird (S0176) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "bc85f8f4-5d65-484c-af82-6adbe42083d9", - "value": "OSInfo (S0165) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "7aa43cd7-ada3-49c9-8dc7-9492fa22c7d8", - "value": "Lazarus Group (G0032) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "ea93ff11-939f-449a-a222-4273d9fc9f3c", - "value": "T9000 (S0098) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e3909a5f-ebfb-48e1-b0fc-5737217a994b", - "value": "DownPaper (S0186) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "6139509a-709b-4ef4-81fb-25b9a35e2c60", - "value": "Volgmer (S0180) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "7138c1e4-6791-424b-adc1-5b4c7d5e3cca", - "value": "Naikon (G0019) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "d2a028a0-3c4f-4984-be51-80dbcf93a1a9", - "value": "Exploitation of Vulnerability Mitigation (T1068) mitigates Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "3b35fec9-ee0d-4c2d-9936-0aa06ad6a49a", - "value": "APT1 (G0006) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "b26eb7d2-1147-4c2b-a1eb-4a457e081e22", - "value": "Cobalt Strike (S0154) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "35419603-7bc2-40f6-8e5d-4e7a8f13ebb7", - "value": "POWRUNER (S0184) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "cd38481c-7c23-4e72-b1b4-056830f5f7f3", - "value": "Exfiltration Over Command and Control Channel Mitigation (T1041) mitigates Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": "5eb253cb-2e81-4f51-bd0e-d1734283491c", - "value": "ADVSTORESHELL (S0045) uses Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8a48e090-ab8c-414e-b559-7a0437c92850", - "value": "SPACESHIP (S0035) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "1782bb6e-7a06-4dfb-96f5-dd671d8a02d5", - "value": "MoonWind (S0149) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9f618c0f-79b8-4990-a02b-6e3187b14033", - "value": "Sowbug (G0054) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "b4228f64-bc0c-47a5-a3d8-d9aabdf66bfc", - "value": "OnionDuke (S0052) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "56fac514-4461-4d8c-93a0-d12cade25169", - "value": "Prikormka (S0113) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fc1ec654-af35-4a7d-b2f6-54b4d8378cfb", - "value": "APT34 (G0057) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "5d397a8d-2195-440d-a0f5-bbf6c3e8f6e4", - "value": "ADVSTORESHELL (S0045) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "59d4e54d-66b8-4603-b189-ba67160da44d", - "value": "Pisloader (S0124) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "04e4f0d1-32a9-4d64-a733-3316b0bf2740", - "value": "CozyCar (S0046) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "dc187ed1-3987-4575-b1af-dc150e4329f8", - "value": "Agent.btz (S0092) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "17bc0957-1509-4faf-bb51-a6a9e1959978", - "value": "Magic Hound (G0059) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c75cc595-79d7-4a77-9647-d2323aad93d0", - "value": "SNUGRIDE (S0159) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "fe8a320f-e5e5-4503-8c3a-5c21b628a61d", - "value": "Threat Group-3390 (G0027) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236" - }, - "uuid": "95842c88-c596-44c7-a16e-40d98e2457cc", - "value": "APT18 (G0026) uses Pisloader (S0124)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "42dc03ec-03fb-4bf0-8f5f-e90d1aacd6e7", - "value": "KOMPROGO (S0156) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "cbc4c186-028e-4a24-93ff-5f2bb7edd98a", - "value": "Pisloader (S0124) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "4a9f7553-b3ee-405b-9c81-f487b4bed868", - "value": "Flame (S0143) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "016dc21c-ade9-43cc-9d88-a0c4c0891ccc", - "value": "USBStealer (S0136) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "539f8bc3-3fb4-43af-8918-9a65239cdff6", - "value": "Carbanak (G0008) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "954961e4-0bf5-496e-b200-e63d99c006de", - "value": "CHOPSTICK (S0023) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ed283e07-a029-4d23-aa8f-55f92abb5203", - "value": "APT3 (G0022) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "c354bbc0-74c4-4805-b6e6-f33f49272f86", - "value": "Gazer (S0168) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "e30c24d3-d440-4395-88b3-3192a02c4364", - "value": "OilRig (G0049) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "483a70b9-eae9-4d5f-925c-95c2dd7b9fa5", - "value": "Bypass User Account Control Mitigation (T1088) mitigates Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a3de3705-8085-4992-9b90-1cb8ef532b5c", - "value": "APT28 (G0007) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d13aaa09-5465-4439-b100-444242601a98", - "value": "Cobalt Strike (S0154) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "83cfa11e-f221-4dc4-b184-943c2c7f4562", - "value": "Moafee (G0002) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "746b0def-62c8-438d-b5ec-aa6b7dbfb860", - "value": "Stealth Falcon (G0038) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "19c33297-1efd-4489-b09c-a4230ce194f4", - "value": "Sys10 (S0060) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "13f986d2-949b-42c8-bd4b-b8a833b9d5de", - "value": "APT3 (G0022) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "33c8fb30-3515-4582-ad29-34fa0d7e15e5", - "value": "FIN10 (G0051) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "04e2c418-8f6c-453c-8e17-4d3aeec0f755", - "value": "SPACESHIP (S0035) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ab637576-5bf9-423f-b5e8-6d1ac26bbb5c", - "value": "Remote File Copy Mitigation (T1105) mitigates Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "fb6ffb5c-5405-4515-a120-7a34414933ea", - "value": "OilRig (G0049) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "4ac3f9d6-73e6-49d0-a49a-329eca1f5a3a", - "value": "Duqu (S0038) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "54188543-7746-4158-9a9f-5556bb99ec7a", - "value": "APT29 (G0016) uses Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", - "target-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1" - }, - "uuid": "764b5d56-83a1-4c8d-824a-2021c7fe8052", - "value": "Lotus Blossom (G0030) uses Emissary (S0082)" - }, - { - "meta": { - "source-uuid": "c88151a5-fe3f-4773-8147-d801587065a4", - "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" - }, - "uuid": "e1275bcd-0462-4f79-b18f-2132b0bb74ec", - "value": "Application Deployment Software Mitigation (T1017) mitigates Application Deployment Software (T1017)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8ce2219f-6c25-46a2-8215-a78871e2773a", - "value": "TinyZBot (S0004) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "087721ee-6643-4453-8a76-8768ced7e506", - "value": "Backdoor.Oldrea (S0093) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "4fab8d06-e6fb-472f-91ee-f2fd29ef444e", - "value": "Deep Panda (G0009) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89", - "value": "Email Collection Mitigation (T1114) mitigates Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "47415cec-25f8-4425-9125-157e1637a687", - "value": "Matroyshka (S0167) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "4c3890f0-378d-4cef-8db7-0258161ff3f7", - "value": "RTM (S0148) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "0db8a021-2f3a-41cc-abc6-d8723c7e802b", - "value": "PowerDuke (S0139) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "fc67e15c-ae09-45e1-925f-8a6b0e8ca4ab", - "value": "Janicab (S0163) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", - "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" - }, - "uuid": "9692d2b6-c933-4c1a-8ea0-1f0babfeeec9", - "value": "Hooking Mitigation (T1179) mitigates Hooking (T1179)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86" - }, - "uuid": "66a3ab46-abcb-4234-a786-638044cfc50e", - "value": "Deep Panda (G0009) uses StreamEx (S0142)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "e32b53b5-b112-483a-8d95-56bf3f43671f", - "value": "CosmicDuke (S0050) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2d090e9d-f9fb-4f73-99df-0e17a7489adb", - "value": "H1N1 (S0132) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "976202db-cdfa-4c4e-bc09-9b3cad90e6fb", - "value": "JHUHUGIT (S0044) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70" - }, - "uuid": "71daf1fe-a979-4cbc-bb0d-4e2d6c79274a", - "value": "Threat Group-3390 (G0027) uses China Chopper (S0020)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "bd745d11-93d8-45db-8a68-08a52383375a", - "value": "Lazarus Group (G0032) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "30489451-5886-4c46-90c9-0dff9adc5252" - }, - "uuid": "5c0645e4-f0c7-4bb4-bedb-29a96a472fe0", - "value": "Turla (G0010) uses Arp (S0099)" - }, - { - "meta": { - "source-uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "0727c98a-b7e0-45ba-a20e-632d394ef422", - "value": "Regsvr32 Mitigation (T1117) mitigates Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472" - }, - "uuid": "24013fde-5ce7-4995-9d9f-d2ced31b9d9a", - "value": "APT28 (G0007) uses CHOPSTICK (S0023)" - }, - { - "meta": { - "source-uuid": "33f76731-b840-446f-bee0-53687dad24d9", - "target-uuid": "62166220-e498-410f-a90a-19d4339d4e99" - }, - "uuid": "3e9d8f68-a9c6-4be7-9639-56b64d4f600a", - "value": "Image File Execution Options Injection Mitigation (T1183) mitigates Image File Execution Options Injection (T1183)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" - }, - "uuid": "e9612cb1-79a5-4987-aa83-b84aa7fa050f", - "value": "APT18 (G0026) uses HTTPBrowser (S0070)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "854a3a7e-09a7-4523-ac7f-d625a0b50b6b", - "value": "Cobalt Strike (S0154) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" - }, - "uuid": "581f8dd6-edd4-467b-a3d5-3177870b0264", - "value": "netsh (S0108) uses Netsh Helper DLL (T1128)" - }, - { - "meta": { - "source-uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "366214ea-29b0-458a-a852-7a76420783d2", - "value": "Screen Capture Mitigation (T1113) mitigates Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "a92197a8-ec5c-4366-92af-f45078a3bfd7", - "value": "APT3 (G0022) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "bcdbb8dc-87e5-4f29-8ff2-d660e53015cb", - "value": "SeaDuke (S0053) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "b942cd55-6fed-49a1-ba05-af23836b518f", - "value": "Cobalt Strike (S0154) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "ab6a19e4-ce00-46cd-ae83-0798471e4a4a", - "value": "Threat Group-3390 (G0027) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "59261bc8-0220-4e37-8018-7a3618a5dd1b", - "value": "Rover (S0090) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "6cfd1f0f-0355-4b1a-af29-84ed992bbb71", - "value": "TINYTYPHON (S0131) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "5b3d2b2f-73f4-4fef-9cb9-b11db3eb4c4f", - "value": "httpclient (S0068) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "d16d59aa-f056-4cc7-9f67-0e80db9cdacb", - "value": "Patchwork (G0040) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "a713d0d3-2897-4da2-995f-df3a40f04b29", - "value": "NETEAGLE (S0034) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "1df7df54-c4c1-49f0-a0c3-11102db44f2c", - "value": "Patchwork (G0040) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b4b71687-5aed-4cde-ba59-c37bb5231878", - "value": "ELMER (S0064) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "1a3de27b-377c-4390-9911-2da8aaa705e3", - "value": "Binary Padding Mitigation (T1009) mitigates Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" - }, - "uuid": "e5f75ae0-45f5-48b8-938f-f0d9e17e53eb", - "value": "menuPass (G0045) uses Ping (S0097)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2eb985a1-e73e-4554-8638-2e6f27690ec0", - "value": "Sykipot (S0018) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "c7420523-7dc0-4118-a075-93f9c0268627", - "value": "HAMMERTOSS (S0037) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b4e77f71-970a-4b24-938f-0d50ecea1969", - "value": "Misdat (S0083) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "b82f51f9-74a0-43e1-b3c6-63df3a90c9eb", - "value": "BBSRAT (S0127) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a0c55c8d-6192-4faa-a5a2-1742fb5815a0", - "value": "Suckfly (G0039) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "259b878f-147e-443b-8360-aabc00cf6d73", - "value": "HTTPBrowser (S0070) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "5744b31d-6633-44ca-8170-17489fec124c", - "value": "OilRig (G0049) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "84bc4ba8-ab0e-4c60-92ed-26496a831611", - "value": "Truvasys (S0178) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9b8ff36d-ff96-460a-b5cf-d369e7f598d9", - "value": "RedLeaves (S0153) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "5682d524-80f0-4fd8-9960-6f54eeafce96", - "value": "Turla (G0010) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "39791d22-fec7-4459-8321-c9aa824d5fc1", - "value": "BRONZE BUTLER (G0060) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "896cd1de-ffa7-4f69-a981-2859cc756601", - "value": "CopyKittens (G0052) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "f2d601c9-8cc7-4425-b76f-fbc9997b55fd", - "value": "Naikon (G0019) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "62f9aa2c-b0c1-4028-a2b8-c436e30ace4b", - "value": "PowerDuke (S0139) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "11ed82c1-88af-4c23-860e-185505389288", - "value": "XAgentOSX (S0161) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "8904bd95-4844-4fe4-b6b6-47e4a4f8d85d", - "value": "SslMM (S0058) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "d35b9e63-a236-47f4-9fa8-d04719858115", - "value": "Windows Remote Management Mitigation (T1028) mitigates Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "3ef6a3fb-0d59-4ba5-b2d0-dc32d547b74f", - "value": "FIN5 (G0053) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "25e53928-6f33-49b7-baee-8180578286f6", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "ab524992-5666-466b-8c12-ec79b269901b", - "value": "System Firmware Mitigation (T1019) mitigates System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d04d6101-f6f6-42a2-8679-351956b75228", - "value": "POWERSOURCE (S0145) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "11247a95-272b-4ae2-8dae-2cd049328734", - "value": "Remsec (S0125) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1035fe41-56b9-4966-bf3b-109ae950c908", - "value": "MoonWind (S0149) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "3d4dabc2-3bee-409a-a05d-e107677cfdc7", - "value": "CosmicDuke (S0050) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "37804b22-63b4-4b24-846e-6541688d9213", - "value": "OwaAuth (S0072) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "c8db7b65-563d-47ba-9e06-cabdbade47e9", - "value": "Ke3chang (G0004) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", - "target-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee" - }, - "uuid": "d9ae86e6-377b-45d5-b32c-89776fd7755c", - "value": "Launchctl Mitigation (T1152) mitigates Launchctl (T1152)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "e603a78c-ecbc-46b2-95cc-08251c1faea9", - "value": "APT34 (G0057) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "98abda72-4760-4e8c-ab6c-5ed080868cfc", - "value": "Backdoor.Oldrea (S0093) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "b8306976-370f-403d-9983-fe3327c00709", - "value": "Automated Exfiltration Mitigation (T1020) mitigates Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "3ac3a282-e1be-45f8-8974-0a94e5d43644", - "value": "BISCUIT (S0017) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "b7601a08-a52d-4daa-acb9-2f5e3392b6c3", - "value": "ZLib (S0086) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "f72d9605-eea6-4ed4-8502-231d4c21431f", - "value": "Elise (S0081) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "b052a076-6d4e-49f5-95ac-16264ef05b1d", - "value": "HTTPBrowser (S0070) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c5fa4766-4468-4afd-9b5f-5ce4f443729d", - "value": "Prikormka (S0113) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "b9b0e376-f249-432f-a0d3-dfa259b4757a", - "value": "BUBBLEWRAP (S0043) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "22a75bbf-5490-40cb-bdb7-a0eda5e95d21", - "value": "RARSTONE (S0055) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "28b27852-4125-4639-a07b-0b97dfdb650a", - "value": "APT1 (G0006) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ea4c3651-b2a3-418e-8d3b-3c8075b988ef", - "value": "BUBBLEWRAP (S0043) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "40772ec1-2f25-425f-aad5-635f64ba8fd2", - "value": "DustySky (S0062) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "db91e39d-daa4-4f9c-a7a6-be67eba712d2", - "value": "APT32 (G0050) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ce4707f0-d5b8-4dd6-b5ab-cf1483dd236f", - "value": "Pisloader (S0124) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "3c630128-27ba-4c71-b09a-c9ac39e7acac", - "value": "Shamoon (S0140) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ef79ec2f-fd7f-4f0b-851c-d215693987be", - "value": "Credential Dumping Mitigation (T1003) mitigates Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "720cc0d6-9285-425b-bda2-3bdd59b4ea8f", - "value": "Volgmer (S0180) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "5efe685d-66a6-4f1f-8779-4aae5db859d0", - "value": "PowerDuke (S0139) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "44f230bb-b59a-4f30-8203-5e5ffd9796f5", - "value": "Deep Panda (G0009) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d7699bcf-5732-40f5-a715-d430b00b043e", - "value": "Mivast (S0080) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "60198640-1e5a-4b8e-9a69-5f275f7e0e68", - "value": "OSInfo (S0165) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "cce31baa-5862-4df5-806f-15aaa7410fa5", - "value": "APT28 (G0007) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "27a64a3a-62cb-4c1b-adfc-5070e2f1e744", - "value": "Hi-Zor (S0087) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "4ce0f95f-577c-4a02-a355-328cf376ceba", - "value": "Multi-hop Proxy Mitigation (T1188) mitigates Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "bdee01a7-16cb-417e-8d9b-c98afd445bbc", - "value": "Duqu (S0038) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "1334cbe3-8613-4279-9a1f-58781c2656a4", - "value": "APT3 (G0022) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4b45b720-a606-4c52-a28a-2ef298f9b42f", - "value": "FIN6 (G0037) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "7a892ca0-f915-4dc1-817a-cdcfb6777f28", - "value": "USBStealer (S0136) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43", - "target-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff" - }, - "uuid": "0fe893d6-a52f-4828-a792-eeb6a3e4f979", - "value": "Hidden Users Mitigation (T1147) mitigates Hidden Users (T1147)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "a73f9ed3-7f51-4709-a63f-f5ef59aa25cf", - "value": "Threat Group-3390 (G0027) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "0bd9fd2b-e2f7-48f1-8988-31c041691585", - "value": "Trojan.Karagany (S0094) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "229e8b6e-6c16-406a-8def-7588aaae4fcb", - "value": "Uroburos (S0022) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "f6cb3957-be7f-41bf-ad44-3dfbd7a5dfe2", - "value": "Reaver (S0172) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "059f8b03-59f9-45da-9c12-862f50e5fe45", - "value": "FIN10 (G0051) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "5576c38e-6b03-4ea9-8936-60eeddb749a7", - "value": "StreamEx (S0142) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "deafd60c-af1a-40eb-bc43-287b37553fae", - "value": "PlugX (S0013) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "5cd8b8a9-fd11-4405-8369-b12398b94def", - "value": "AutoIt backdoor (S0129) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "12455fe5-42dd-420e-839e-8a96886488f7", - "value": "Net (S0039) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "910482b1-6749-4934-abcb-3e34d58294fc", - "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" - }, - "uuid": "65a4317d-86b2-40c1-9d27-a067bcc2ad80", - "value": "Distributed Component Object Model Mitigation (T1175) mitigates Distributed Component Object Model (T1175)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "f29a3a93-e697-4d6f-8087-eec72856bae5", - "value": "CHOPSTICK (S0023) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "20c7d1a2-be94-4f58-83a9-7eb9e05c4449", - "value": "FIN6 (G0037) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "33630ee4-24dc-4339-b29f-3d8b39e7daae", - "value": "SHOTPUT (S0063) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "1f7b17e9-9ad3-42dd-ab92-e3afe752247b", - "value": "FIN7 (G0046) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "6e641c36-188b-480e-b177-e412cd000b34", - "value": "Mimikatz (S0002) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "f76355cb-9aa5-403c-aae4-8faed799ac31", - "value": "Skeleton Key (S0007) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "92b34cc0-b059-4294-824f-bb92298f3ae6", - "value": "Daserf (S0187) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "6e366a30-cf75-4a47-855f-91a006014ada", - "value": "APT1 (G0006) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - }, - "uuid": "ab9b78cc-2b83-4074-beeb-0af4aad906d3", - "value": "APT32 (G0050) uses Cobalt Strike (S0154)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "6c8303dd-6ecc-47ea-abd6-6d5b2e557d96", - "value": "XAgentOSX (S0161) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0d328be7-85d2-4558-a4e3-cc5ce8bc7e2e", - "value": "ADVSTORESHELL (S0045) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "e7baabf7-9300-432d-aa78-000ac099d4d3", - "value": "Wingbird (S0176) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "99c0cda4-91b1-4845-9891-9a4b89c128f9", - "value": "APT3 (G0022) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "5b650388-4ab3-4c56-a69e-df7eba7f0756", - "value": "Hi-Zor (S0087) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "5ea36f9f-f5b6-4494-be0a-061058d6b1f1", - "value": "APT28 (G0007) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "12cc7738-bb90-4e77-a96d-8e4f312e07d4", - "value": "LOWBALL (S0042) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "a7cb0193-e854-4361-b1a1-fc4e68354c59", - "value": "Derusbi (S0021) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "3f02c07f-663f-4c54-b7e0-c2b2dbe82335", - "value": "ZLib (S0086) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "75b383eb-5483-4c44-a721-ee1cffa6edb7", - "value": "FIN10 (G0051) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee" - }, - "uuid": "eeae630c-0c58-4397-90fb-05f5b60b720f", - "value": "APT29 (G0016) uses CosmicDuke (S0050)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "f4865a5c-c17c-408a-94de-2feac0d006fd", - "value": "Cobalt Strike (S0154) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7c3b845e-56ca-4580-b060-a3fa42b86a86", - "value": "Duqu (S0038) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ea6289bb-c974-4e4c-bdc4-1c3211a6d1d4", - "value": "Emissary (S0082) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2fe9c7cf-44aa-495b-bde6-80cbfc4fbed9", - "value": "Regin (S0019) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "47f611f4-b9f0-42ef-9629-ee4a56e737ed", - "value": "WINDSHIELD (S0155) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "782da600-bc3b-4dae-89d1-4a79522bed02", - "value": "Stealth Falcon (G0038) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5c84cfe2-a395-47c6-831a-4491f8585a00", - "value": "Prikormka (S0113) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "05352dad-ecbb-477c-a05c-5eb3d67ae9ae", - "value": "FTP (S0095) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "5de21fc4-c460-4da4-9dc4-2acdd54640a8", - "value": "APT29 (G0016) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "24bce281-7858-4a42-bfd6-601800fb63f7", - "value": "Remsec (S0125) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "131fde9c-7a83-4603-9c1e-c41f815fb14c", - "value": "Remsec (S0125) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c" - }, - "uuid": "7243a679-467e-4c31-b413-547016b9c3ad", - "value": "APT29 (G0016) uses MiniDuke (S0051)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" - }, - "uuid": "1c5b8ff2-400a-4e0f-a819-3cc8f1bc76b8", - "value": "Mimikatz (S0002) uses Private Keys (T1145)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "4aa62b6b-7441-4ece-9cb0-2a5bcb46f966", - "value": "menuPass (G0045) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "b1df64c9-782d-4452-8c4a-5ef933503c13", - "value": "ISMInjector (S0189) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "5bad7b38-36b5-4208-9895-e4a113c511a3", - "value": "Darkhotel (G0012) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "8e82a523-fc73-4f3b-98dc-3b1e7199cd93", - "value": "OLDBAIT (S0138) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" - }, - "uuid": "46f301cd-8ae3-431a-931b-df4bb4fee271", - "value": "Remsec (S0125) uses Password Filter DLL (T1174)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "9fe01f98-e0b3-4749-b9a6-eb10c216c548", - "value": "BLACKCOFFEE (S0069) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b" - }, - "uuid": "cf467be5-c162-4763-801b-32cb57a514ef", - "value": "APT1 (G0006) uses xCmd (S0123)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1b4ee147-dc39-43d2-b468-fcd308e6cbae", - "value": "StreamEx (S0142) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "c0905059-1f3c-414c-8027-b8ec2e4b3c89", - "value": "Duqu (S0038) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", - "target-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72" - }, - "uuid": "2e5931ef-cc28-49e8-b0c1-7705227ee5cf", - "value": "Sudo Mitigation (T1169) mitigates Sudo (T1169)" - }, - { - "meta": { - "source-uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a34d1e30-dcf5-4743-93e5-e4834e980f0f", - "value": "Commonly Used Port Mitigation (T1043) mitigates Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "35ae6625-8563-493c-8950-1230bd0fd122", - "value": "Pteranodon (S0147) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1f99a883-e78f-423d-9837-2b5ebb14fe63", - "value": "Matroyshka (S0167) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "1b45f3b5-b7a4-4424-a8ff-1b1f1c1a55d9", - "value": "Threat Group-3390 (G0027) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "f3bbff8f-5f4b-40aa-a55f-e3880a582868", - "value": "KOMPROGO (S0156) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "533deac3-2f27-4256-bb11-7d68d8824d47", - "value": "POWRUNER (S0184) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab" - }, - "uuid": "92c68b65-18b8-44e9-a368-692048ba9611", - "value": "APT28 (G0007) uses XTunnel (S0117)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "98aeed7c-e88b-4c5b-8e8e-21ee3534abe9", - "value": "H1N1 (S0132) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "4da943df-a7dc-499f-a8b7-ca8d298d8ff6", - "value": "admin@338 (G0018) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" - }, - "uuid": "75c3b5f6-a0ca-4afc-baad-ef19ed4317b3", - "value": "Threat Group-3390 (G0027) uses HTTPBrowser (S0070)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "290c0a54-2702-4d6e-97db-1eafa9a7a1f3", - "value": "Cobalt Strike (S0154) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "6f991c49-462a-4cb8-8096-15c77f7ccace", - "value": "Exfiltration Over Alternative Protocol Mitigation (T1048) mitigates Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "5697b245-d888-40ab-af72-9236c6daa273", - "value": "BACKSPACE (S0031) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e64a09d0-4205-4aca-8acb-f6926233d107", - "value": "Prikormka (S0113) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "a83992e1-5be5-433e-b3f1-d9ccde98c9ca", - "value": "OwaAuth (S0072) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "04ba0d26-d931-423e-a3de-713892c0af97", - "value": "P2P ZeuS (S0016) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "a8aac75d-ef58-4dda-97a8-9584a6a6baaf", - "value": "Wingbird (S0176) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "02a7ea5c-695c-4932-9160-6e0441789670", - "value": "SeaDuke (S0053) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3bf633d0-5578-4e3a-a599-52f3946f6623", - "value": "Reaver (S0172) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "e1592867-e02f-4c1f-a9f2-1c60e25a1301", - "value": "Stealth Falcon (G0038) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "2482623f-65a7-4da5-8cb2-64279319e3dc", - "value": "Shortcut Modification Mitigation (T1023) mitigates Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "f5a175ba-ed26-44f8-9828-c2aa0e1f7d86", - "value": "BlackEnergy (S0089) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "f0d218a3-9f7b-4f21-aa4a-34dc25f05b61", - "value": "netsh (S0108) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "f0b00a47-9d63-4d05-b771-022a21a4ed06", - "value": "PowerDuke (S0139) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "9cf37d0b-a23d-4514-961d-94d1cc6e2bef", - "value": "Prikormka (S0113) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "c93bb2b9-bd22-4e14-b884-2141168387b2", - "value": "Pteranodon (S0147) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "5f055076-79d1-44e8-95cb-43fc515df2f6", - "value": "Lazarus Group (G0032) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "108a1655-faba-4016-a276-c224665cb5c4", - "value": "gsecdump (S0008) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "0c78e3a7-45c5-454f-8905-a831fbede841", - "value": "FIN6 (G0037) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "991c16bd-c17b-479a-8f45-385467323c0a", - "value": "BACKSPACE (S0031) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "91af9744-413c-4e9c-bfdb-a9ca167e9bb5", - "value": "Web Service Mitigation (T1102) mitigates Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "7985b09e-9241-489c-a0f2-45a6f5c782f1", - "value": "pngdowner (S0067) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "ab51525b-93c6-4ea8-bd83-b9547f1317bb", - "value": "APT29 (G0016) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a2a31eb7-0b22-416c-b12d-e52e5f37f8b8", - "value": "BADNEWS (S0128) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "e2b4bcf2-58a6-49ed-bc72-21226ff419bd", - "value": "TDTESS (S0164) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "3c3f26b3-d676-4e17-adca-2a8ea4643148", - "value": "Valid Accounts Mitigation (T1078) mitigates Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "cd79beea-20ee-4b4f-aad1-5cc34d27398c", - "value": "Turla (G0010) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c1421d39-cb5d-4bac-a931-9c641066c0fd", - "value": "Sykipot (S0018) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c954a1f5-c925-4c5c-ad64-62545dfbe383", - "value": "route (S0103) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "9066dcee-7c80-429c-a5cc-77458e891349", - "value": "menuPass (G0045) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46" - }, - "uuid": "96235e56-e55a-4146-a9a6-956f8f1f7dcf", - "value": "APT34 (G0057) uses POWRUNER (S0184)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "9b7bf5d9-23a0-4190-80c0-b27b906bafcc", - "value": "APT3 (G0022) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "56d858ef-2d62-4aa9-b050-699de9b048e9", - "value": "MobileOrder (S0079) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "64a17aba-5182-4666-bd37-dafa9d835fe8", - "value": "Lazarus Group (G0032) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "23dca74f-2b3e-46c0-b7a3-9d9eab932f58", - "value": "Cobalt Strike (S0154) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "d200ba08-8179-495e-a854-9b13be5c0f93", - "value": "Emissary (S0082) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e20b57e5-c010-4b9e-a04e-660daa8b5c87", - "value": "Sowbug (G0054) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "6deeb486-90c3-4279-8549-17c81ea2466b", - "value": "Elise (S0081) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "febbf503-d7e5-4896-90b9-35b6a811b19b", - "value": "APT3 (G0022) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "2902ccff-873a-4ebc-bdf4-caaae629ae9d", - "value": "Volgmer (S0180) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "047ee6d3-1b85-4a0f-96a6-6ead4be43548", - "value": "Night Dragon (G0014) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "3e7c9978-4db1-4ee1-ae27-640acee5a543", - "value": "CosmicDuke (S0050) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "a56aafe6-4a54-4ce5-b927-8b56826b3445", - "value": "Matroyshka (S0167) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "5f3eb1ae-782e-4e49-8e1e-650f3e5a1139", - "value": "Sowbug (G0054) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "3fb836b7-41cf-40d1-bd56-14e45e6bbd02", - "value": "OilRig (G0049) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" - }, - "uuid": "019eb3cf-35df-4109-a006-1b91331866c3", - "value": "Wingbird (S0176) uses LSASS Driver (T1177)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2fb450c6-e236-4b81-b5ac-a9d4be0cf167", - "value": "Gazer (S0168) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2c158663-599b-45a8-b946-6d545206428d", - "value": "Emissary (S0082) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "7f1c30eb-051f-4d1a-9d81-1ee46f7779c7", - "value": "Mis-Type (S0084) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "12daddcc-b964-485e-8c2d-10f554d78bcc", - "value": "OilRig (G0049) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "9a62c02a-e373-494e-af73-f8b3274e8c9b", - "value": "Komplex (S0162) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "aec0a948-428f-4327-b466-a0472da12928", - "value": "Threat Group-3390 (G0027) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "85bddba6-3848-4d2d-a4fa-4c4b71274a02", - "value": "Install Root Certificate Mitigation (T1130) mitigates Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "1ae1ce05-3db2-4a97-8e58-0ed3d65d9d22", - "value": "Carbanak (G0008) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "8b0e9de1-a7b0-479e-aee7-76f2549508c6", - "value": "BLACKCOFFEE (S0069) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "1da0f3c7-d9e2-4379-a84c-782fc94a75d5", - "value": "Accessibility Features Mitigation (T1015) mitigates Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" - }, - "uuid": "0ead6cee-20a4-46fb-a9c1-8686a776f455", - "value": "Naikon (G0019) uses FTP (S0095)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "b3a9c32f-c6d0-46d4-8936-dd4fec61d305", - "value": "Patchwork (G0040) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "2ade8c03-2395-4175-9a22-8541836f27cd", - "value": "ChChes (S0144) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "16043223-3846-4138-93d0-671339ba3646", - "value": "NETEAGLE (S0034) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "8d5d9206-a213-465d-b384-6152eb2796a0", - "value": "POSHSPY (S0150) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "11bc3d01-fc44-415c-b5a3-5576f5cb6057", - "value": "T9000 (S0098) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "069e82d5-89f2-4477-a1f5-115be8ab040a", - "value": "DLL Search Order Hijacking Mitigation (T1038) mitigates DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "4a0887ab-3ec3-436a-b378-6e28847dfb1e", - "value": "APT29 (G0016) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "6592447f-31c8-46d0-8e88-47584fa301f0", - "value": "SOUNDBITE (S0157) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "9691a6a8-12d0-45a7-8217-11d1793234cb", - "value": "Redundant Access Mitigation (T1108) mitigates Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c28d6f10-431f-493c-8abd-918240c5c970", - "value": "System Information Discovery Mitigation (T1082) mitigates System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "3325e625-d76b-42df-b952-749dabb57517", - "value": "Turla (G0010) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f4902ad9-b1bb-41ce-a448-55e2d9437503", - "value": "RedLeaves (S0153) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "89433640-bf49-48b3-9f26-76423cd36f77", - "value": "Hacking Team UEFI Rootkit (S0047) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "2083aef8-4d72-4bef-8cbc-33f2c5f4a176", - "value": "Exfiltration Over Physical Medium Mitigation (T1052) mitigates Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "be20faa9-64bf-4a65-86c2-dc12f5695d22", - "value": "Cobalt Strike (S0154) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4" - }, - "uuid": "6a87ff58-10b1-4fbc-a633-d7d8a34d1b29", - "value": "Turla (G0010) uses Uroburos (S0022)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "95047f03-4811-4300-922e-1ba937d53a61" - }, - "uuid": "a8122755-90fe-4b68-8fa1-55ed7be90931", - "value": "Axiom (G0001) uses Hikit (S0009)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "7f78df2e-e6e9-43f1-815b-58e4a10fc594", - "value": "APT29 (G0016) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "8d4effdd-6d91-473d-aa81-d121f1c77881", - "value": "SslMM (S0058) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "a2423ac3-94b4-4936-962b-06562115cb70", - "value": "Net (S0039) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "aeaa2f37-4014-4313-9fe2-8616b352a90c", - "value": "TinyZBot (S0004) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "617fe29d-ac48-4cd0-ae8c-19cf7cfdbedd", - "value": "NETEAGLE (S0034) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" - }, - "uuid": "ae1de9c5-6bc0-459a-b4ca-568139a5ee41", - "value": "OilRig (G0049) uses Helminth (S0170)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "33caa1a2-8465-47b9-89c4-94f4e9a899c7", - "value": "OwaAuth (S0072) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "35d35ecf-1326-4690-b105-23280e29c120", - "value": "CORESHELL (S0137) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "ade72dc6-559e-4a84-9024-1a862faec6a0", - "value": "FIN6 (G0037) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "7cbedb9a-666f-47eb-b70e-905bcf80940a", - "value": "BACKSPACE (S0031) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e8d22ec6-2236-48de-954b-974d17492782", - "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" - }, - "uuid": "196a2d37-4b87-465d-8d92-2e614cda869c", - "value": "Two-Factor Authentication Interception Mitigation (T1111) mitigates Two-Factor Authentication Interception (T1111)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "aad1cfa0-0df0-4768-87c2-5e59da2c5e44", - "value": "RTM (S0148) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d8a7ec97-b262-489d-bc4b-e2c7007f75bc", - "value": "Psylo (S0078) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "4c06e313-2cde-494c-a8dc-449649a1afa6", - "value": "Lazarus Group (G0032) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "7ed93170-2dba-4e59-b0f0-7c716c73bdc0", - "value": "PittyTiger (G0011) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "552ac18c-4fac-4cb0-aefc-811a10e1c320", - "value": "Lazarus Group (G0032) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "121a09bd-f603-4476-a149-a3cba52f268c", - "value": "Rover (S0090) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "062b1f19-2afb-4bdc-908e-99594ff114cf", - "value": "Epic (S0091) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "11ebf3ff-b184-4010-b238-951e041370db", - "value": "APT34 (G0057) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "37f94533-8fbe-48d2-bf4f-f825ad75ff98", - "value": "BlackEnergy (S0089) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "94b4de9a-1f83-4923-8d4b-e9bafdb1bef9", - "value": "RTM (S0148) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "103f1ad4-feec-4be3-9da7-ee0b2503c318", - "value": "ADVSTORESHELL (S0045) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "283e242a-72d4-4b40-8905-888595c34919", - "value": "BADNEWS (S0128) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "2c0fe330-edcf-4519-a577-c3c9b086d60a", - "value": "Remote Services Mitigation (T1021) mitigates Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "17629f20-194c-48cb-aa1c-b3da2b6f06ba", - "value": "CosmicDuke (S0050) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "4cc8afb8-86ab-4537-926f-3178975a7886", - "value": "menuPass (G0045) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", - "target-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76" - }, - "uuid": "fcf18dc5-8ac0-4ae7-84b9-c47ebd468022", - "value": "Process Doppelgänging Mitigation (T1186) mitigates Process Doppelgänging (T1186)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3264e1db-0f54-4049-a45c-3a03a24709aa", - "value": "XTunnel (S0117) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d2d9a619-4379-4e15-9115-40ca9209f316", - "value": "Backdoor.Oldrea (S0093) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "51c5e624-d08e-4750-91f9-fdc98ec56552", - "value": "MoonWind (S0149) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "b35a5218-e64d-49b5-a37d-6390edddece6", - "value": "Disabling Security Tools Mitigation (T1089) mitigates Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "de840f88-b9d0-4f7e-b5c0-b666faa2d92f", - "value": "FIN6 (G0037) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "03c08ef9-80c7-4f20-b197-ad44f702f2e0", - "value": "Daserf (S0187) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "805f7ba3-a904-410c-b9fd-20356c595b19", - "value": "BBSRAT (S0127) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "a24299ed-9735-453c-bd13-66269b2d5d16", - "value": "OilRig (G0049) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "343d285a-e910-487b-8e85-dc87cdb63be3", - "value": "APT29 (G0016) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "5c38fba7-20c6-4872-ad05-21f0f77e0820", - "value": "APT34 (G0057) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "2f68f61d-07e1-4181-a26c-93433f9f0db7", - "value": "CopyKittens (G0052) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "1b143de7-af2d-4991-9e2e-aa85a8d7d330", - "value": "APT28 (G0007) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7331b11d-1d5e-4275-ba7e-a83ec4a59259", - "value": "CosmicDuke (S0050) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "d57dd9d9-d075-48c4-ae54-ed0aeae575de", - "value": "BRONZE BUTLER (G0060) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ce424541-5cfa-4885-ad62-f3f70fa27099", - "value": "TDTESS (S0164) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "db8f1355-57f0-446d-a261-b168497b20c6", - "value": "BADNEWS (S0128) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "6bf4098c-7667-44df-bdaa-076b9099f851", - "value": "PlugX (S0013) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca" - }, - "uuid": "13aa912e-bb51-4293-a971-9179442d516a", - "value": "MONSOON (G0042) uses TINYTYPHON (S0131)" - }, - { - "meta": { - "source-uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", - "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" - }, - "uuid": "af088283-7416-466d-86f3-8b55e6d698d4", - "value": "Password Filter DLL Mitigation (T1174) mitigates Password Filter DLL (T1174)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a8f11c39-df96-451e-a93a-417512f82819", - "value": "RedLeaves (S0153) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ecb5e830-b678-47a6-98a2-d4dbe162f09e", - "value": "PHOREAL (S0158) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "396287ea-36d9-4d84-bf22-af559eb20f58", - "value": "Pass the Hash Mitigation (T1075) mitigates Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "9f852541-3fc7-4036-9268-7bc6bfe94900", - "value": "EvilGrab (S0152) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "32ba984e-dbe9-4a8a-a1b7-16ba560d31d5", - "value": "Standard Cryptographic Protocol Mitigation (T1032) mitigates Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "489e5386-b177-455f-a8b3-d3c6e7afb9b1", - "value": "Threat Group-1314 (G0028) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "33e0178f-c9b2-43db-9e63-3e664ae6bef0", - "value": "Prikormka (S0113) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "72d6fe7e-ba33-4117-8153-64226f189ed2", - "value": "OilRig (G0049) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1879905d-a4f6-43a7-aafe-a7e436e5c559", - "value": "Prikormka (S0113) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "0191f3d3-59d3-4fcc-bfff-5fbfa0675cfd", - "value": "SeaDuke (S0053) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b1ee5cba-d4e0-4af0-aa5c-5faacfdb0dbc", - "value": "Command-Line Interface Mitigation (T1059) mitigates Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "10c33088-630e-456d-ad0f-8a63be4d3946", - "value": "Sykipot (S0018) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "bdba5fef-c560-4b8a-9ce5-616395a73841", - "value": "Taidoor (G0015) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "de979692-5ca5-4874-bfc8-91cea8697ef1", - "value": "APT1 (G0006) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "6f448f20-0349-4132-80ec-d46e94d52426", - "value": "ADVSTORESHELL (S0045) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "337dc23f-d825-415d-886b-53c3457fbd56", - "value": "APT29 (G0016) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "50f39180-6e5a-476b-b18f-d4e09e83c9d9", - "value": "Pteranodon (S0147) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "de168dd4-3c59-4fa4-901a-911b1ee81a31", - "value": "BlackEnergy (S0089) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765", - "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" - }, - "uuid": "66a16f64-8c0d-4647-8589-83ea8ef4fbd3", - "value": "Forced Authentication Mitigation (T1187) mitigates Forced Authentication (T1187)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "afa1f53f-abd9-4e57-b4e1-4e161dd34e9b", - "value": "POWERSOURCE (S0145) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "2dec6ce1-e459-4266-86d5-f336ab056f17", - "value": "BACKSPACE (S0031) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704" - }, - "uuid": "16fd44bf-405b-49c1-96d7-0cacb5d65e74", - "value": "Cleaver (G0003) uses Net Crawler (S0056)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "8087d99b-cc05-4e2a-abce-687eb726a9e7", - "value": "Magic Hound (G0059) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "3ded5760-4f2e-41f5-a2c5-f2b39eaf5733", - "value": "Shamoon (S0140) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "f44478f1-fdd7-4e84-8b96-60e6c6a10683", - "value": "Reaver (S0172) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c4d77981-d2e4-4a12-8e52-5b7464cdc8fd", - "value": "POWRUNER (S0184) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "b640dfee-9502-4ffb-92e4-f153f8726383", - "value": "SOUNDBITE (S0157) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "25cb2c8f-79d2-4157-8329-fb86caaca0c3", - "value": "LOWBALL (S0042) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "3eb29574-145d-4d4a-b4c6-e94b8a79781e", - "value": "DustySky (S0062) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "9a7ff784-436b-40c5-bfb0-25e02e1d9940", - "value": "DustySky (S0062) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "c593abb1-54ce-4196-a11f-f1dd65fed9aa", - "value": "System Time Discovery Mitigation (T1124) mitigates System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "dbb1d0eb-c7ee-4794-80d4-66e6281cbc63", - "value": "CallMe (S0077) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "e8d2c3f1-7c86-438c-bead-6a86f9a36463", - "value": "XTunnel (S0117) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "14b70990-48b0-482b-bd5a-3a99d9d9a653", - "value": "POWRUNER (S0184) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "fb9cf04b-ad28-472a-9ee3-a2e744e0e122", - "value": "ZLib (S0086) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d43315b0-d708-4197-b3ed-0a0b1199e434", - "value": "3PARA RAT (S0066) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "82268341-e0a8-4937-8618-351e147daa0c", - "value": "Wiper (S0041) uses Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "2eaea386-ee0f-42c4-bca1-ce2d22062f98", - "value": "PlugX (S0013) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc" - }, - "uuid": "eb9366d5-2bd1-4d0b-8f55-2305827c20d1", - "value": "APT34 (G0057) uses certutil (S0160)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "8c58cfe5-0b71-434c-939a-329b612d2337", - "value": "Lazarus Group (G0032) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "553dbb57-1174-494c-9cfd-dbc83ecc74f6", - "value": "USBStealer (S0136) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "0471088d-7b45-4fec-8946-ae5bf463286b", - "value": "Pteranodon (S0147) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": "437dd20a-234f-430b-b9ee-4524e1e12aa9", - "value": "Naikon (G0019) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "86c9bd0f-4251-4103-9be5-65079750c495", - "value": "Shamoon (S0140) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "8467ea5f-cb0d-4eb6-b524-8bfd01e58721", - "value": "Dynamic Data Exchange Mitigation (T1173) mitigates Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "98b7d901-4ede-451f-bab8-3b2b37c56bfd", - "value": "Prikormka (S0113) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "5ebd97d4-1979-40b2-b38b-b6ed44a2f32f", - "value": "CloudDuke (S0054) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a", - "target-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf" - }, - "uuid": "edb697fa-d6b2-400a-acad-ccacc38c87c0", - "value": "Hidden Window Mitigation (T1143) mitigates Hidden Window (T1143)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "166326b3-6864-4667-aee9-4d7b24cc75d8", - "value": "OilRig (G0049) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "f653eb7d-7027-4161-9071-b52336bd4fbc", - "value": "SeaDuke (S0053) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "e68684df-28b4-4f06-b553-cacf14866605", - "value": "ChChes (S0144) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "77c63e89-71fe-47e3-babb-13e7722932ad", - "value": "MoonWind (S0149) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "fb0aef48-57f5-4331-acdd-25fdfdf1babb", - "value": "S-Type (S0085) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "266a5edd-1425-4ab1-88bf-a0d7897699eb", - "value": "Sakula (S0074) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "87ddc052-0933-4722-9fb2-4653c4a3663c", - "value": "APT3 (G0022) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "3a2d591a-f918-44b3-9e75-7520906b9aa3", - "value": "menuPass (G0045) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7e55e411-230e-4d1a-a780-d07784ed2cd6", - "value": "Mis-Type (S0084) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "4f3473a4-f5f5-43d8-a4ec-589763695942", - "value": "Derusbi (S0021) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "02b9b0b1-5e7d-42dd-ae8c-68d126a8c3cd", - "value": "APT34 (G0057) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9b203f00-34db-475f-a28b-f5088d937f4e", - "value": "Sykipot (S0018) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "c35702f8-f13f-4851-9cfc-1eea526bd6e1", - "value": "PlugX (S0013) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "f9c7d0e1-135f-4e21-8251-3049bc24c18d", - "value": "BADNEWS (S0128) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "8e7ff07b-7a32-4ced-ac22-b523586dbde3", - "value": "Remsec (S0125) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "6c0aae73-fe06-4aa3-8216-568d78747c6d", - "value": "BACKSPACE (S0031) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "34c4b497-00e3-415c-8e09-3b73667d9bbe", - "value": "HAMMERTOSS (S0037) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "dd89d8a2-257a-47f9-8b55-8011ca53007b", - "value": "T9000 (S0098) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "1762fe5a-0810-4179-bfb0-16d965ffe055", - "value": "HTTPBrowser (S0070) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4a70e764-5c19-4c8e-97e4-486af893cbfc", - "value": "3PARA RAT (S0066) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "bd315928-0b74-491c-b526-ee5e1841842b", - "value": "Derusbi (S0021) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "438cae9c-cb03-4db9-ae59-24ed27147725", - "value": "Nidiran (S0118) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "0d989c2e-0207-4412-b52a-5d9bf9f96d18", - "value": "PlugX (S0013) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "9bc7f2ff-7ba1-42f4-9e96-2112e99ab12a", - "value": "ChChes (S0144) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "d6154157-fe69-4da3-8cc3-790eecf33f8c", - "value": "HALFBAKED (S0151) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" - }, - "uuid": "2b469307-a635-4392-a18f-ed1f24b3a684", - "value": "Cobalt Strike (S0154) uses Distributed Component Object Model (T1175)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "611cb6eb-efdb-4d74-b354-5064ab52bd34", - "value": "Duqu (S0038) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", - "target-uuid": "086952c4-5b90-4185-b573-02bad8e11953" - }, - "uuid": "94db2b6e-c01c-4aec-9229-4a6dcda3c6ee", - "value": "HISTCONTROL Mitigation (T1148) mitigates HISTCONTROL (T1148)" - }, - { - "meta": { - "source-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "ecd83e69-2eb1-4c2d-a01f-e42ea8f807f9", - "value": "UACMe (S0116) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "e68ff1c2-ef03-486b-96df-167a1652a97b", - "value": "Helminth (S0170) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "292b2a10-ebee-4fbb-b359-2eee16aa46ba", - "value": "CopyKittens (G0052) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "66eb9cc1-4eb4-4b84-8140-bd48da33e93d", - "value": "Cobalt Strike (S0154) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "82b679af-7408-4f41-8fc0-5b0cf5993726", - "value": "Suckfly (G0039) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "bbd29878-c16a-45ee-9785-78550f080d83", - "value": "menuPass (G0045) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "e3e841fa-b806-4c22-9f98-a97950b68931", - "value": "USBStealer (S0136) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "1fe875f1-89b6-447b-9d96-63c0cebecb9b", - "value": "APT34 (G0057) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "38a72b32-dc04-493d-8b92-31174c32f3ed", - "value": "APT1 (G0006) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "86ebda8c-df0c-4d76-970b-27bf392606a7", - "value": "Gazer (S0168) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "6b11697f-be6c-4cd7-b445-4d277a8d7346", - "value": "Winnti (S0141) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "70a1cab8-dd98-4b82-9f7f-36294e3889c0", - "value": "Misdat (S0083) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "090a553a-b863-4214-aa3b-cf8ea7ba2d68", - "value": "ADVSTORESHELL (S0045) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "cd70a632-a961-4adb-aea9-9995ef8e2b54", - "value": "Matroyshka (S0167) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "272068a3-47e3-42d6-8772-71d39c1976c3", - "value": "Shamoon (S0140) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "f108215f-3487-489d-be8b-80e346d32518" - }, - "uuid": "63841959-afe2-4cb0-a93e-d407eb1b8d66", - "value": "APT28 (G0007) uses Komplex (S0162)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d7c5e4f4-cede-4a81-b46f-035b9e702e61", - "value": "BRONZE BUTLER (G0060) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "9dfb7899-20af-4eea-bfca-f608d885cb00", - "value": "Turla (G0010) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "c948f964-e26c-4226-9577-7b78b5bf271f", - "value": "APT3 (G0022) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "dc7cb17d-c3d3-4c3c-b79e-499cede49baa", - "value": "Threat Group-3390 (G0027) uses Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2fbcd38e-0ec9-4f2d-823b-3654f108f3a3", - "value": "Dragonfly (G0035) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387", - "value": "Indicator Removal from Tools Mitigation (T1066) mitigates Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "8ebab956-4440-4fd7-96ff-8da29e0f0b46", - "value": "Stealth Falcon (G0038) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "84fcda4b-e58e-4ecd-8366-77d464e043ee", - "value": "NETEAGLE (S0034) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "321544e0-902c-443e-adf9-d7e78f0e4d13", - "value": "Unknown Logger (S0130) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "8c9f23e6-2665-45b3-9c28-53a9335b16ce", - "value": "LOWBALL (S0042) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "b2cf6651-3f2c-4522-9360-dbc5c7af43c5", - "value": "Remsec (S0125) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "1ce50a6a-5f0b-40ca-9a71-41369ae3fdcd", - "value": "Remsec (S0125) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "2d840d1b-28d7-4387-86fd-6d3df8650171", - "value": "BRONZE BUTLER (G0060) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "054a22c3-f0ee-476a-b0cb-e3277c755032", - "value": "BlackEnergy (S0089) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "7fd6c479-00ae-478d-a29b-fc40619eea97", - "value": "BBSRAT (S0127) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "10c6cc56-a028-4c2a-b24e-38d97fb4ebb7", - "value": "NetTraveler (S0033) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "3cd8ef78-9d92-4e28-97ae-5bd6c698bfec", - "value": "Cleaver (G0003) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "e6f5bde4-869f-4c9a-9414-11ea48386204", - "value": "CORESHELL (S0137) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "a48e7d01-012a-4336-9676-0f34e8501e22", - "value": "FIN10 (G0051) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "bfd49393-75b6-4e67-af74-4bf3c87624b0", - "value": "FakeM (S0076) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" - }, - "uuid": "aef7fe44-f381-41d5-88af-f04135e3aeab", - "value": "Responder (S0174) uses LLMNR/NBT-NS Poisoning (T1171)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "e9595678-d269-469e-ae6b-75e49259de63" - }, - "uuid": "238a7a2c-34db-4f43-a94b-4a6ad225129d", - "value": "MONSOON (G0042) uses BADNEWS (S0128)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4438ba64-0cd2-46e9-8a67-c685bf9b404c", - "value": "Sykipot (S0018) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "7db7f665-6e29-4789-8a3d-d6cb8d0af31e", - "value": "GCMAN (G0036) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "6d562520-86bb-4251-9431-a4958bec097c", - "value": "SEASHARPEE (S0185) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "596c4579-14ea-4c1f-9503-cf47693f18a8", - "value": "Dragonfly (G0035) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3b32f3be-5bdd-4de8-9e39-83b0b8c1e70f", - "value": "FALLCHILL (S0181) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "384c75e4-04e7-4ff8-9da6-0c8a03cb7a61", - "value": "Sakula (S0074) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "f6d23c00-158e-4e39-bf9b-f18344cd0151", - "value": "RTM (S0148) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "eede138c-9745-453c-a8b5-684b696c2ad0", - "value": "Connection Proxy Mitigation (T1090) mitigates Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "bab6aadc-7a93-43e4-88cb-904fd1f2fddd", - "value": "menuPass (G0045) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "49f2c182-bd69-4874-9102-b5fd1acac59c", - "value": "Ke3chang (G0004) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "42d4ae64-75da-4dfd-b23f-d270252115ee", - "value": "Patchwork (G0040) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "6476b9fe-dc7f-4578-a39d-beebc8390af2", - "value": "Strider (G0041) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "c8d0e862-20af-4f9f-84e8-0419c8080008", - "value": "SeaDuke (S0053) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5" - }, - "uuid": "3dd745f5-1c0c-4376-8850-89679fcd4e31", - "value": "menuPass (G0045) uses RedLeaves (S0153)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c74cbdc5-e454-4b22-957e-926854dd37f1", - "value": "Felismus (S0171) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "318afc9f-92f3-4262-af70-b2e045b87737", - "value": "admin@338 (G0018) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "47109a67-e1af-4f5c-8c58-c1580ff5c6ec", - "value": "Regin (S0019) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c6606ced-4641-451f-ac2a-493b1d15d0aa", - "value": "RTM (S0148) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "a0500766-a6ba-4672-b7fc-2a712cd0cfca", - "value": "ISMInjector (S0189) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "70f3eaca-179d-4412-ad32-c4e3cf60c27c", - "value": "Axiom (G0001) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "4b521c7b-c66b-4bbc-847e-d6a13e9ae62c", - "value": "Naikon (G0019) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "06824aa2-94a5-474c-97f6-57c2e983d885", - "target-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9" - }, - "uuid": "ab6dbf38-dfed-4bfa-9d7d-bbe6864f82d3", - "value": "Login Item Mitigation (T1162) mitigates Login Item (T1162)" - }, - { - "meta": { - "source-uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "338cf92d-43a8-4fdd-948d-1a3bde10d917", - "value": "System Service Discovery Mitigation (T1007) mitigates System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d4f48744-0564-4ef3-bdae-421076912495", - "value": "Cobalt Strike (S0154) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "fe0c8388-46fb-4064-9837-56a23339ffaa", - "value": "ChChes (S0144) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "40c202ae-fd92-4506-b72a-5fb0e7bcf99a", - "value": "Trojan.Karagany (S0094) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "8c359d18-06fc-4db1-9b58-6e85fa563066", - "value": "BADNEWS (S0128) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "d328f1e2-c98f-473e-aea5-063e1ee70744", - "value": "Cobalt Strike (S0154) uses Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "8d7cd505-3b0e-4e90-bf47-6552612958dc", - "value": "Duqu (S0038) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d412ff4a-d9d0-44a9-b8b3-36a650f18036", - "value": "RTM (S0148) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "35aac341-5371-42e8-ad93-3ab94a11b51a", - "value": "Poseidon Group (G0033) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "b368c7c2-a593-45cb-b557-aac668a02656", - "value": "Ke3chang (G0004) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "7209b3d7-b8c8-4fc0-89fb-a5448f015540", - "value": "HDoor (S0061) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "03f32a8b-4cd9-488c-9759-37f3dff9faea", - "value": "menuPass (G0045) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b" - }, - "uuid": "44858dc2-c869-42a0-8f67-3ddd9660b538", - "value": "APT1 (G0006) uses Lslsass (S0121)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "80dcd852-39c2-4ef9-a401-e54982010a65", - "value": "APT3 (G0022) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fa04b7b3-e9ea-4c35-a2a5-8d0c73f5698b", - "value": "StreamEx (S0142) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "e584ec5f-af99-4d61-8b02-3dbacae4adf4", - "value": "Zeroaccess (S0027) uses NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "adf7a6a5-91b0-4c37-9fa5-0bfbb382a838", - "value": "Backdoor.Oldrea (S0093) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ba95a6e7-3235-4dcd-93eb-4eebc4d0aaec", - "value": "Dragonfly (G0035) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "1539eaf6-e4ea-4e9d-af2b-2594d1ca5b38", - "value": "H1N1 (S0132) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "10619fa8-c479-4b61-9aac-ee08f00114d1", - "value": "ELMER (S0064) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "03303147-db81-4cb3-9368-98ee4f963c1a", - "value": "BRONZE BUTLER (G0060) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "37aa4e22-824b-468c-ae46-d9d007cc7cc7", - "value": "RawPOS (S0169) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "330c8e43-575f-4c9a-b6c2-def7306841ad", - "value": "CozyCar (S0046) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "0e630f6b-8662-4ffe-b666-709e17aad69f", - "value": "3PARA RAT (S0066) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "6e39f6fe-3808-41ae-9263-1fd23865bd7b", - "value": "Elise (S0081) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8200c438-ec29-4f0e-81c3-9a058c735748", - "value": "BlackEnergy (S0089) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2f5f2d31-739e-4dc5-b137-840401985244", - "value": "Remsec (S0125) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "9f496c45-eac5-464f-858b-ef481f2f37ff", - "value": "ADVSTORESHELL (S0045) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1c6f35f0-1169-4218-9881-7291e1765cd8", - "value": "Emissary (S0082) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "c2909563-2b7e-48d6-b165-05b8eff63862", - "value": "menuPass (G0045) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26" - }, - "uuid": "f24d37c0-283d-4f37-8278-07fc75cc0e94", - "value": "APT3 (G0022) uses RemoteCMD (S0166)" - }, - { - "meta": { - "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2be17426-9704-4913-981b-6d8fe4471147", - "value": "NetTraveler (S0033) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "9378f139-10ef-4e4b-b679-2255a0818902", - "target-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427" - }, - "uuid": "52b6181e-881e-4b96-93a3-1292bc2f1352", - "value": "Service Registry Permissions Weakness Mitigation (T1058) mitigates Service Registry Permissions Weakness (T1058)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "cdf73653-b2d7-422f-b433-b6a428ff12d4", - "value": "Stealth Falcon (G0038) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "90347c97-c0c5-4407-9087-b917d0789b0e", - "value": "TinyZBot (S0004) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1fbde0c8-1b00-40bf-8fef-11892d103d63", - "value": "PinchDuke (S0048) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "828afc32-9874-40aa-b752-315c7623ffee", - "value": "Kasidet (S0088) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d0013f9d-4243-4ade-8d06-a2cd6158ca58", - "value": "HALFBAKED (S0151) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61" - }, - "uuid": "2092cbf8-4b5e-40e9-93dd-bfd8a71b4e8c", - "value": "Dust Storm (G0031) uses Mis-Type (S0084)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "852009ed-1b50-4b08-9e77-53f0271d995c", - "value": "Remsec (S0125) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952" - }, - "uuid": "80fc5f0c-3dcb-45ab-807a-bfa3d64334c6", - "value": "BRONZE BUTLER (G0060) uses at (S0110)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "0fd5d3bc-d736-43c0-b9ec-f1dcd95411a7", - "value": "Elise (S0081) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "ac7d5b88-7929-4f64-abcd-8219caafac24", - "value": "FIN6 (G0037) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "c667befa-7242-47f8-bdc1-1056f62bb466", - "value": "Elise (S0081) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6175bbbe-1bc1-4562-8c5f-9e437348636a", - "value": "APT18 (G0026) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "18572125-3439-4f7c-92c8-d787913dc989", - "value": "Hi-Zor (S0087) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "9ef58dda-688d-4461-b5fc-25f2ba3a9c54", - "value": "BRONZE BUTLER (G0060) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "a33c172b-9910-4f36-8373-32126201144b", - "value": "Mis-Type (S0084) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "4f2dbf3d-70f6-42d9-8894-c98d8bc70abc", - "value": "DLL Side-Loading Mitigation (T1073) mitigates DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "4bf364ad-1e9c-4860-93c0-241da4c81068", - "value": "RARSTONE (S0055) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4b5540e5-eac1-40f4-93d0-155f60e9395a", - "value": "Emissary (S0082) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "27ead6bc-2bba-49d3-bcfe-667c7654a6fc", - "value": "OilRig (G0049) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", - "target-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e" - }, - "uuid": "47639246-6268-4a7e-9670-965873bdfb42", - "value": "Gatekeeper Bypass Mitigation (T1144) mitigates Gatekeeper Bypass (T1144)" - }, - { - "meta": { - "source-uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", - "target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d" - }, - "uuid": "e59e9443-740a-4e2b-a775-8ae59ceb3844", - "value": "SID-History Injection Mitigation (T1178) mitigates SID-History Injection (T1178)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "6c053469-7bd4-4b55-90b2-289a09aa53fa", - "value": "BRONZE BUTLER (G0060) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "d2bc1c1b-987b-4a1a-b488-8199f8113697", - "value": "Daserf (S0187) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "a83182d2-b619-4ca4-984b-21ecfe43da26", - "value": "RTM (S0148) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ecde1551-bca2-4f45-8692-cbc583cf3d4f", - "value": "Unknown Logger (S0130) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "fb11df98-790a-4b1c-9ca0-73224226cff3", - "value": "ZLib (S0086) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "39e856a1-4bab-474e-a6b2-3ce69249bc29", - "value": "Mis-Type (S0084) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351" - }, - "uuid": "b6eb09bc-fef4-4cf3-b337-dfe6bd87ca35", - "value": "FIN7 (G0046) uses POWERSOURCE (S0145)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f08c1f67-485b-4ebd-81dd-e886f63025e6", - "value": "Naikon (G0019) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "11010986-1b4d-4158-b47d-bbff34306c98", - "value": "BADNEWS (S0128) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "18324fed-7770-4768-b652-59860ac4782f", - "value": "FLASHFLOOD (S0036) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "2a93ea80-d0f6-4b81-887d-8911f7573245", - "value": "Threat Group-3390 (G0027) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ce42140b-f801-40da-8185-105a9b1a915a", - "value": "PlugX (S0013) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "bb1de6e6-23ce-42a8-bcd7-fd75aec24c50", - "value": "New Service Mitigation (T1050) mitigates New Service (T1050)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "7cf7d162-a34f-4951-a643-5bf959283f6b", - "value": "Trojan.Karagany (S0094) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "4fde23ab-b8db-4275-ac37-37e608cb00b0", - "value": "OilRig (G0049) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "114f98a4-6243-4a0c-a6c4-3e693a4f9b08", - "value": "SHIPSHAPE (S0028) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "11a7431f-416f-48de-a3c0-8782abdede63", - "value": "BADNEWS (S0128) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "545a618f-9fe4-4573-a0a0-ecfcef0b407c", - "value": "BRONZE BUTLER (G0060) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "3427863f-d4c4-4272-ad60-1479e42ed4af", - "value": "APT3 (G0022) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "92d3b6b0-7c61-452a-a9b9-c2549357bfef", - "value": "nbtstat (S0102) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "0d0b4507-b600-41f1-be98-03909e5d99cf", - "value": "RTM (S0148) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e2675622-ec8e-4894-9f5e-3c82944e3019", - "value": "Turla (G0010) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "02206f22-80e9-4f87-9e4b-5c1df1eb737e", - "value": "Unknown Logger (S0130) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "9253e8b3-9fbb-4149-a2e4-60d36c006ba6", - "value": "Downdelph (S0134) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4556634c-06f7-48f9-bcaa-22d023524068", - "value": "HAMMERTOSS (S0037) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1a4c94a1-6362-42b3-b1d9-41ae3fbf5ea5", - "value": "Misdat (S0083) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "db283fff-4b13-4c79-85f0-5cdb6b76e964", - "value": "HDoor (S0061) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "5fc0ca38-bb65-43ab-b8b2-6861442b25a8", - "value": "Net (S0039) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "f865403f-5b4a-4e5a-bb50-8d416ad36db4", - "value": "Ke3chang (G0004) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "4c6aea43-27ba-4e6a-8907-e5db364a145b", - "value": "BRONZE BUTLER (G0060) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f9600732-9116-4325-8073-28d81721b37a", - "value": "menuPass (G0045) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a" - }, - "uuid": "5ccd4b15-ef11-4b89-b0e1-4dd714fa2fb5", - "value": "APT32 (G0050) uses KOMPROGO (S0156)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "ff922dd7-21b6-4f95-bb8b-080d0dee6655", - "value": "TINYTYPHON (S0131) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "b97e696f-6386-4b15-8f24-81d0abe51830", - "value": "HIDEDRV (S0135) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "20f863a1-f7de-4d66-a564-c4adee24fdbe", - "value": "Ke3chang (G0004) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "39b735d3-c659-4d1a-8e7e-082c0f049c2d", - "value": "Lazarus Group (G0032) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "ced15447-281b-4d92-941e-b5df9747a3d5", - "value": "Flame (S0143) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "05e9e12f-be5e-46f4-9f42-6f7fb7e9fb4a", - "value": "BRONZE BUTLER (G0060) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d64ba78c-a332-40be-8e2f-904f15ceffe7", - "value": "Sakula (S0074) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0e89ca75-b73e-476e-b56d-1cf815fa7868", - "value": "Patchwork (G0040) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", - "target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" - }, - "uuid": "cca3a63c-e00e-49d1-bf10-f2c21f3469e6", - "value": "Winlogon Helper DLL Mitigation (T1004) mitigates Winlogon Helper DLL (T1004)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "a5b4d08c-963a-48fe-8f22-ba344835d00e", - "value": "BADNEWS (S0128) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" - }, - "uuid": "3ec34d16-a4e6-4fc7-b819-5a041605aa42", - "value": "Janicab (S0163) uses Local Job Scheduling (T1168)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "babaa2be-7c41-490a-bd0b-2cf140858244", - "value": "SslMM (S0058) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", - "target-uuid": "68c96494-1a50-403e-8844-69a6af278c68" - }, - "uuid": "0b0884f1-1a40-436e-9a74-8cbe9c9d6732", - "value": "Change Default File Association Mitigation (T1042) mitigates Change Default File Association (T1042)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "16c7058c-8fa5-4477-8332-9e76fcb38924", - "value": "FIN6 (G0037) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fb6f077c-06a2-46bb-9aef-959ef818d4aa", - "value": "admin@338 (G0018) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "45f9e4b6-a6a0-4f9f-aae9-9e8a69f5681d", - "value": "RTM (S0148) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "afbf5119-6e39-4e4c-8329-57f7249a67b4", - "value": "APT3 (G0022) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "2e45dc12-f493-42ea-829e-011ba786bef1", - "value": "Threat Group-3390 (G0027) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "62507790-a137-409e-a655-9190ff78cb52", - "value": "CosmicDuke (S0050) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "5f5af879-c239-416b-99ec-b46e2f9926a2", - "value": "OilRig (G0049) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "cf7cd81f-3684-469f-936b-a6098ff76dbd", - "value": "Cobalt Strike (S0154) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a6929a8b-e9b4-4122-8dd8-4030173346c9", - "value": "Cobalt Strike (S0154) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "202b96f6-0f7c-4aed-8004-780f1d880059", - "value": "PHOREAL (S0158) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "2e80a049-220e-4d47-98f7-c0dbfe245cdc", - "value": "PinchDuke (S0048) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "c8c5b766-a719-43bd-988a-cb00beedbba3", - "value": "Threat Group-3390 (G0027) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069" - }, - "uuid": "cfe2a359-bbab-4520-bdd7-b2d6abf742cc", - "value": "APT28 (G0007) uses XAgentOSX (S0161)" - }, - { - "meta": { - "source-uuid": "5c49bc54-9929-48ca-b581-7018219b5a97", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "3d635b23-78b7-4de4-9417-8077787c7c0b", - "value": "Account Discovery Mitigation (T1087) mitigates Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9", - "value": "Backdoor.Oldrea (S0093) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - }, - "uuid": "6dbb3a1e-5fb4-4494-950c-570616302ece", - "value": "CopyKittens (G0052) uses Cobalt Strike (S0154)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "093215eb-4edb-4c55-bb5f-b8ca2de7962c", - "value": "SHIPSHAPE (S0028) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9df1a5b0-f1fb-4239-abb5-67ba6e9e05f6", - "value": "WinMM (S0059) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "54e99ba2-143f-43be-8d7f-79de5551d1ac", - "value": "BBSRAT (S0127) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "2e82ef21-9fb2-421e-bd96-73599089b448", - "value": "CopyKittens (G0052) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "edbef2c6-4005-4fdb-b978-9699a7b2a309", - "value": "Scripting Mitigation (T1064) mitigates Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "5cdbfaba-b4be-4cff-bdc6-c9205c44c844", - "value": "Felismus (S0171) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "ec30b3a9-69b4-4604-9def-db9e904df309", - "value": "Gazer (S0168) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "52c18ed1-91a5-4394-a4d0-f700c75bf3d9", - "value": "Turla (G0010) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "4ec9a523-e27f-4984-9bde-4af785e5e75a", - "value": "Pisloader (S0124) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "2c29e6cf-a177-4578-bf1f-fd73ae254edd", - "value": "Hikit (S0009) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "4b8d211d-4969-4c0f-8b01-fd176c8172d1", - "value": "APT28 (G0007) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "f4480854-9424-49d5-8b54-f839302e3ee7", - "value": "Rover (S0090) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "ffee4cd1-f193-4dbc-9f47-6fe47e1523eb", - "value": "menuPass (G0045) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "032fb34d-3434-4667-9d5e-6bb9fd6b7d00", - "value": "APT32 (G0050) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "284d622d-8b28-4569-97a7-936edced1b18", - "value": "Helminth (S0170) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "07a550a2-27c1-43f5-8b30-c288441ad5b0", - "value": "OilRig (G0049) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56" - }, - "uuid": "34627bc3-c857-46c4-a9e8-060a779b643e", - "value": "MONSOON (G0042) uses Unknown Logger (S0130)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" - }, - "uuid": "1d3654f8-3a5e-4ef8-826f-4242ecf78c0a", - "value": "APT32 (G0050) uses Application Deployment Software (T1017)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754" - }, - "uuid": "0585e082-8f8e-4162-b4a8-3c1cef02f7e3", - "value": "APT29 (G0016) uses CozyCar (S0046)" - }, - { - "meta": { - "source-uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0", - "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" - }, - "uuid": "e81d69cf-62b8-464b-ad5b-9a9e80236801", - "value": "Trusted Developer Utilities Mitigation (T1127) mitigates Trusted Developer Utilities (T1127)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a3fe1f58-b507-42ea-a21e-a6ac46de9ca8", - "value": "Sakula (S0074) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "b08e3c96-25a7-412f-bbfb-63e010ef3891", - "value": "Cleaver (G0003) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" - }, - "uuid": "69d05cb2-ded0-4847-b52e-af7af421f303", - "value": "Flame (S0143) uses Authentication Package (T1131)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "8db1b5bd-8f0c-4c13-8667-c83713ce799e", - "value": "Gazer (S0168) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "daf56e8e-ea82-4ef2-bb03-78dd7e6ef3c0", - "value": "APT3 (G0022) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "6a5bc2dd-2132-4af0-9b12-0e781971d96c", - "value": "Patchwork (G0040) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ccb67d98-71d6-4a26-86b6-281174ca07b0", - "value": "Kasidet (S0088) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "10571bf2-8073-4edf-a71c-23bad225532e", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "8b439661-99e2-4410-b043-082155793155", - "value": "AppInit DLLs Mitigation (T1103) mitigates AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "c1600f3f-6c21-4c5b-82fe-a4514785f6bb", - "value": "Network Sniffing Mitigation (T1040) mitigates Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "03c9b56e-f006-43b2-ac98-bcbe0c05e979", - "value": "ChChes (S0144) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c839344c-a96d-412f-bded-5ac7c8fd446a", - "value": "RTM (S0148) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "1b4cd403-8e3a-43da-bc25-a7e8d707794b", - "value": "Data from Local System Mitigation (T1005) mitigates Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "cef7d272-ee0c-4379-9d7b-63adf1f40252", - "value": "Mis-Type (S0084) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c560f682-0d21-4c9b-b35d-33aec2287117", - "value": "POWERSOURCE (S0145) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "d4fd461f-fc58-4060-aed4-cebe64f249b9", - "value": "Arp (S0099) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d9e8d70a-06f6-4873-baf8-29ebfaf6bf99", - "value": "MiniDuke (S0051) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "1d36c3e8-238f-46c6-9b20-9fb4cb5c75ba", - "value": "Net (S0039) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "87e080cf-b8c0-4679-bcfb-ff77ab7698f3", - "value": "Misdat (S0083) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d067b113-4584-419f-860b-d3184f734350", - "value": "S-Type (S0085) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", - "target-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f" - }, - "uuid": "56086ed3-641e-4fd5-b26e-1ca9479c2081", - "value": "Startup Items Mitigation (T1165) mitigates Startup Items (T1165)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "519c4c7f-8495-4b8a-b58e-551a78e469cc", - "value": "Turla (G0010) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "e0301b36-c339-49c5-b257-9ece19152922", - "value": "OilRig (G0049) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "f837cc68-8715-4301-ae15-bf89c8b1f7ee", - "value": "Axiom (G0001) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "388b4637-f634-42ab-a370-981be7da89bd", - "value": "RedLeaves (S0153) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "7f17927d-b371-42c4-bd68-0c5c57e3edab", - "value": "Magic Hound (G0059) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "13f5fad8-1b6f-4b65-9803-155f93b5d357", - "value": "Process Hollowing Mitigation (T1093) mitigates Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "fb1a7bbd-9dec-4038-9935-1647378f739f", - "value": "Network Share Discovery Mitigation (T1135) mitigates Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "c5cf4822-a0bf-442a-9943-1937ac45520b", - "value": "SslMM (S0058) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "1022138b-497c-40e6-b53a-13351cbd4090", - "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" - }, - "uuid": "c7047518-c63f-41b5-a803-1ed54066a62e", - "value": "File System Permissions Weakness Mitigation (T1044) mitigates File System Permissions Weakness (T1044)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "2cc93cb7-fbe6-4c79-b619-a2eb877de1cf", - "value": "menuPass (G0045) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "f8a90328-b7ee-474a-9773-f5bf501defd3", - "value": "Mivast (S0080) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "00ce7309-114c-45a1-b905-f7a973cb3837", - "value": "APT29 (G0016) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "2325c0b2-fb89-44e1-9206-e495811f2907", - "value": "Lazarus Group (G0032) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "43c34939-8236-4ddd-8def-0eb7b5fe62cf", - "value": "APT1 (G0006) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "e65112dc-8a58-486f-9f3b-5a84925a3e53", - "value": "APT29 (G0016) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d2fa2382-dcfc-4cff-969b-2b5ec12dc406", - "value": "TDTESS (S0164) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06" - }, - "uuid": "762f85a3-0120-4b09-aafd-3f460764e85f", - "value": "APT12 (G0005) uses Ixeshe (S0015)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "69bff194-c90e-4e30-a369-57da4cff014d", - "value": "StreamEx (S0142) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "ed2f811d-3258-4489-abe1-57dac4bdbbf8", - "value": "RedLeaves (S0153) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4a959425-4d43-4969-9a47-768894a3afaa", - "value": "Emissary (S0082) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "edbd751e-29ad-419f-a3ff-9d210453351d", - "value": "Reaver (S0172) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "044ad6d3-9389-4764-9b96-ad53dc98840d", - "value": "XTunnel (S0117) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", - "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" - }, - "uuid": "3b4f48d3-eb5d-4d7e-9f0b-86f68951207d", - "value": "FinFisher (S0182) uses Hooking (T1179)" - }, - { - "meta": { - "source-uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2a0b74b3-cbc3-45fa-aba4-eabdb0cb89b5", - "value": "Standard Application Layer Protocol Mitigation (T1071) mitigates Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "5d55979e-d4e8-44eb-97d6-e3e78baa60c7", - "value": "MobileOrder (S0079) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "79057890-3cd0-4124-8b35-b86db6b4f9d7", - "value": "APT32 (G0050) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "ed45fb1c-048a-4378-8c15-6f6ea0c72d7a", - "value": "RedLeaves (S0153) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "325ccde0-2d5a-4306-9c4e-e1a554ee0d87", - "value": "Ke3chang (G0004) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "f19f6e41-14b2-44a1-940f-6a6f2cfab6be", - "value": "LOWBALL (S0042) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "e1f4c08f-b5b1-4d62-8f1c-75f4302b0bce", - "value": "Shamoon (S0140) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9194756f-c455-427b-9fb0-4887c7bf3bf3", - "value": "RedLeaves (S0153) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "15f74597-d92d-406f-9941-c0dfef3cb609", - "value": "Net (S0039) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "dbacc7d5-5d10-4b41-994d-51e0792cfb19", - "value": "Pteranodon (S0147) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "26af1f3f-806e-45bd-860a-2eead8af7d3e", - "value": "Cobalt Strike (S0154) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "bd5b4264-1f10-4cd5-b7b0-a6a8b9dad7c3", - "value": "Remsec (S0125) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "52781f1e-4b91-4ff2-8f48-89e15bc40d42", - "value": "POWRUNER (S0184) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" - }, - "uuid": "e4c7c4b7-fe19-4433-acd9-ec94f436f381", - "value": "Axiom (G0001) uses Derusbi (S0021)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "7c792d18-25a3-4d85-be44-93523228748c", - "value": "Rover (S0090) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c" - }, - "uuid": "d9c29485-ced4-4ebc-880c-31d35dd54b26", - "value": "APT32 (G0050) uses WINDSHIELD (S0155)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "68487d82-458b-4f45-b1c8-c6e4affaa226", - "value": "menuPass (G0045) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "a566127b-1d88-4b38-84dd-4686e2837399", - "value": "Daserf (S0187) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d7c40b1d-efe6-4869-9754-6494d45f51f1", - "value": "Hikit (S0009) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "007cc21a-685a-4701-99c1-20f258cedc7c", - "value": "BLACKCOFFEE (S0069) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "becf0a5e-4636-4d2f-bd4a-fd60b15ee74a", - "value": "gh0st (S0032) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a72ad83f-8336-4d01-b22d-5c836f5e5bf9", - "value": "PowerDuke (S0139) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "e6b68811-113e-4f86-8096-9f506e34dda1", - "value": "Remsec (S0125) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "252c0e02-0da6-4812-b147-81d9cfb3c998", - "value": "CHOPSTICK (S0023) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "907df22e-fdfe-4b93-8b18-ebf66f83868c", - "value": "S-Type (S0085) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "a39bc982-3934-4ec7-ba33-0de9331d55f5", - "value": "APT34 (G0057) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4" - }, - "uuid": "773e99eb-0739-42d3-afaa-aff65e86329d", - "value": "Turla (G0010) uses Gazer (S0168)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "68edf451-bda3-4159-9715-dbcfda8eb8e2", - "value": "APT3 (G0022) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "1e91cd45-a725-4965-abe3-700694374432", - "value": "Rootkit Mitigation (T1014) mitigates Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4d90fd9d-9f9b-45f8-986d-3db43b679905", - "value": "Kasidet (S0088) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "fad44d26-02a8-4cdc-b566-5e24f32a93b3", - "value": "Molerats (G0021) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "5bb39b9d-3651-4cdf-80b1-9d88b2062258", - "value": "Shamoon (S0140) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "1a40426a-355c-4d7e-b51c-e95a102b31e2", - "value": "Lazarus Group (G0032) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4" - }, - "uuid": "64aab090-e7c2-4114-8c15-49700b611fb8", - "value": "Sowbug (G0054) uses Starloader (S0188)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "d8abe157-f6cd-4959-b9d5-e0c87d16bcfe", - "value": "ADVSTORESHELL (S0045) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "35ca6c35-f1e9-49b7-a8c9-a67951c57ea0", - "value": "TinyZBot (S0004) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "129cacdc-8acb-4209-a77c-a6a7e0820a97", - "value": "POWRUNER (S0184) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "1fe4be95-b162-4fc7-a3c9-4277547ea722", - "value": "Remsec (S0125) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52" - }, - "uuid": "1d5e0da2-7741-4a31-9c54-cbbe584fe27b", - "value": "APT1 (G0006) uses Cachedump (S0119)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "2a7d01e9-9c42-4d17-947a-629ca7a9d515", - "value": "Elise (S0081) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "93b12e1a-7f21-4fa0-9b2a-c96c7c270625", - "value": "PittyTiger (G0011) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1" - }, - "uuid": "e02d1cb4-1bb7-49b5-a918-5e0d194974aa", - "value": "Turla (G0010) uses Epic (S0091)" - }, - { - "meta": { - "source-uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", - "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" - }, - "uuid": "f6483534-196c-4540-a456-985594171cd8", - "value": "Extra Window Memory Injection Mitigation (T1181) mitigates Extra Window Memory Injection (T1181)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "13a8be40-1190-4553-b026-58c5088c322a", - "value": "Suckfly (G0039) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "7cb48d6d-1171-4e9d-87c7-4779293f6921", - "value": "Duqu (S0038) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300" - }, - "uuid": "ded85906-e996-45cd-ae64-82adc22397e3", - "value": "MONSOON (G0042) uses AutoIt backdoor (S0129)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "5a77e097-3aed-4bd3-b5fc-997746da62ad", - "value": "BLACKCOFFEE (S0069) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "56648de3-8947-4559-90c4-eda10acc0f5a", - "target-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d" - }, - "uuid": "dce95526-cb24-4d3e-9b3b-de704e0730e4", - "value": "Keychain Mitigation (T1142) mitigates Keychain (T1142)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "ed94edc7-e687-409e-9143-20a15190bd83", - "value": "Shamoon (S0140) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2d450e2f-25c9-49af-b83f-6c91029ed28a", - "value": "APT28 (G0007) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "3beb0c09-e584-4fd8-92bb-d7a1ae9192e6", - "value": "OilRig (G0049) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "8104dfee-8883-4f7c-8f7d-84c9b409efc3", - "value": "Deobfuscate/Decode Files or Information Mitigation (T1140) mitigates Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "0dee5507-6e61-4244-86a8-c7e8a34469da", - "value": "OwaAuth (S0072) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "3fe9b64a-6435-4592-9181-2ad50ee93044", - "value": "Lazarus Group (G0032) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "ab069468-3dff-4c77-9293-adb0b2627a4e", - "value": "Deep Panda (G0009) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "3f416bd3-a06f-4ec2-8cf6-4a84e0611c63", - "value": "xCmd (S0123) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "79106ad4-28d3-4f67-a2c3-116d138ec84a", - "value": "PlugX (S0013) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "e0d33a40-a0d1-49fe-bea1-d0e4f000f628", - "value": "Miner-C (S0133) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "1d54c1d7-529f-4e4f-9a38-55b1b8cbff66", - "value": "Backdoor.Oldrea (S0093) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "dd21c8fe-caf8-40df-b049-787ba465eef7", - "value": "Indicator Removal on Host Mitigation (T1070) mitigates Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4" - }, - "uuid": "9155d072-d94b-4a63-b089-26781aff5275", - "value": "Scarlet Mimic (G0029) uses MobileOrder (S0079)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e8193b28-b28a-4ab7-8390-8a5bd4d851b5", - "value": "Threat Group-3390 (G0027) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, - "uuid": "96077086-d811-47a1-a805-decbf6f249b7", - "value": "BBSRAT (S0127) uses Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" - }, - "uuid": "506acc8a-e691-4f4e-b69f-bfab84cf2c73", - "value": "FIN7 (G0046) uses Application Shimming (T1138)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "818a401d-dd4d-426a-b89c-d33625380b8b", - "value": "MoonWind (S0149) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d53d1e84-f4de-4e6a-bc84-5edfce84b055", - "value": "OwaAuth (S0072) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "b3981ca6-7ef0-4625-99a8-9cbec731bac9", - "value": "Helminth (S0170) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "8f897f1c-7bc6-4a85-8d3b-627f976af215", - "value": "BRONZE BUTLER (G0060) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "69682171-e717-4af7-a24a-06a39f381641", - "value": "Threat Group-3390 (G0027) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fce2d07b-7bc7-497a-b21a-75a23fbccf50", - "value": "Prikormka (S0113) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "13c97dd2-5c0b-4f18-84ab-533949fbeb25", - "value": "SeaDuke (S0053) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "b51f3b69-d62b-4ccf-9ce8-62ec7f934e4b", - "value": "Lazarus Group (G0032) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "cc831c63-94af-4937-b8e6-668591ec7d04", - "value": "PittyTiger (G0011) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "64cb753d-eb72-4dce-a417-7df747334347", - "value": "BACKSPACE (S0031) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6", - "target-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025" - }, - "uuid": "0c2ba74b-a5b0-493c-84f3-41b6131070a0", - "value": "AppCert DLLs Mitigation (T1182) mitigates AppCert DLLs (T1182)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "d5c86dd3-3cfa-4ade-8984-fdf079b9f81b", - "value": "RTM (S0148) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "b69424ec-3af6-44aa-842a-81fba219b9f4", - "value": "Darkhotel (G0012) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "695c2f41-140a-48f9-9e14-0cd58d7712d1", - "value": "OLDBAIT (S0138) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "8961d93e-ec51-42dd-8f76-54d46ea21967", - "value": "H1N1 (S0132) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "bc72acee-e417-4de8-8084-153e141917b6", - "value": "MobileOrder (S0079) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "61fa303b-a9ff-419f-b3ac-96e43e37b6e5", - "value": "HALFBAKED (S0151) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "dd4c02ea-b54a-4753-beb5-3248d89a7e04", - "value": "APT1 (G0006) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "da44c85c-914b-41e0-aef7-68cd3c1faea1", - "value": "JHUHUGIT (S0044) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "fc4dd2b6-63a0-46fe-bfc4-90e58e5d1422", - "value": "BRONZE BUTLER (G0060) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "87b8b451-bf9b-4e93-b591-05ef502970f5", - "value": "Magic Hound (G0059) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a1e74408-5c7b-4538-afd9-a01b23a92429", - "value": "Psylo (S0078) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "bb005145-438c-4fd8-9cac-a636df7465da", - "value": "XAgentOSX (S0161) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "ec6074e4-4137-42a4-86c8-1ea95ce54df6", - "value": "BBSRAT (S0127) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "61dd6d75-a95b-488d-9a1d-924563592df7", - "value": "POWRUNER (S0184) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a5ffea60-7694-48cd-92e9-b755669b2fdb", - "value": "Gamaredon Group (G0047) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0f5d3626-1dc2-4ebe-ba37-3f86ab0df9ec", - "value": "Rover (S0090) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "edaf0203-4959-4e1e-9240-3d20cf0f3b6a", - "value": "APT28 (G0007) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "44090eb6-1166-4986-8583-60dcc8e69cc7", - "value": "RedLeaves (S0153) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "74486fa3-a5b8-49b2-82b7-0c453b4baf12", - "value": "Tor (S0183) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", - "target-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8" - }, - "uuid": "d18d4353-e344-4759-b51b-ed39ab2b5f46", - "value": "Browser Extensions Mitigation (T1176) mitigates Browser Extensions (T1176)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e41ab3e7-2b69-4461-a693-e53a24c9ab59", - "value": "CORESHELL (S0137) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b8f1354c-9cff-40ef-aa47-591952c735c3", - "value": "Backdoor.Oldrea (S0093) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", - "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" - }, - "uuid": "efa2ae6b-8942-4ea2-80ca-b4181dd01427", - "value": "Man in the Browser Mitigation (T1185) mitigates Man in the Browser (T1185)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69" - }, - "uuid": "76393f0c-a13c-48a8-ba7d-80502ae938a7", - "value": "APT1 (G0006) uses Pass-The-Hash Toolkit (S0122)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f9669551-29f8-4aaf-83b9-50e541bbdced", - "value": "FLASHFLOOD (S0036) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ed74954d-4717-4d63-9836-4cbd66c37345", - "value": "Crimson (S0115) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "555e47f2-54bb-4c97-8804-536aa354126c", - "value": "APT3 (G0022) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "22addc7b-b39f-483d-979a-1b35147da5de" - }, - "uuid": "45966f4c-51d4-4940-854d-79d712f63ed5", - "value": "Naikon (G0019) uses WinMM (S0059)" - }, - { - "meta": { - "source-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c088f23e-b741-453c-a710-01990dead853", - "value": "Systeminfo (S0096) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "01e01c24-ba4c-41d7-8f30-8fca364dc2c6", - "value": "ifconfig (S0101) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "27834043-1004-4a70-9023-a318bd6db7c6", - "value": "FALLCHILL (S0181) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "bb523d35-52f1-4c61-a8de-b4605ce9e596", - "value": "Fallback Channels Mitigation (T1008) mitigates Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "3e497bf1-4fdc-40a2-b8a2-3492c1d605e5", - "value": "POSHSPY (S0150) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "25d96e8e-6893-4b90-82cc-253cbd499543", - "value": "Dragonfly (G0035) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ed8b5029-835d-492c-a1f4-10ccbf084a76", - "value": "Pisloader (S0124) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "25a46055-25f5-4f91-9b0f-ba099f9dde4b", - "value": "Clipboard Data Mitigation (T1115) mitigates Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d4ca926c-6976-4ee8-a5b0-89aa11931bea", - "value": "RedLeaves (S0153) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "838b4a52-1360-4ca7-ab25-1b549508e687", - "value": "CHOPSTICK (S0023) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b3f53743-4bd9-47a6-bf41-6f7786bbdc87", - "value": "BADNEWS (S0128) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "17594ffb-af22-4cdc-8849-ca31d2019a9e", - "value": "Threat Group-3390 (G0027) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "f004e6c4-0c37-4060-9627-9ec0940aee9c", - "value": "Process Injection Mitigation (T1055) mitigates Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c6f81350-a410-4ac7-a4b0-58bd4a9c1d9e", - "value": "Poseidon Group (G0033) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "d6e43621-ca4a-475f-b81c-037a0878728b", - "value": "Patchwork (G0040) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ec362b37-1a64-4b28-8d34-7819d0aa5b2a", - "value": "XAgentOSX (S0161) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "3884be12-f73f-4f9b-875e-68d40798faf6", - "value": "BADNEWS (S0128) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "bbd9b8d7-431c-44fa-95ac-61f73271ae92", - "value": "BlackEnergy (S0089) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "ee51d531-5cc4-4836-a55c-6062bde1a4d4", - "value": "StreamEx (S0142) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "3d16b34f-f58b-4469-a0ef-7585f88d6001", - "value": "T9000 (S0098) uses AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "3cb99d8e-8a3d-47ed-b4b7-e217cea48013", - "value": "Cobalt Strike (S0154) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2" - }, - "uuid": "4a1bfb6c-f110-4785-9dff-4c8e433bf04d", - "value": "Threat Group-3390 (G0027) uses ASPXSpy (S0073)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5bb94c21-96c6-4c71-ae46-b222a69a493a", - "value": "NETEAGLE (S0034) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "7282eabe-73e0-4a10-824b-f18df7f892e2", - "value": "Trojan.Karagany (S0094) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "d8ac067b-f246-40bb-98bd-fcff74092139", - "value": "CosmicDuke (S0050) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9b80479d-6f7a-45fd-af5b-1e8adfb1e7fd", - "value": "Mis-Type (S0084) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a6150e37-2411-409f-82a0-e259d55d1166", - "value": "T9000 (S0098) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "167d7b11-01f3-42d5-bb8a-78306dc80243", - "value": "CHOPSTICK (S0023) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "cd58d271-9ee2-45d6-9ca3-22ae8da639b5", - "value": "Helminth (S0170) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "a5888362-00f3-4c9e-98ee-048aee5169e1", - "value": "FIN10 (G0051) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "89da3f24-b9dc-4c68-9240-228215e51bfc", - "value": "Dragonfly (G0035) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8" - }, - "uuid": "16ef3e00-dc40-462c-9b74-5e8a8b24c86e", - "value": "APT3 (G0022) uses OSInfo (S0165)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5f95e123-9f44-47a0-affc-aaae6929d269", - "value": "APT34 (G0057) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "d6e40826-7af0-4e4e-96c3-28493abda6c7", - "value": "Moafee (G0002) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "e9a2c6b5-c02a-404b-818c-d54915a53952", - "value": "APT34 (G0057) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "842f8f4b-9d90-4533-850f-777f33ef8257", - "value": "T9000 (S0098) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "61528841-379e-4fa3-a233-34c745764c18", - "value": "Masquerading Mitigation (T1036) mitigates Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "a602be33-6ed6-4f73-b7f6-10b47581707a", - "value": "Poseidon Group (G0033) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "720be590-5ea0-43b6-8360-fa75dd4d1a67", - "value": "Poseidon Group (G0033) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "f5936bbd-f8cb-404a-bd43-87f7bc836294", - "value": "BlackEnergy (S0089) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d57d1a71-6ac7-4028-ba73-86e5df98395f", - "value": "POSHSPY (S0150) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3268cdc0-7cee-4fe5-92cc-2c3cdc06712b", - "value": "Derusbi (S0021) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda" - }, - "uuid": "19fce62c-ba70-4c20-bf74-0bca7886190c", - "value": "APT1 (G0006) uses BISCUIT (S0017)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "45522d60-160a-4c07-bd98-9a487175910e", - "value": "SeaDuke (S0053) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "9d081347-3446-47a4-b5a9-d7a9d2d499e7", - "value": "Deep Panda (G0009) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "448a35fc-fecf-4373-9888-30c37dd1d56a", - "value": "Duqu (S0038) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "44259d7d-e156-4e09-a401-ff62f0706cdd", - "value": "dsquery (S0105) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", - "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" - }, - "uuid": "cfe1e092-57a9-4f7e-ba4a-794bfa797de8", - "value": "Local Job Scheduling Mitigation (T1168) mitigates Local Job Scheduling (T1168)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b380ad90-2f3b-4f98-ae23-3dfdba448e0a", - "value": "POSHSPY (S0150) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "eb74fa31-121d-4e43-9794-048a901f509a", - "value": "Uroburos (S0022) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0b823cda-4775-4690-9ea6-02bbaa3522a1", - "value": "Duqu (S0038) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "88ad4d2e-745e-4712-8901-e772dfaf3298", - "value": "Epic (S0091) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6f01abdc-bd94-4645-afed-8d3bd365bba4", - "value": "TinyZBot (S0004) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" - }, - "uuid": "ba4e03d1-f9b6-442d-974b-2fb7feddb551", - "value": "Deep Panda (G0009) uses Derusbi (S0021)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1eac1b9e-28f1-4315-8070-6946e7e11444", - "value": "APT34 (G0057) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "6e757efa-8231-4674-a1ea-e234e2dfb838", - "value": "Molerats (G0021) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "7123a6ee-2026-4db8-a983-cbc2932c2a09", - "value": "Backdoor.Oldrea (S0093) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "e376d1ed-a35a-47c1-98c6-4d37f52b1b84", - "value": "ChChes (S0144) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "4b5bd2c6-b460-401d-8457-005add9037d9", - "value": "Windows Management Instrumentation Event Subscription Mitigation (T1084) mitigates Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "8bb44b86-379d-49ba-9b28-2451e69db30d", - "value": "Patchwork (G0040) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ad5f49b0-8b92-43d1-99f3-c691ccb7a8ac", - "value": "DustySky (S0062) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "47316750-4ca7-4ea3-b72c-9d7c7d895e3a", - "value": "Data Staged Mitigation (T1074) mitigates Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "d7903e1f-f31c-48bc-b7c3-3616cb1a792f", - "value": "RTM (S0148) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870" - }, - "uuid": "15aa00d1-11c0-4be1-a900-ede5e1376110", - "value": "menuPass (G0045) uses SNUGRIDE (S0159)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "7f3c015e-d95d-4d35-a583-236134464554", - "value": "Agent.btz (S0092) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "27375058-3002-4fc2-a964-a1e336a10a2a", - "value": "4H RAT (S0065) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "be5dadd8-71ce-40ac-8858-5d5c5fbe0e96", - "value": "Prikormka (S0113) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "63d53308-7d7d-4777-a1cc-c7100735609c", - "value": "BOOTRASH (S0114) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "b91e06c1-9546-4184-9552-ba501bf9182e", - "value": "ipconfig (S0100) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "80ca0faf-6958-4158-a36d-b3e7936c5f5a", - "value": "Tasklist (S0057) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "3017cf15-f6a8-4281-8c74-9dd8f7c2666f", - "value": "FALLCHILL (S0181) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ed2e17b5-171b-4878-a3ab-2b70e8ca132a", - "value": "Pisloader (S0124) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "0e12d7d1-5c46-4314-97fb-263853eed6af", - "value": "HTTPBrowser (S0070) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "6d819560-bdfb-4e0a-bf56-fddcba60cdb5", - "value": "S-Type (S0085) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "9670979e-9785-45f0-a470-f591c97f6f8a", - "value": "POWRUNER (S0184) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "9abd0448-a3b7-4262-8753-fe81dc91c434", - "value": "FIN5 (G0053) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "7a30e6e7-ed64-47b1-b368-c1cec96d5fbf", - "value": "Sykipot (S0018) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3363ae54-1fe3-4c9f-b074-79dc0d7fbba5", - "value": "GeminiDuke (S0049) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "1dfbe8fe-0e7a-42a7-85f0-a94b086b470b", - "value": "Gazer (S0168) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "67f19627-27a5-4898-bab5-7b235aa4ad77", - "value": "APT18 (G0026) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "3e89d94b-5e6f-48b3-ba80-d366940fa968", - "value": "Application Window Discovery Mitigation (T1010) mitigates Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "eaaf6671-ead6-441b-b8d0-037a1e47572e", - "value": "FIN6 (G0037) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e432b3bc-5539-40e5-bce2-3ba6f463b571", - "value": "File and Directory Discovery Mitigation (T1083) mitigates File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "e0a0966c-7a2f-41b3-962f-3a6b22a5a8a9", - "value": "Reaver (S0172) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "427a9eb9-659d-433c-9e2c-9a66d115a9a3", - "value": "Felismus (S0171) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ae3be82b-3d54-4be8-939b-e074a2cea170", - "value": "Misdat (S0083) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4d4c8221-17a9-4e5b-86f9-6a0cffc42424", - "value": "S-Type (S0085) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "5918cee6-c2f1-41be-ab96-36f3d17e5293", - "value": "certutil (S0160) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "b8a1739d-240b-46c1-a25a-b82d1c4e4765", - "value": "Turla (G0010) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "926d0b0c-9421-4b8e-a740-8823e35c642f", - "value": "Dragonfly (G0035) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9c4a8336-5f5f-4e58-b00d-b6bf1c59ec03", - "value": "MoonWind (S0149) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41023c59-b41e-454a-ace2-cd98d4fedb8e", - "value": "Mis-Type (S0084) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "72cd5bab-20d9-4895-a6be-7d33f28d4b65", - "value": "Dust Storm (G0031) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "33162cc2-a800-4d42-89bb-13ac1e75dfce", - "value": "Sakula (S0074) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "e94576ee-284c-4782-a6ef-b7dd8a780254", - "value": "OilRig (G0049) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "9d0c7e94-b7d6-4ede-8223-a19e615e0a0b", - "value": "Peripheral Device Discovery Mitigation (T1120) mitigates Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2ccda6d1-5196-4e22-b94a-01c3676fecc9", - "value": "APT34 (G0057) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3ada7220-b5a6-45b9-a7ca-4a26423da831", - "value": "hcdLoader (S0071) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", - "target-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5" - }, - "uuid": "77fad92a-72ba-44d2-b4cb-a3079fbdb256", - "value": "File System Logical Offsets Mitigation (T1006) mitigates File System Logical Offsets (T1006)" - }, - { - "meta": { - "source-uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "592d0c31-e61f-495e-a60e-70d7be59a719", - "value": "Data from Network Shared Drive Mitigation (T1039) mitigates Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "26eafe5d-0ffc-48cf-ba1d-3681bdcbfaa3", - "value": "Threat Group-3390 (G0027) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "47e827f6-ec1d-4f16-80ab-0c54254ff42c", - "value": "Duqu (S0038) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "5abaaa8f-19c7-448f-9e5a-66f1cbf412f9", - "value": "SeaDuke (S0053) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "191885b6-1282-4173-a2bd-174c30c8a1dc", - "value": "WEBC2 (S0109) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "9aeda7e2-e452-4cd3-837f-e258cba1fc96", - "value": "CHOPSTICK (S0023) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31" - }, - "uuid": "4cb1c7b1-6efd-488c-857d-605ff8ca9ab5", - "value": "Dust Storm (G0031) uses ZLib (S0086)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "67f82f6c-18f1-4f1e-8352-b7ecf8839ea2", - "value": "Reaver (S0172) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "863d6b6f-9e13-4925-a736-5e719a10a0b8", - "value": "Remote System Discovery Mitigation (T1018) mitigates Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "564de5da-7ecc-45c7-bbd5-619a8f316f70", - "value": "BACKSPACE (S0031) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "3565539f-7ebf-4288-8422-5212c774821b", - "value": "NETEAGLE (S0034) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "0942dc11-0fcd-480a-ae4d-d571ba96331b", - "value": "Threat Group-3390 (G0027) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "dc68cc0c-154a-4c69-a35a-b7fd843d8e98", - "value": "Misdat (S0083) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "da6aa745-9eb5-44d9-80f8-e9f542d106d2", - "value": "Zeroaccess (S0027) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "02a629d3-b970-43e8-a11b-79f35107a4c0", - "value": "Pisloader (S0124) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "94211067-148f-4196-a216-c1bb1e5cfc70", - "value": "Putter Panda (G0024) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d6e48ec5-1634-4ddd-865e-0bcb32a1fd1a", - "value": "APT34 (G0057) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21" - }, - "uuid": "a70d06e8-63dd-4cb3-83a5-f7bd8f2a8132", - "value": "Winnti Group (G0044) uses Winnti (S0141)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "c08ef8e9-9e12-4bb2-9e6a-061934f33ea0", - "value": "Komplex (S0162) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "71a8ae5e-3a78-49b5-9857-e202d636cedf", - "value": "APT32 (G0050) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "e6e324d1-b775-48bb-ac9f-02fcc2428752", - "value": "admin@338 (G0018) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "358047bf-1dd3-4fc4-bc1a-b7004bd54b8d", - "value": "OwaAuth (S0072) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d0332cfa-d932-4bc3-b661-9cd72c00b390", - "value": "SPACESHIP (S0035) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf", - "target-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb" - }, - "uuid": "b02c9017-5ec9-4be0-9aa9-b183d252c516", - "value": "SSH Hijacking Mitigation (T1184) mitigates SSH Hijacking (T1184)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "a5d7526f-2b1f-4a69-abc7-926b22bc402b", - "value": "Hi-Zor (S0087) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "58f6b7ce-c0d0-4a54-b60d-1c39d6204796", - "value": "Psylo (S0078) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "ccc38b61-c517-4186-909a-760f12ef65e8", - "value": "CORESHELL (S0137) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "79f89b33-046c-4bfa-a12d-c50fa0d84ea6", - "value": "Magic Hound (G0059) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "ba1b953d-08ce-4b4b-924e-92556cdf1d90", - "value": "APT3 (G0022) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "f55d54fe-27ed-41f9-81db-11ccbe2d2125", - "value": "CHOPSTICK (S0023) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "09c10778-19ad-441a-8a75-a3cf1288f960", - "value": "Sykipot (S0018) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "6ce3735c-bfae-4eec-ab6b-bbf08cb7d60f", - "value": "Prikormka (S0113) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "89c6bcd7-e330-4902-8296-0918923d6573", - "value": "APT18 (G0026) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "6c030461-42c5-44db-908a-85ac9a5a9822", - "value": "Cobalt Strike (S0154) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "88c50625-6d02-42fb-aa82-4315a532b754", - "value": "Magic Hound (G0059) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "b22cebe6-129a-41a2-8a9e-70c222c88af6", - "value": "OilRig (G0049) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "eb85fa2e-3c50-4130-9717-8688237fecbc", - "value": "admin@338 (G0018) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e47397b7-b3c7-4919-ac5e-1f3266ef97e3", - "value": "AutoIt backdoor (S0129) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "c3a1969b-1edb-4a78-80ab-b122cc2822e4", - "value": "Group5 (G0043) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "167e1e15-1fe1-4073-aac1-062557fdd79f", - "value": "CORESHELL (S0137) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "dcc2c503-25dc-47bb-b9cb-35ce27e73cd2", - "value": "CORESHELL (S0137) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "37dd9a3c-dd52-4541-be7c-b490d026305c", - "value": "RTM (S0148) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "1258536b-6cf4-4cfe-98c7-e9c1d30c5a34", - "value": "APT3 (G0022) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "d0d74930-6b1d-4d1d-ba7f-60b93c114fd9", - "value": "Hi-Zor (S0087) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "0c56b369-b665-4001-87ff-d27ae135cc64", - "value": "Pisloader (S0124) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "eb7a6a3f-cc88-4ed7-8421-4642c1eb1978", - "value": "BACKSPACE (S0031) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "98229d5a-fce3-442e-91cf-7ec7b7994248", - "value": "FIN6 (G0037) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "5e4ec089-c86d-4684-9783-af348d4aaa14", - "value": "Dragonfly (G0035) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "3b521f87-a77d-4c8d-8ab8-ffc6dbc3d62e", - "value": "APT18 (G0026) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "4abcf209-1dab-435b-a347-b8ff318ac5d8", - "value": "Daserf (S0187) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "fb6a8268-5a73-4ac0-8f61-439f472063d6", - "value": "Threat Group-3390 (G0027) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a06bd922-b887-4134-81cb-1e4180cf5a5a", - "value": "Molerats (G0021) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "66625422-17cd-4b04-beb5-fa2eabe350ad", - "value": "CosmicDuke (S0050) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "980e4dca-4d6b-4206-9c51-bff32c72a961", - "value": "nbtstat (S0102) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974" - }, - "uuid": "d4968f45-d06b-4843-8f72-6e08beb94cab", - "value": "Dragonfly (G0035) uses Backdoor.Oldrea (S0093)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "e362d1ad-5d36-4f6d-b2b0-63af2f5f08ff", - "value": "Stealth Falcon (G0038) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "8d0d938e-2e4c-49e8-9290-6bfb86161260", - "value": "Duqu (S0038) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "3b6fc69c-9759-465a-b09c-a6161e4e2f56", - "value": "Threat Group-3390 (G0027) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5ab3897a-4f37-4b59-99ca-f39605cb1a35", - "value": "Mivast (S0080) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "21ff06b5-022f-40bf-821b-3e08dc9f08a3", - "value": "Poseidon Group (G0033) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "863c1d57-db93-49a9-a953-eb7c2d6b2e5b", - "value": "Felismus (S0171) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2" - }, - "uuid": "a5015a35-a6a2-4289-8d79-79b583c23e63", - "value": "APT30 (G0013) uses NETEAGLE (S0034)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e2e91dcc-87b0-4ff8-a6cd-0dfd6a813483", - "value": "Sakula (S0074) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec" - }, - "uuid": "9e77b81d-6298-4233-8baa-f419031a9d64", - "value": "FIN7 (G0046) uses Mshta (T1170)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd" - }, - "uuid": "4f33536d-eb06-4eba-8765-4379e399f3b8", - "value": "Gamaredon Group (G0047) uses Pteranodon (S0147)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "979812c4-939e-4a7e-96b3-348028db10ce", - "value": "Lazarus Group (G0032) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "71ee5336-929a-41c7-bfbd-42a7208ca29d", - "value": "4H RAT (S0065) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "891a97f1-d3e2-45ff-a079-43dcad21a175", - "value": "Patchwork (G0040) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "3de749e5-353a-4bdc-8951-9e0fa387bc70", - "value": "AutoIt backdoor (S0129) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "4e167937-d152-4c57-a7b7-e3b407470720", - "value": "Net (S0039) uses Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "1a7d1db3-9383-4171-8938-382e9b0375c6", - "value": "BlackEnergy (S0089) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a45f37c0-da3f-4766-bdb2-4cc1f4bda04d", - "value": "httpclient (S0068) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", - "target-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db" - }, - "uuid": "143c0761-981a-4668-ab8a-9ba74cb58869", - "value": "Shared Webroot Mitigation (T1051) mitigates Shared Webroot (T1051)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "73fe447a-8d70-433f-be9a-5af74934a662", - "value": "WINDSHIELD (S0155) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "c0b07b4a-d421-4faa-8564-4cc89668afac", - "value": "Security Software Discovery Mitigation (T1063) mitigates Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1cbf5583-626a-4a24-bc59-f3b973752cee", - "value": "PowerDuke (S0139) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "ec6002c7-a2ca-4792-8dc4-0f0746768762", - "value": "APT34 (G0057) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e" - }, - "uuid": "216c15b0-3091-49f2-ba85-356d56265671", - "value": "Lazarus Group (G0032) uses FALLCHILL (S0181)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "4cb1a0d0-6276-4c2c-b299-c26c982e9e1e", - "value": "PlugX (S0013) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "d6c628b9-789a-416b-8abe-cd457e566346", - "value": "Crimson (S0115) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "e89d06bc-31f3-49c0-a555-360eeff7f7c6", - "value": "Net Crawler (S0056) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93" - }, - "uuid": "f5acb12e-6d83-4628-9b1d-61f277a699b2", - "value": "Komplex (S0162) uses Hidden Files and Directories (T1158)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e2e33068-b08e-45fd-89e0-0cf79868f902", - "value": "Stealth Falcon (G0038) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "64309b21-2dc2-4369-9c70-66f47f5c4b56", - "value": "ComRAT (S0126) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "cade3e14-aab4-4297-b77d-019d3ee0ccef", - "value": "Brute Force Mitigation (T1110) mitigates Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "677f32ad-2aa1-4fe3-8dab-73494891aa4a", - "value": "T9000 (S0098) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "bb11119c-c409-4615-8c3f-8491749f2d3b", - "value": "T9000 (S0098) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" - }, - "uuid": "d0560e25-020d-4cd6-b61c-5fc82a757edc", - "value": "APT28 (G0007) uses Office Application Startup (T1137)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "7ed59789-3b2d-4acf-9127-7af35234a373", - "value": "Remsec (S0125) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "67469b79-67e2-4932-9776-b09a82871723", - "value": "OilRig (G0049) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "d75ee2bd-801c-4521-8d70-f5e2d64c87f9", - "value": "admin@338 (G0018) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a76e4748-2cef-4ee6-96a3-53ee227f0333", - "value": "Unknown Logger (S0130) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5c6b3fda-2eec-4c7a-af09-5f880f260085", - "value": "Cachedump (S0119) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "cc065036-1b46-4f5c-935e-fb80bd3de7c7", - "value": "OLDBAIT (S0138) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "121b2863-5b97-4538-acb3-f8aae070ec13", - "target-uuid": "dd901512-6e37-4155-943b-453e3777b125" - }, - "uuid": "48b9ca0c-925b-4f6a-8f25-459b2489be7c", - "value": "Launch Agent Mitigation (T1159) mitigates Launch Agent (T1159)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "785abba4-fdb4-4aad-9049-5a0c748cc965", - "value": "XAgentOSX (S0161) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "df7fb8f2-e7a6-4342-8d67-09655ceefead", - "value": "StreamEx (S0142) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7b29c94f-1834-42ac-933c-ae6cd125e87a", - "value": "PinchDuke (S0048) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "76037b22-a3e4-40d3-bd56-699d1ea4e97e", - "value": "Mimikatz (S0002) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "17262c58-2f41-41d2-a86a-5bc86642ddb4", - "value": "menuPass (G0045) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "e7ac3ee3-a014-4b07-9bad-b93d3d1d0f4b", - "value": "Regin (S0019) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f4c6cb3f-b24c-4a1e-9bba-7b129b89a17a", - "value": "Agent.btz (S0092) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "4ffcf69a-c7ef-46dc-add7-9093e454a67e", - "value": "MobileOrder (S0079) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "761edf58-baad-4626-acca-a137c251b0e6", - "value": "MoonWind (S0149) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea", - "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" - }, - "uuid": "140b4bbc-68c6-474a-adae-9b2275471f13", - "value": "Office Application Startup Mitigation (T1137) mitigates Office Application Startup (T1137)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "396edbf6-41b5-4377-90b6-4967c24de7fb", - "value": "DownPaper (S0186) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "2df910df-37cc-4349-96c3-f938fa5a9054", - "value": "Deep Panda (G0009) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "7cfafeb7-2662-4b65-8dfc-93db752f5e71", - "value": "FLIPSIDE (S0173) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "cb35f782-6fb4-4a0c-b549-8af99dbc57fd", - "value": "Pass the Ticket Mitigation (T1097) mitigates Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "da987565-27b6-4b31-bbcd-74b909847116", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "c57efd0b-817e-45c2-9f11-e8e7ac11b44c", - "value": "Multiband Communication Mitigation (T1026) mitigates Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "550bf43e-53da-467e-affd-9f44ad668508", - "value": "Sys10 (S0060) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ef318b23-1b8c-4c24-ad20-09c0977a73b3", - "value": "DownPaper (S0186) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "dfcc52d8-4664-48c4-9e35-2be2cd649d93", - "value": "APT32 (G0050) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "84f40044-00a2-4015-be0d-1bb0107ef42b", - "value": "Crimson (S0115) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "717d87d5-df97-48a9-8766-c9a947541e1d", - "value": "Crimson (S0115) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ae1600d0-8271-4709-a1a6-6fb62494fa23", - "value": "Sowbug (G0054) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7296e1e2-514d-4a6c-a1fe-18558a5e3b0f", - "value": "ZLib (S0086) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "ca8ed9e2-f7a6-4d54-b450-94c187b1f9b6", - "value": "H1N1 (S0132) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", - "target-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841" - }, - "uuid": "9755e169-0dd5-4bf5-a884-d50d31f33ad9", - "value": "RTM (G0048) uses RTM (S0148)" - }, - { - "meta": { - "source-uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "03f30a17-095b-4656-a7db-87d98628dfd8", - "value": "Process Discovery Mitigation (T1057) mitigates Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "32568a57-ff9c-42f5-9b60-0b78d7b0a7c0", - "value": "ZLib (S0086) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "4a419b18-5fb2-43a0-8c0a-6521b8d9de63", - "value": "H1N1 (S0132) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "65f7704a-358a-464d-b09b-fee5dd96adf3", - "value": "Magic Hound (G0059) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "122e6f20-ab3b-4bf0-bef1-0372399bee7c", - "value": "NETEAGLE (S0034) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "b1c49faa-0b6f-4a0e-85da-5ab8ddeab2ce", - "value": "FIN6 (G0037) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "1e03e95c-1c9a-4fa8-9d6d-b5d244b06509", - "value": "RTM (S0148) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "075e7d33-8d5c-4016-9a24-dc6e61f56fcd", - "value": "ADVSTORESHELL (S0045) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "89424d69-a426-4f76-9e7f-7b2dabe459be", - "value": "POWERSOURCE (S0145) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "e97b39d6-7be1-4f59-8959-7f1f01402152", - "value": "XTunnel (S0117) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2e69a835-6443-455e-8ff0-775bb8c823f1", - "value": "GeminiDuke (S0049) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "5b2c87e3-8eac-48b3-832b-2290b367403d", - "value": "BlackEnergy (S0089) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "6a5bd9f5-f8ff-4eab-a4bc-edb2e098c47d", - "value": "APT34 (G0057) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "bcc91b8c-f104-4710-964e-1d5409666736", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "38d4c148-6fe8-4703-94e5-1b79b1cf5b8c", - "value": "Web Shell Mitigation (T1100) mitigates Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6184b127-47cf-43fc-880b-890554d9cc9a", - "value": "Rover (S0090) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "548e7315-5055-4434-96c1-1429779b0e2b", - "value": "Pisloader (S0124) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "cc13f316-0f88-4ed1-8790-b13bc35be119", - "value": "BRONZE BUTLER (G0060) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "0ef9bb79-c221-40a8-94b0-58bfc816565f", - "value": "Naikon (G0019) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "c945e5f2-5622-46ce-8b35-468d41d2af46", - "value": "RIPTIDE (S0003) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "968610c5-7fa5-4840-b9bb-2f70eecd87fa", - "value": "Duqu (S0038) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "8edb0383-cae8-43ee-9241-b25e5068cc95", - "value": "OilRig (G0049) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "e5728c4d-d404-44e8-9e28-3411942c5234", - "value": "FLASHFLOOD (S0036) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "bd74b90d-ff9f-4ce3-96af-9b809fffc3da", - "value": "Derusbi (S0021) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "46660a8a-7724-4577-b09e-551a1ce61bfc", - "value": "Duqu (S0038) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "6c303446-f8d1-424c-b1ac-8c10f82d33d7", - "value": "Cobalt Strike (S0154) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c4ce39f8-371c-45dd-a8d2-a411a6f0678d", - "value": "RIPTIDE (S0003) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "d2560c35-b2f6-47d2-b573-236ef99894d5", - "value": "Matroyshka (S0167) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3afd226c-934f-44fd-8194-9a6dee5cba59", - "value": "Lazarus Group (G0032) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8c763d80-4c50-4ebd-b2c6-3cad22c55bfa", - "value": "Ke3chang (G0004) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "b5a1cf65-c128-4d2e-bd28-54514d1a3aae", - "value": "GeminiDuke (S0049) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "943d370b-2054-44df-8be2-ab4139bde1c5", - "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" - }, - "uuid": "758b6582-b988-4ab9-911e-e40c9bbebc2d", - "value": "Authentication Package Mitigation (T1131) mitigates Authentication Package (T1131)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "c4962ae6-91e2-407d-9f42-aa0381574476", - "value": "admin@338 (G0018) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "1e1b566b-152a-4778-a03f-0ce94b72c5f2", - "value": "Dragonfly (G0035) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b13fd1c9-a42c-45fc-9db8-1cd691740e0a", - "value": "HTTPBrowser (S0070) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "c3ee174d-fd40-4636-97b2-afe80854f987", - "value": "SOUNDBITE (S0157) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039" - }, - "uuid": "c8253944-3a69-42e6-b36a-1c3defbb088e", - "value": "Dust Storm (G0031) uses Misdat (S0083)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81" - }, - "uuid": "ba64e6d1-4deb-440a-a4eb-1c3476b6fb47", - "value": "APT28 (G0007) uses CORESHELL (S0137)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "2864eb81-71a5-4325-b42a-7a725f0c6887", - "value": "MoonWind (S0149) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "a12a471b-39b2-4abf-80d0-af88d5a4f038", - "value": "Misdat (S0083) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "800825f5-6e74-43ad-a732-476fdf471225", - "value": "CloudDuke (S0054) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "210f5206-8763-48ac-a4c3-a08440892b5d", - "value": "Carbanak (S0030) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "9a615c7f-986d-4769-bea6-af9ffe0d575e", - "value": "APT3 (G0022) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7507eb37-407e-4428-b29f-da0bda3f7970", - "value": "OSInfo (S0165) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "8b880b41-5139-4807-baa9-309690218719" - }, - "uuid": "fca5a601-68fd-4b20-ad1e-0592cadecb73", - "value": "APT30 (G0013) uses SPACESHIP (S0035)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "1ace08c6-0f1a-487d-92b2-6c61c2299270", - "value": "FIN5 (G0053) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "7105ecea-8da8-4723-b717-ae9c3152cfdd", - "value": "ADVSTORESHELL (S0045) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "a0f1273a-e422-4801-a911-e7cb223ebea2", - "value": "ADVSTORESHELL (S0045) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "5206976b-ac4d-4286-a954-4b1ef5c20adc", - "value": "Shamoon (S0140) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "79cd2ec8-068c-4a7a-8133-1855381d3bd3", - "value": "APT1 (G0006) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e", - "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" - }, - "uuid": "5718d7a3-c402-4816-92fb-4322094b84f8", - "value": "Private Keys Mitigation (T1145) mitigates Private Keys (T1145)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "4ffe2425-c971-45e5-9256-0b1a2bf63bbf", - "value": "Mis-Type (S0084) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "28471736-5b62-4132-b4ed-c22ae449b455", - "value": "BRONZE BUTLER (G0060) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "c1884e62-7b2e-45a1-89fd-c76b1b717f50", - "value": "OwaAuth (S0072) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "166c430d-0272-4dca-8d30-318cda0a0a63", - "value": "CozyCar (S0046) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "47e4d006-2685-4628-a46b-f6d9066f3585", - "value": "BlackEnergy (S0089) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "a00d3582-7c2d-45dc-8580-1de25356ae70", - "value": "FakeM (S0076) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7d020981-51b3-4ff6-825f-7cd192c934e1", - "value": "PoisonIvy (S0012) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "83ba5b2c-b3fd-4558-a3f8-cef4c31e02bd", - "value": "Lazarus Group (G0032) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "28139c5b-be96-44d2-8e54-425311d108d6", - "value": "Patchwork (G0040) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "b028b9a6-4031-4b56-8dd5-0bdd3c59dbec", - "value": "APT3 (G0022) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f0cf3ea2-5345-48d7-9685-be0180eb0e4a", - "value": "RTM (S0148) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "47545d87-b0ae-45ae-aeea-dc849eac2f6f", - "value": "APT1 (G0006) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "d0ed3128-67f0-43dd-b1d9-01843eb71b77", - "value": "Turla (G0010) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e" - }, - "uuid": "7dc4c8b9-a380-4dc0-9973-a8a2f8d0175c", - "value": "APT18 (G0026) uses hcdLoader (S0071)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9c7ecbf4-88fe-4144-8dc4-f5bca2c3156d", - "value": "Helminth (S0170) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "16632790-94dc-40ce-9c0a-2f6af0f691b1", - "value": "Pteranodon (S0147) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "df8350d6-a7a7-421d-a9e8-64d7e0cc0653", - "value": "Threat Group-3390 (G0027) uses Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "b0791504-fc65-402b-bc47-bd96ed4abea1", - "value": "APT3 (G0022) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "7e216050-e850-4591-a870-7148d4544642", - "value": "APT34 (G0057) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "9ea25bfb-3e3a-42cb-8d2a-939169057806", - "value": "SHOTPUT (S0063) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "59df5f14-e570-417e-8184-e8e7c6c1ea75", - "value": "Shamoon (S0140) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "f1d5a985-406e-4b03-9f55-2706a2adba92", - "value": "Fgdump (S0120) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "1d3296a5-9a15-4bd9-a294-ee014348136c", - "value": "Unknown Logger (S0130) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "ff93eedd-e788-4541-9a9b-ccead3df0d13", - "value": "Modify Registry Mitigation (T1112) mitigates Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", - "target-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125" - }, - "uuid": "05d3fd1d-6041-4395-906a-e3104a192e1c", - "value": "Port Monitors Mitigation (T1013) mitigates Port Monitors (T1013)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1fbf92c8-747b-4c0f-ab33-ce63cbff8197", - "value": "Deep Panda (G0009) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d" - }, - "uuid": "9820c1e9-a414-4af1-a78c-aaf2cb164361", - "value": "APT30 (G0013) uses BACKSPACE (S0031)" - }, - { - "meta": { - "source-uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", - "target-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b" - }, - "uuid": "620ab17a-3e46-4083-82b0-aeff74d104cd", - "value": "AppleScript Mitigation (T1155) mitigates AppleScript (T1155)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "291df761-474b-4c5f-a9bd-2aaef0f80d70", - "value": "Unknown Logger (S0130) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "1f8f6283-6004-4204-a54f-759e9c0519b1", - "value": "PowerShell Mitigation (T1086) mitigates PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e" - }, - "uuid": "d242dc5a-3969-498c-b7eb-5d850e7d384d", - "value": "APT12 (G0005) uses RIPTIDE (S0003)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "d6fd820e-09ea-494d-a5f7-9de4431a309d", - "value": "RemoteCMD (S0166) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "7606ad11-1322-4b97-83b9-aaafaee02c07", - "value": "APT28 (G0007) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "a20b8e4c-330f-4e91-b4f6-e58e5800d690", - "value": "Pteranodon (S0147) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "371d43af-ef68-4471-9db9-f2d40d2baefc", - "value": "Network Service Scanning Mitigation (T1046) mitigates Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "397e4a59-23b1-47ef-9a57-9f401375b2cb", - "value": "Dragonfly (G0035) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": "e2e2d332-f27b-46fb-b48f-4ee1872b321f", - "value": "Carbanak (G0008) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "55120727-0b7f-4d6a-a881-d17bdc9c85ba", - "value": "Putter Panda (G0024) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "3caec960-fa9c-4b2f-80e4-6dd4471e26ba", - "value": "Prikormka (S0113) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "71ede2de-7e5f-49fa-ac07-9322ef4857ae", - "value": "HTTPBrowser (S0070) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "ee2739de-6829-4c73-b72b-91ba4b9fac5c", - "value": "DragonOK (G0017) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "83ad6071-8874-49c9-98cd-0d493a8eeb07", - "value": "Sykipot (S0018) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "0bd2ee1a-6202-4ff5-9a42-4869a276a92c", - "value": "POWRUNER (S0184) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "d8c5b193-b49d-4c0e-a9da-072302ff47a0", - "value": "FakeM (S0076) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "bdd64378-e348-4156-8490-528392c6ea82", - "value": "CallMe (S0077) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "922c214d-ad32-4490-bb3f-a4db73b718d5", - "value": "Psylo (S0078) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "66819f02-7a22-4f21-8e4f-df24969e5567", - "value": "ADVSTORESHELL (S0045) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "9b360cf4-4600-4ea8-a28c-99d91e0d1734", - "value": "Suckfly (G0039) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "233d1a32-f826-4705-a535-806edee8a5aa", - "value": "CozyCar (S0046) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1" - }, - "uuid": "b2496438-9431-40e5-8ca0-2ec713f342c3", - "value": "Sowbug (G0054) uses Felismus (S0171)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "0df8e968-716a-4de9-9669-862af62d6eb6", - "value": "SslMM (S0058) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "78e8d9e6-48b7-473f-af94-43f626de7931", - "value": "APT28 (G0007) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", - "target-uuid": "d3046a90-580c-4004-8208-66915bc29830" - }, - "uuid": "02f28dfb-4e72-47e2-a390-2ec3fa67d26d", - "value": "Clear Command History Mitigation (T1146) mitigates Clear Command History (T1146)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "cdca2bdf-a29b-45d5-90ff-17ab56b094a4", - "value": "Komplex (S0162) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "408db284-4c7a-4ad4-8399-90a8102b4bfa", - "value": "POWRUNER (S0184) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "dd901512-6e37-4155-943b-453e3777b125" - }, - "uuid": "6c879d75-7f07-44ff-9801-815a549cdc44", - "value": "Komplex (S0162) uses Launch Agent (T1159)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2" - }, - "uuid": "324a5331-cce7-4154-a803-ad68d5de1f94", - "value": "APT1 (G0006) uses GLOOXMAIL (S0026)" - }, - { - "meta": { - "source-uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "442aa7b4-00a0-4d73-ae61-5a09c319ac1c", - "value": "Custom Cryptographic Protocol Mitigation (T1024) mitigates Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "892ff1d1-3da9-489e-89c3-374ab07a417b", - "value": "Crimson (S0115) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a0186caf-482a-4f2a-bf2f-cac9fc51244a", - "value": "Crimson (S0115) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "a58983e1-45d7-4b45-a578-307659a619dc", - "value": "Helminth (S0170) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "01ab8fee-5204-40c1-ac7a-b11a5683a87d", - "value": "Misdat (S0083) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "813e4416-bee6-4192-a712-6b5f80a7fff3", - "value": "S-Type (S0085) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7ba62129-a4ba-42b4-9971-4a650682cb52", - "value": "Flame (S0143) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "df4b49f1-71ca-4744-8554-47bf36174d89", - "value": "APT3 (G0022) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "399d9038-b100-43ef-b28d-a5065106b935", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "aa80b239-dc67-4883-adfd-6a10e96c18c6", - "value": "Standard Non-Application Layer Protocol Mitigation (T1095) mitigates Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "b719d37b-8f0e-4704-b21d-8977a5c7cceb", - "value": "APT28 (G0007) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "ae8a95fa-c0ad-40b4-a573-a9441ed94fab", - "value": "USBStealer (S0136) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "2355c588-ff82-4eaf-82db-54af59ede582", - "value": "Net Crawler (S0056) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "c52eb151-c8c5-45f1-984b-d99a12ca05cf", - "value": "Derusbi (S0021) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830" - }, - "uuid": "0e0197fe-eca5-4d70-bf72-2d9092bc777b", - "value": "APT29 (G0016) uses meek (S0175)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "d8f5283b-fe44-4206-8a7d-393d216beb7e", - "value": "TinyZBot (S0004) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "b258b8da-ddd2-4f0e-b5da-83a89f018d54", - "value": "RTM (S0148) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "75f7d0e0-b1e9-4289-8895-d8a262930523", - "value": "Net (S0039) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "5183147b-4563-4a01-a360-a419691e35f8", - "value": "POWRUNER (S0184) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "0024d82d-97ea-4dc5-81a1-8738862e1f3b", - "value": "Shamoon (S0140) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "bbc31a33-f55f-43d4-a3fd-23426c5fc638", - "value": "Duqu (S0038) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "87fb2671-e71a-4630-bde2-67e546fdeaa6", - "value": "RTM (S0148) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "77ea5d03-715b-4247-8484-6c1cf2bc7984", - "value": "HALFBAKED (S0151) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "c1676218-c16a-41c9-8f7a-023779916e39", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "b6f00052-49e3-48c5-8f5e-492be4e67acf", - "value": "System Network Connections Discovery Mitigation (T1049) mitigates System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "0fa0f5d6-be0b-4a48-938c-6d9bb8b1a170", - "value": "OilRig (G0049) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "11f6ad22-0293-47bd-95d1-34bf4ee1de9e", - "value": "FIN5 (G0053) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", - "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" - }, - "uuid": "e8c25f99-67f0-4aae-aeee-55e5bcea2d8e", - "value": "Netsh Helper DLL Mitigation (T1128) mitigates Netsh Helper DLL (T1128)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "b41abaa3-a21f-4d2c-9c60-c90c4f360b00", - "value": "NETEAGLE (S0034) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "48b75b8b-5bef-4f99-baa8-5fa978d371d2", - "value": "Remsec (S0125) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "3b5d1788-c59b-4e84-97b0-b109df608619", - "value": "Net (S0039) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b94e707d-b2f8-4b68-acac-44d3777dd93f", - "value": "RedLeaves (S0153) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "42d2f816-9db2-47bf-9481-3065d038725d", - "value": "Ke3chang (G0004) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "8924eb12-0841-48ca-9d36-69de932b1f21", - "value": "Cobalt Strike (S0154) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481" - }, - "uuid": "956303a4-558c-433d-bc2f-28a7e69192ae", - "value": "Naikon (G0019) uses Sys10 (S0060)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "1088fc27-2de5-4b73-83fd-6741ab3ff4d6", - "value": "OwaAuth (S0072) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "771c349e-1b23-41ea-bcab-59bdbd6c935f", - "value": "ELMER (S0064) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ea5f9e1f-68fb-46dd-9e09-f66066808d0c", - "value": "POWRUNER (S0184) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "c569059f-8a7d-4777-a111-d3ab62d178ca", - "value": "APT28 (G0007) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "1984ba26-2309-49db-8c42-75951d0ef678", - "value": "WINDSHIELD (S0155) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "1782abeb-8d28-42a1-8abe-c137f23b282c", - "value": "ComRAT (S0126) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "17f9d6c8-f938-4532-b834-3834655911b8", - "value": "Dyre (S0024) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "eeeac3c6-78d1-4506-a9a9-2518d0c6e500", - "value": "schtasks (S0111) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ae38c68d-cc08-4460-9d98-ddf957f837e2", - "value": "CozyCar (S0046) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "b35068ec-107a-4266-bda8-eb7036267aea" - }, - "uuid": "1ab3f63b-bd80-4e4c-8f62-79f26b9724ab", - "value": "Turla (G0010) uses nbtstat (S0102)" - }, - { - "meta": { - "source-uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "fa04ac7f-206f-42ad-b0c7-499e57bc99ce", - "value": "Automated Collection Mitigation (T1119) mitigates Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "de376ec3-0fad-4c41-944d-2d74cee6968c", - "value": "Lazarus Group (G0032) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", - "target-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b" - }, - "uuid": "67bde2b2-49d1-4a61-8fe7-1a48c58089e6", - "value": "Input Prompt Mitigation (T1141) mitigates Input Prompt (T1141)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "b1371fd9-1bfd-40b2-90a2-4876d89029bf", - "value": "Wingbird (S0176) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "fb1ff794-8060-42c8-8969-b6660b07068f", - "value": "Unknown Logger (S0130) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" - }, - "uuid": "ce288414-89f3-40d4-9a85-004d8a064eb4", - "value": "APT34 (G0057) uses Helminth (S0170)" - }, - { - "meta": { - "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "6ab0ff01-1695-4301-ac9a-1cd0719be532", - "value": "Hacking Team UEFI Rootkit (S0047) uses System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3b0a7f6a-173f-41e6-8dec-2d1b4a0851d9", - "value": "Duqu (S0038) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "788ca56e-1194-4c5f-a12b-72678390f1ef", - "value": "StreamEx (S0142) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "39706d54-0d06-4a25-816a-78cc43455100", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6", - "value": "Data from Removable Media Mitigation (T1025) mitigates Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "0512a63b-58c8-4b0c-b2b4-e4da562cee5f", - "value": "Threat Group-1314 (G0028) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8dd9d97d-0eb1-4e17-94ac-5589db51f878", - "value": "Shamoon (S0140) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "85c95ce3-8685-4d2a-9d6f-7e4be4cd9623", - "value": "Gazer (S0168) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", - "target-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63" - }, - "uuid": "4aecd118-a823-4859-9245-90155a0bbe11", - "value": "Hypervisor Mitigation (T1062) mitigates Hypervisor (T1062)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "ecb0d858-dd15-4181-b15b-76459db1d294", - "value": "Hi-Zor (S0087) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e2ce90d2-7470-4f2d-a86c-f429b934ab35", - "value": "Poseidon Group (G0033) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "a5efdeb3-10db-4e40-b8cd-61dee7d72cc0", - "value": "SHOTPUT (S0063) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "eb0307d6-901d-4140-84f9-a08c6a8ea14c", - "value": "Gazer (S0168) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" - }, - "uuid": "8c8cc494-628c-4540-b5ba-862cd937f94e", - "value": "Dragonfly (G0035) uses Forced Authentication (T1187)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d20b659b-3595-4171-9beb-668ab26bf398", - "value": "BRONZE BUTLER (G0060) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "69f57458-bfb2-44a2-a8cf-0fce0e2b0a22", - "value": "APT28 (G0007) uses Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", - "target-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373" - }, - "uuid": "0a4e270a-5641-424d-a343-437ae9548125", - "value": "LC_MAIN Hijacking Mitigation (T1149) mitigates LC_MAIN Hijacking (T1149)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "74e737cf-67fb-4f80-ac4e-0ddff90b6f8e", - "value": "FIN6 (G0037) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d35f6c6f-c1ed-4b0d-b95f-9fd762eb3ac7", - "value": "Lazarus Group (G0032) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "6c9649b7-00c6-4503-a911-9e8b9086eac4", - "value": "BADNEWS (S0128) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "464ce0ed-31a5-4a99-9791-9ce5bb987f58", - "value": "PlugX (S0013) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "93f1726f-f172-4705-a13a-d5adaeb4e91b", - "value": "APT32 (G0050) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "4856de0a-2635-4081-97a8-3f15593c2aa5", - "value": "FIN7 (G0046) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "a9bc7666-f637-4093-a5bb-4edb61710e45", - "value": "Group5 (G0043) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0998045d-f96e-4284-95ce-3c8219707486" - }, - "uuid": "47214641-972c-4924-828a-3db470553dcb", - "value": "APT34 (G0057) uses SEASHARPEE (S0185)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e11d4f32-842a-4684-8974-f368e52b8632", - "value": "JHUHUGIT (S0044) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "8a48e56d-f837-4a5a-99b6-db0f60b541a0", - "value": "SeaDuke (S0053) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "51742efe-5f0c-4fbf-9eb7-5e765a0a408f", - "value": "Remsec (S0125) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "bd5699e8-8765-4f24-8307-c81a296b87e0", - "value": "Data Encrypted Mitigation (T1022) mitigates Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "1ac5bace-cdc2-4a1b-abad-d30ca0ed7f45", - "value": "APT18 (G0026) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "2816f512-1a04-4cf8-94e9-36720b949c76", - "value": "Patchwork (G0040) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b" - }, - "uuid": "013ab34f-54bf-4813-bd37-42a4eebb8d52", - "value": "admin@338 (G0018) uses BUBBLEWRAP (S0043)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f017f6c0-96f4-46f1-905f-44e9950effbc", - "value": "Derusbi (S0021) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "99e9583f-433d-437d-bf37-7ea2b3f1b613", - "value": "BRONZE BUTLER (G0060) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "44b56e08-7cd1-442c-8806-c69bb65fd231", - "value": "ROCKBOOT (S0112) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "59aabb7b-9211-4577-9c6b-ba2cf6e3704c", - "value": "XTunnel (S0117) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "8ff745b7-9985-4781-a8bc-dae6d71233d3", - "value": "File Deletion Mitigation (T1107) mitigates File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "6b429676-7b77-4453-a6ce-2d6a6cb0dfe7", - "value": "FIN5 (G0053) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "573916d8-804d-4453-be37-e6b1865e87db", - "value": "Matroyshka (S0167) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "81cfd1fd-999b-4730-b5dc-363d367dd92e", - "value": "RTM (S0148) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "f81274dc-2f5b-47f7-b91f-70a4ebdfde95", - "value": "Helminth (S0170) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "f0a42cad-9b1f-44da-a672-718f18381018", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "37781434-3f1e-4f45-af34-b2378647c13a", - "value": "Taint Shared Content Mitigation (T1080) mitigates Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14" - }, - "uuid": "8d6cf235-4a33-4866-9b73-a7119293e5db", - "value": "APT29 (G0016) uses SeaDuke (S0053)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "9b43f780-6a8b-477f-826f-c45e867749c9", - "value": "FIN5 (G0053) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "a66aff09-0635-44a3-b591-a530a25c9012", - "value": "PsExec (S0029) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "efbe5efa-6863-4334-90e5-d7caab9806a6", - "value": "Stealth Falcon (G0038) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad" - }, - "uuid": "71416f0d-b037-48b2-a14d-acb1a5f3a4a4", - "value": "PittyTiger (G0011) uses Lurid (S0010)" - }, - { - "meta": { - "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b8e6bb17-9652-464d-8e5d-bd21e1f69a2e", - "value": "TEXTMATE (S0146) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2a7cd52f-46e5-4a18-bdf6-4c38edfcb97c", - "value": "Helminth (S0170) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08" - }, - "uuid": "e46836e5-8ffe-45e5-9398-bb9fbb3a4aeb", - "value": "Lazarus Group (G0032) uses Volgmer (S0180)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "1036833a-1d4c-4d9e-b716-1e52606ab684", - "value": "APT28 (G0007) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "8cbcb17a-01f4-4899-bc83-9b02fd44f861", - "value": "Deep Panda (G0009) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "a93e5f9f-5c8c-4832-93db-a6c180840a43", - "value": "External Remote Services Mitigation (T1133) mitigates External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "7276fbbe-3237-4e95-b2ad-8518327432ba", - "value": "SEASHARPEE (S0185) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1684e405-53bd-4951-a26d-e7c39887b06a", - "value": "WinMM (S0059) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "847752f4-59a2-46e9-ae28-befe0142b223", - "value": "GeminiDuke (S0049) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "d361058d-a11b-470d-bed8-44bfd8e50393", - "value": "Gamaredon Group (G0047) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cd2a7854-1339-4f40-8ba1-be032dc5249e", - "value": "BlackEnergy (S0089) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "9c79076c-341f-4eb3-bed7-300723747b18", - "value": "POWERSOURCE (S0145) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a1e9769e-5172-4959-84d3-5a28796f86e1", - "value": "Mis-Type (S0084) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "f4e53b40-abcf-4157-9e53-4ab9632619f1", - "value": "CORESHELL (S0137) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "d15cda3e-7ed6-4914-a0a8-ff1f4fe668ec", - "value": "BADNEWS (S0128) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "283bdd5f-f356-43a2-864c-6f8211073d45", - "value": "Starloader (S0188) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "7f695d14-17e1-46c6-92eb-7c2f57fc6553", - "value": "Lazarus Group (G0032) uses Input Capture (T1056)" - } - ], - "version": 3 -} diff --git a/clusters/mitre-mobile-attack-relationship.json b/clusters/mitre-mobile-attack-relationship.json deleted file mode 100644 index db9449a..0000000 --- a/clusters/mitre-mobile-attack-relationship.json +++ /dev/null @@ -1,1973 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Mobile Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-mobile-attack-relationship", - "uuid": "02f1fc42-1708-11e8-a4f2-eb70472c5901", - "values": [ - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" - }, - "uuid": "6eca2456-fdcf-42e9-bcbb-a4c51ce54139", - "value": "Security Updates (MOB-M1001) mitigates Lockscreen Bypass (MOB-T1064)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "69bb264a-3f44-4132-9248-dd80a9f5efa2", - "value": "Charger (MOB-S0039) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" - }, - "uuid": "ca7c3278-1d12-4e55-b320-39efa5a285db", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit Baseband Vulnerability (MOB-T1058)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "0008005f-ca51-47c3-8369-55ee5de1c65a", - "value": "SpyNote RAT (MOB-S0021) uses App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", - "value": "Adups (MOB-S0025) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "4088b31b-d542-4935-84b4-82b592159591", - "value": "RCSAndroid (MOB-S0011) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "da4296d7-5fdb-45b6-9791-b023d634c08d", - "value": "RCSAndroid (MOB-S0011) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34" - }, - "uuid": "690111d3-c281-4d55-a7ed-73b8dab72a85", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Downgrade to Insecure Protocols (MOB-T1069)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9" - }, - "uuid": "a834341f-d909-41e3-adaf-5f3450e4090e", - "value": "Application Vetting (MOB-M1005) mitigates Fake Developer Accounts (MOB-T1045)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "c65661a6-6047-4901-ac2c-3ca4b1bbbb28", - "value": "DroidJack RAT (MOB-S0036) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "9e83607e-2936-4f25-b6d2-c357846840f3", - "value": "Application Vetting (MOB-M1005) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" - }, - "uuid": "ebdb9385-6311-4532-b021-2da48734aab7", - "value": "Use Recent OS Version (MOB-M1006) mitigates Modify cached executable code (MOB-T1006)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69" - }, - "uuid": "f947d845-4d70-41f3-ae3c-18ea8b44e667", - "value": "HummingBad (MOB-S0038) uses Manipulate App Store Rankings or Ratings (MOB-T1055)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb" - }, - "uuid": "de1b1f92-c060-4d8c-81bf-465b7fb21be4", - "value": "Application Vetting (MOB-M1005) mitigates Local Network Connections Discovery (MOB-T1024)" - }, - { - "meta": { - "source-uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "be2895e2-7e1d-4467-8b6a-ac06b17ce0bb", - "value": "Use Device-Provided Credential Storage (MOB-M1008) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "e829ee51-1caf-4665-ba15-7f8979634124", - "target-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5" - }, - "uuid": "6f8b3839-ea91-44d5-ba68-b9d1e6076c19", - "value": "Interconnection Filtering (MOB-M1014) mitigates Exploit SS7 to Track Device Location (MOB-T1053)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "69d6f3fc-17ea-4a32-b4dd-a006c75362d6", - "value": "Application Vetting (MOB-M1005) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "b104c62f-771c-46c5-afc4-a964a94cea50", - "value": "User Guidance (MOB-M1011) mitigates App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "50986206-ad56-4dea-baed-846545fb2f5a", - "value": "Application Vetting (MOB-M1005) mitigates Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "ac523dfb-36be-4402-acf2-abe98e183eef", - "value": "HummingBad (MOB-S0038) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "fab8c40d-b934-4ee0-8e83-f017af2e347a", - "value": "Application Developer Guidance (MOB-M1013) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", - "value": "ZergHelper (MOB-S0003) uses Download New Code at Runtime (MOB-T1010)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" - }, - "uuid": "8e4b2305-1280-4456-8ec7-93c66da5c674", - "value": "XcodeGhost (MOB-S0013) uses Malicious Software Development Tools (MOB-T1065)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "290a627d-172d-494d-a0cc-685f480a1034", - "value": "AndroRAT (MOB-S0008) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" - }, - "uuid": "bb3be217-08e2-4bb0-9f1a-d8e538010451", - "value": "RuMMS (MOB-S0029) uses System Information Discovery (MOB-T1029)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" - }, - "uuid": "74155759-4c76-42d3-b64f-a898f7b582f9", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Manipulate Device Communication (MOB-T1066)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "8e94da58-86b7-4a45-886e-6da58828eacd", - "value": "Application Vetting (MOB-M1005) mitigates App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "4cf9511e-da0e-4055-bc8c-56121ae120d2", - "value": "Security Updates (MOB-M1001) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468" - }, - "uuid": "62480750-2218-4ea0-b168-b9035b9ee998", - "value": "Security Updates (MOB-M1001) mitigates Modify Trusted Execution Environment (MOB-T1002)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e", - "value": "Shedun (MOB-S0010) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "9e66ec3b-cdd6-461c-bd84-e75316818e15", - "value": "X-Agent (MOB-S0030) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" - }, - "uuid": "cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30", - "value": "Enterprise Policy (MOB-M1012) mitigates Rogue Wi-Fi Access Points (MOB-T1068)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "b4180067-52b6-4109-91df-52fd9a7ed2e8", - "value": "AndroRAT (MOB-S0008) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "4d7e937d-7ea1-49cb-939c-5244815e51d7", - "value": "RuMMS (MOB-S0029) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "d792bffd-6745-4da6-a70f-2d5843ef05ca", - "value": "Adups (MOB-S0025) uses Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "ba556d98-4ff2-43a4-bb93-52f99265ff99", - "value": "Application Vetting (MOB-M1005) mitigates Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "2de76a24-ec87-4808-b0d3-b84d318ac22c", - "value": "XcodeGhost (MOB-S0013) uses Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", - "value": "Android/Chuli.A (MOB-S0020) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "85c7e956-3ce5-4495-b52e-385ae2ee4f9b", - "value": "Charger (MOB-S0039) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", - "value": "RCSAndroid (MOB-S0011) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" - }, - "uuid": "7af7d094-3a49-4e5e-99d0-385c79f95f06", - "value": "Pegasus (MOB-S0005) uses System Information Discovery (MOB-T1029)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "2065382f-45ae-4b9a-a77c-027ecd6c1735", - "value": "RCSAndroid (MOB-S0011) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067" - }, - "uuid": "69efe716-affe-419e-ac06-924d2e416695", - "value": "User Guidance (MOB-M1011) mitigates Remotely Wipe Data Without Authorization (MOB-T1072)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "16f55053-285d-411d-881c-6f8c1bdef8d7", - "value": "Application Vetting (MOB-M1005) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "eb6dbe2a-6f76-4bce-ab37-66ec67148041", - "value": "Enterprise Policy (MOB-M1012) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b", - "value": "Security Updates (MOB-M1001) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" - }, - "uuid": "83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", - "value": "Android/Chuli.A (MOB-S0020) uses Device Type Discovery (MOB-T1022)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "6f86d346-f092-4abc-80df-8558a90c426a" - }, - "uuid": "0818895a-0d6d-47cc-ad34-a09bdb76a81b", - "value": "User Guidance (MOB-M1011) mitigates Remotely Track Device Without Authorization (MOB-T1071)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "4d2d892c-9d3a-445c-b9bf-1eab45703dcc", - "value": "Use Recent OS Version (MOB-M1006) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "789cb76e-27b0-4762-a2f7-3ff32ce0762d", - "value": "PJApps (MOB-S0007) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "d87b468e-f610-4e95-8dfb-8cf029f0e891", - "value": "HummingBad (MOB-S0038) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "373f33be-9b40-44f5-bfd3-db2a9f5fa72c", - "value": "OldBoot (MOB-S0001) uses Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "2388ba94-8e49-40d0-a697-eea948e6cfb6", - "value": "Security Updates (MOB-M1001) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d" - }, - "uuid": "2bd272ca-8a14-42cd-9664-6cc6f7451e42", - "value": "User Guidance (MOB-M1011) mitigates Obtain Device Cloud Backups (MOB-T1073)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "4f2ae057-ef0b-4995-b24d-348a76a74a4f", - "value": "Pegasus (MOB-S0005) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", - "value": "Pegasus for Android (MOB-S0032) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "abd2e863-4bd3-4686-b2aa-f8a097a41c99", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" - }, - "uuid": "903660e1-3996-4ed2-9e7a-4f8c397a71eb", - "value": "Application Vetting (MOB-M1005) mitigates Malicious Third Party Keyboard App (MOB-T1020)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "b2c289bf-e981-4bcd-87dd-b6c0680557e9", - "value": "Use Recent OS Version (MOB-M1006) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" - }, - "uuid": "f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", - "value": "Pegasus for Android (MOB-S0032) uses Application Discovery (MOB-T1021)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "8e27551a-5080-4148-a584-c64348212e4f" - }, - "uuid": "465ff71b-2b1b-43b6-ab78-afb273d956d2", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Wipe Device Data (MOB-T1050)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "706c698c-aa8d-4fac-a6c1-2e047c3f965c", - "value": "BrainTest (MOB-S0009) uses Download New Code at Runtime (MOB-T1010)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "69de3f7e-faa7-4342-b755-4777a68fd89b", - "value": "DroidJack RAT (MOB-S0036) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e" - }, - "uuid": "3a446bee-007b-4b1f-849e-60e9d39c2e92", - "value": "Application Vetting (MOB-M1005) mitigates URL Scheme Hijacking (MOB-T1018)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "8d027310-93a0-4046-b7ad-d1f461f30838", - "value": "RCSAndroid (MOB-S0011) uses Download New Code at Runtime (MOB-T1010)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "09fa9342-34cb-4f0d-8cdf-df4d51d0ae12", - "value": "Use Recent OS Version (MOB-M1006) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "a01af4da-0910-4a20-805f-86b3ae1dc046", - "value": "Application Vetting (MOB-M1005) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "40581c90-e948-4e91-8530-a9bc59cce9d7", - "value": "ZergHelper (MOB-S0003) uses Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "51757971-17ac-40c3-bae7-78365579db49", - "value": "OBAD (MOB-S0002) uses Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "1218ed50-bd44-4f37-baba-1aae998b5a1f", - "value": "Xbot (MOB-S0014) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "3f973c3c-45f8-432a-9859-e8749f2e7418", - "value": "Pegasus for Android (MOB-S0032) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "bee6407a-1f05-4f91-b6e7-a8f8b58fa421", - "value": "Charger (MOB-S0039) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "a290a8ca-e650-456c-b33e-03343fe5ea4e", - "value": "Pegasus (MOB-S0005) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "1ed76ca9-0ed6-40f9-89c6-64662fdd447d", - "value": "Deploy Compromised Device Detection Method (MOB-M1010) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "e829ee51-1caf-4665-ba15-7f8979634124", - "target-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" - }, - "uuid": "26a9db86-5ecf-400a-bdd9-419448c2f776", - "value": "Interconnection Filtering (MOB-M1014) mitigates Exploit SS7 to Redirect Phone Calls/SMS (MOB-T1052)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", - "value": "Adups (MOB-S0025) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "ce6c7f21-91a5-4d63-bd03-a6b57e025afe", - "value": "Lock Bootloader (MOB-M1003) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "2f5da3a1-19da-421f-be48-cfdcd3c79be1", - "value": "Security Updates (MOB-M1001) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "f2e23cb7-7bac-4938-91ea-7dd42b41ba29", - "value": "ANDROIDOS_ANSERVER.A (MOB-S0026) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "62adb627-f647-498e-b4cc-41499361bacb" - }, - "uuid": "85328449-c231-444d-905a-2988c14d3e82", - "value": "Application Vetting (MOB-M1005) mitigates Access Calendar Entries (MOB-T1038)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "4a697724-4457-436b-97ad-9d6f445fb6b0", - "value": "Application Vetting (MOB-M1005) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", - "value": "WireLurker (MOB-S0028) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "b263e4e9-972d-4ba7-8be8-e55eb6a483c0", - "value": "HummingWhale (MOB-S0037) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "718949aa-6841-48d2-9343-f01be0aa32c1", - "value": "Enterprise Policy (MOB-M1012) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", - "value": "SpyNote RAT (MOB-S0021) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" - }, - "uuid": "024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", - "value": "Use Recent OS Version (MOB-M1006) mitigates Process Discovery (MOB-T1027)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" - }, - "uuid": "6f1cadef-283b-466b-bfa2-0cb51edf88f7", - "value": "Application Vetting (MOB-M1005) mitigates Manipulate Device Communication (MOB-T1066)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" - }, - "uuid": "176ba064-0657-4850-baa3-626bc845efd3", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious Media Content (MOB-T1060)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "68e5789c-9f60-421e-9c79-fae207a29e83", - "value": "Android/Chuli.A (MOB-S0020) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "638f3d4b-f1d4-4c61-91a0-7c125ef8437a", - "value": "Pegasus (MOB-S0005) uses Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "8aa790cc-0d42-4114-8cbe-783abc595b8b", - "value": "Security Updates (MOB-M1001) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" - }, - "uuid": "5b14149e-09f1-4d38-82bc-0ff3cff8b650", - "value": "Application Vetting (MOB-M1005) mitigates Application Discovery (MOB-T1021)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "6bb99599-aa51-4492-9c79-296a772233b4", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "f14af74f-fb6b-480f-91de-d755c89960ce", - "value": "AndroidOverlayMalware (MOB-S0012) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "8e49feb1-e401-4e63-acfa-7f8b9a8ca026", - "value": "Enterprise Policy (MOB-M1012) mitigates Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "6fce6a21-ab9b-44a5-be20-9b631109487b", - "value": "MazarBOT (MOB-S0019) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "78cc0d6d-6347-45a4-a18c-ca76150aa7a9", - "value": "BrainTest (MOB-S0009) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "b7652f27-1cf6-4310-bf6b-5fb99c4fd725", - "value": "Pegasus (MOB-S0005) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8e27551a-5080-4148-a584-c64348212e4f" - }, - "uuid": "b1f2770e-11f0-429c-9bac-9fa5bc5859b0", - "value": "Application Vetting (MOB-M1005) mitigates Wipe Device Data (MOB-T1050)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5", - "value": "Security Updates (MOB-M1001) mitigates Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "0cae6859-d7d1-483b-b473-4f32084938a9", - "value": "Pegasus for Android (MOB-S0032) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "3f3d63f0-1f03-4931-9624-10eaf4b207b4", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "94040d2e-3f60-423c-8a93-a83b61cafe7d", - "value": "Pegasus (MOB-S0005) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "8ed14c81-0b30-4bfc-8552-439aa0e920c3", - "value": "Adups (MOB-S0025) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "f0851531-e554-4658-920c-f2342632c19a", - "value": "Shedun (MOB-S0010) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "13efc415-5e17-4a16-81c2-64e74815907f", - "value": "XcodeGhost (MOB-S0013) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "a912f528-5218-4e0b-a350-7e9012cccdf3", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "64a6fb42-65ce-4160-a5c8-ac176f60a2ae", - "value": "User Guidance (MOB-M1011) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "9f737872-3503-4ef4-b575-ab6037b33a98", - "value": "KeyRaider (MOB-S0004) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "efcfe1a3-3351-4b4f-ae36-101f103b4798", - "value": "X-Agent (MOB-S0030) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", - "target-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" - }, - "uuid": "81db3270-4cb8-4982-8ff8-c28a874e8421", - "value": "DressCode (MOB-S0016) uses Exploit Enterprise Resources (MOB-T1031)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "31942635-81b1-4657-8882-50fb97fae64b", - "value": "Application Vetting (MOB-M1005) mitigates Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "49f0f7b8-7208-4650-89c2-5d6b1f166113", - "value": "Attestation (MOB-M1002) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed" - }, - "uuid": "b2b31911-5b7e-4df3-89c6-00b5b372fb4f", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Rogue Cellular Base Station (MOB-T1070)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "51186ad6-e721-49cf-9cf7-89466d5f29f4", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "f6fa0801-418e-43e5-bfae-332e909624fc", - "value": "Security Updates (MOB-M1001) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "d98a030f-c551-4fd0-9948-32e1ea01f79c", - "value": "Security Updates (MOB-M1001) mitigates Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "9d7ac1b2-3fa9-4236-b72d-5565f0c66eab", - "value": "Twitoor (MOB-S0018) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "d89c132d-7752-4c7f-9372-954a71522985", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "2cdd5474-620c-499e-8b9c-835505febc2c", - "value": "Trojan-SMS.AndroidOS.OpFake.a (MOB-S0024) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "0977107c-9dd3-4cc5-b769-7e29da9f4bb6", - "value": "System Partition Integrity (MOB-M1004) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "aa8e45c2-4276-451b-b1eb-59c396bf720a", - "value": "Gooligan (MOB-S0006) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "5f6f5913-cade-4b14-aa96-5a921b0927a7", - "value": "Application Vetting (MOB-M1005) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "fa1da6db-da32-45d2-98a8-6bbe153166da", - "value": "AndroRAT (MOB-S0008) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "ef7f8f51-6aea-4f5c-9c96-f353a14cf062", - "value": "Lock Bootloader (MOB-M1003) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "d6930d98-f8a2-4556-baa4-95275d3fa23d", - "value": "Use Recent OS Version (MOB-M1006) mitigates Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "dfc1f490-f8b9-4287-8c79-652d42f0a64a", - "value": "Use Recent OS Version (MOB-M1006) mitigates User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "3d24d88e-a0ab-42c6-8e8f-11f721082bba", - "value": "Pegasus for Android (MOB-S0032) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "a8079e6a-ef87-4e3b-9f71-cf1ea2360892", - "value": "Adups (MOB-S0025) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "5f82db63-d7c2-43c7-a056-3cf718201ced", - "value": "DroidJack RAT (MOB-S0036) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "63e67cba-4eae-4495-8897-2610103a0c41", - "value": "Pegasus (MOB-S0005) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "3c291ee5-1782-4e5b-8131-5188c7388f45", - "value": "RuMMS (MOB-S0029) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "b28c1e81-4f78-4e40-9899-2872cdbcceba", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" - }, - "uuid": "c5b80ca7-eceb-43ea-991e-10af5d9ca4bc", - "value": "Application Vetting (MOB-M1005) mitigates Encrypt Files for Ransom (MOB-T1074)" - }, - { - "meta": { - "source-uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "b596251a-73db-4e53-a04d-51be783b0241", - "value": "KeyRaider (MOB-S0004) uses Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "14143e21-51bf-4fa7-a949-d22a8271f590", - "value": "RCSAndroid (MOB-S0011) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "19df76ee-fa85-43cf-96ce-422d46f29a13", - "value": "Pegasus for Android (MOB-S0032) uses App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "0673ca70-d403-4e49-8e18-de4bf8ab700c", - "value": "Enterprise Policy (MOB-M1012) mitigates App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "0f7e7c29-43f0-4aff-ae83-dfff331915ef", - "value": "SpyNote RAT (MOB-S0021) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "bf859944-d097-45ba-ae01-2f85a00cad1f", - "value": "User Guidance (MOB-M1011) mitigates App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69" - }, - "uuid": "6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", - "value": "BrainTest (MOB-S0009) uses Manipulate App Store Rankings or Ratings (MOB-T1055)" - }, - { - "meta": { - "source-uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "3230c032-17e0-49f7-b948-c157049aafe2", - "value": "Lock Bootloader (MOB-M1003) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "9e77b80d-4981-4908-9203-c4e7cea5b5d8", - "value": "Pegasus (MOB-S0005) uses Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" - }, - "uuid": "55f12292-dc9d-4bfd-9de9-2d07cd67b044", - "value": "Use Recent OS Version (MOB-M1006) mitigates Abuse Accessibility Features (MOB-T1056)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", - "value": "Pegasus (MOB-S0005) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e2ee6825-43c2-441f-ba96-404a330a9059", - "value": "Charger (MOB-S0039) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "3c2d7ccc-5980-4012-8aab-64979bcd0ea6", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b4e055cf-f77e-4888-9610-6cd328e035c8", - "value": "Application Vetting (MOB-M1005) mitigates Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "554ec347-c8b2-43da-876b-36608dcc543d", - "value": "Use Recent OS Version (MOB-M1006) mitigates Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "a25d58af-dbb3-4025-b91d-898c6adffcb3", - "value": "Gooligan (MOB-S0006) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" - }, - "uuid": "6c0491ee-53e0-44ae-bcd0-253fc47de61e", - "value": "Application Vetting (MOB-M1005) mitigates Process Discovery (MOB-T1027)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "393e8c12-a416-4575-ba90-19cc85656796" - }, - "uuid": "b5097495-f417-46ed-88e2-02cba2371936", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Eavesdrop on Insecure Network Communication (MOB-T1042)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9", - "value": "User Guidance (MOB-M1011) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "ed06f5dc-9d02-4896-a0a3-2f457c64f125", - "value": "Dendroid (MOB-S0017) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "a4b53160-fdb8-4cab-90cc-ad12ab13a8a0", - "value": "Use Recent OS Version (MOB-M1006) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37", - "value": "YiSpecter (MOB-S0027) uses Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "910009da-65c0-4e6a-aeb2-386c643d1c0e", - "value": "DroidJack RAT (MOB-S0036) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "fb371daf-2771-488f-90ca-5e08b9a36c5c", - "value": "Android/Chuli.A (MOB-S0020) uses App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" - }, - "uuid": "37c4a0cf-0552-46fd-b067-419b15833044", - "value": "Use Recent OS Version (MOB-M1006) mitigates Lockscreen Bypass (MOB-T1064)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "29dc105c-0b1b-4645-85ef-436c096bd3e2", - "value": "RuMMS (MOB-S0029) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58" - }, - "uuid": "5b9a54cd-4925-4a2b-ad61-27d70e673093", - "value": "Application Vetting (MOB-M1005) mitigates Android Intent Hijacking (MOB-T1019)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "8ccfab20-58cf-4af6-9fb0-6bbf59258ac9", - "value": "Use Recent OS Version (MOB-M1006) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", - "target-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" - }, - "uuid": "ffc24804-42db-4be1-a418-7f5ab9de453c", - "value": "NotCompatible (MOB-S0015) uses Exploit Enterprise Resources (MOB-T1031)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "00b20e5c-5f52-4a07-bfec-e30872e793e3", - "value": "Security Updates (MOB-M1001) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "5012c647-9b58-4a4f-b64f-468c9b76a60c", - "value": "SpyNote RAT (MOB-S0021) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "e3a03a80-0e31-43ef-b802-d6f65c44896d", - "value": "RuMMS (MOB-S0029) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "450a1b75-efa5-4d7a-bcd5-d3e63723b408", - "value": "Pegasus (MOB-S0005) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" - }, - "uuid": "05c87985-4f8a-4a38-b1cd-ab01f0a628ed", - "value": "Application Vetting (MOB-M1005) mitigates Device Type Discovery (MOB-T1022)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "634e2691-341f-4e5b-83e7-e28369d88c64", - "value": "User Guidance (MOB-M1011) mitigates Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848" - }, - "uuid": "7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", - "value": "Use Recent OS Version (MOB-M1006) mitigates File and Directory Discovery (MOB-T1023)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "980c49f8-d991-4e1f-8feb-6173e3dfca1f", - "value": "AndroRAT (MOB-S0008) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "49fe6eac-73a7-4147-9121-85fb71fca4ed", - "value": "User Guidance (MOB-M1011) mitigates Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "cfa1d194-7401-46ba-bfed-5f311aeb22d3", - "value": "Android/Chuli.A (MOB-S0020) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" - }, - "uuid": "047ab474-c4ec-4675-a817-1e0a9f8dd92f", - "value": "Security Updates (MOB-M1001) mitigates Exploit Baseband Vulnerability (MOB-T1058)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", - "value": "BrainTest (MOB-S0009) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "cdb1ed75-d8a5-4088-b282-0b85588bbc8c", - "value": "Enterprise Policy (MOB-M1012) mitigates App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", - "value": "OBAD (MOB-S0002) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "3baf01c5-591b-43a0-8963-506531313e68", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "319d46b5-de41-4f23-9001-2fa75f954720", - "value": "Trojan-SMS.AndroidOS.Agent.ao (MOB-S0023) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09" - }, - "uuid": "1a62c9c7-2d3b-4ee7-87d1-d8774050c566", - "value": "Enterprise Policy (MOB-M1012) mitigates Biometric Spoofing (MOB-T1063)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "34351abd-1f58-420a-a893-ad822839815d", - "value": "Pegasus (MOB-S0005) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "fa7b38df-eedc-469b-bcec-facdd8365231", - "value": "Use Recent OS Version (MOB-M1006) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "0791f28b-d06f-4fee-9cdb-85a6fd2eed61", - "value": "WireLurker (MOB-S0028) uses Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "4caf3ad1-6ef8-42de-851d-bdc3a22977b3", - "value": "Application Vetting (MOB-M1005) mitigates Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "c83c84e8-a556-4efe-ae24-75970ee8ad4b", - "value": "Android/Chuli.A (MOB-S0020) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" - }, - "uuid": "3a9467d4-09df-4266-ba5a-d40309949e70", - "value": "Security Updates (MOB-M1001) mitigates Malicious Media Content (MOB-T1060)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "6407562a-d297-43cd-95df-aec9cf501ce2", - "value": "Application Vetting (MOB-M1005) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "0e81eb1d-cd1e-43e1-8c09-03927681ce76", - "value": "Pegasus for Android (MOB-S0032) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e183af70-44d5-4d56-9aad-753eb4c1c964", - "value": "Application Vetting (MOB-M1005) mitigates Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", - "value": "MazarBOT (MOB-S0019) uses Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "86696d32-0af7-4308-b1fe-52306b9f839a", - "value": "User Guidance (MOB-M1011) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "92333055-88ce-4db2-a589-e0e1e617d8e0", - "value": "Security Updates (MOB-M1001) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "62adb627-f647-498e-b4cc-41499361bacb" - }, - "uuid": "a7b276ac-6f07-4d1f-8d24-dc5682acf62d", - "value": "Pegasus for Android (MOB-S0032) uses Access Calendar Entries (MOB-T1038)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "eb686f55-85de-42d8-a5a1-69a78af0f1f3", - "value": "ZergHelper (MOB-S0003) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" - }, - "uuid": "7b899be0-4a9c-4e52-aeab-d8acedfe26d0", - "value": "User Guidance (MOB-M1011) mitigates Malicious Third Party Keyboard App (MOB-T1020)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "96027d55-0bdb-4f5f-a559-66c93eab3a17", - "value": "Security Updates (MOB-M1001) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "27247071-356b-4b5f-bc8f-6436a3fec095", - "value": "PJApps (MOB-S0007) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "d22dc053-24a7-4a5b-ae51-8a626569ec9b", - "value": "Application Vetting (MOB-M1005) mitigates Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "7d481598-ece7-469c-b231-619a804c25e5", - "value": "Pegasus (MOB-S0005) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "9e3921a8-a9e1-48c4-9b61-ff190c104f63", - "value": "RCSAndroid (MOB-S0011) uses Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad" - }, - "uuid": "7c966cde-22fd-4eb2-b518-3e37a8fad88b", - "value": "Android/Chuli.A (MOB-S0020) uses Commonly Used Port (MOB-T1039)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" - }, - "uuid": "dc6eb5d7-acef-4eb4-bece-4e8c90c914dc", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Exploit SS7 to Redirect Phone Calls/SMS (MOB-T1052)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "833b4c44-7370-4b27-b9b2-a058c27dcf8c", - "value": "Xbot (MOB-S0014) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" - }, - "uuid": "4df969b3-f5a0-4802-b87e-a458e3e439ed", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Rogue Wi-Fi Access Points (MOB-T1068)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "42ae42eb-ea75-457a-bf39-4ea04304dd0b", - "value": "Gooligan (MOB-S0006) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "d7ae7fb1-c363-4969-a4af-e2dd44a3c064", - "value": "Pegasus for Android (MOB-S0032) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "69718f1d-7761-41ae-b9d0-12c45f6b4ac4", - "value": "Pegasus (MOB-S0005) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6" - }, - "uuid": "15a2702e-4e49-4255-909d-bbf94abfd1d7", - "value": "Security Updates (MOB-M1001) mitigates Disguise Root/Jailbreak Indicators (MOB-T1011)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" - }, - "uuid": "077da2d7-0913-4040-b25e-2f6913ed4ea0", - "value": "Application Vetting (MOB-M1005) mitigates Abuse Accessibility Features (MOB-T1056)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "1a493cb6-452f-46ce-a7b4-267eacd5d2ff", - "value": "Security Updates (MOB-M1001) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "2bedbf86-2ef0-45bf-950d-b9d072c03bdc", - "value": "Android/Chuli.A (MOB-S0020) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "02b3c8fe-1539-4c77-b67e-07fa8a22c91e", - "value": "BrainTest (MOB-S0009) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "93a524e2-cb17-4b40-8640-a03949e89775", - "value": "Security Updates (MOB-M1001) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "4f366c8c-9c70-44ed-baa8-d433d5dbfe49", - "value": "Pegasus for Android (MOB-S0032) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "b23ec81b-8610-4bb0-a837-2c316c67fa79", - "value": "Security Updates (MOB-M1001) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" - }, - "uuid": "72d7fa07-e559-4e35-b791-64b7bf8a0aef", - "value": "Security Updates (MOB-M1001) mitigates Modify cached executable code (MOB-T1006)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" - }, - "uuid": "70f8cbed-b20d-4ff2-ad02-8d78e7d49159", - "value": "Xbot (MOB-S0014) uses Encrypt Files for Ransom (MOB-T1074)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "095f71ad-9a93-45ce-9b77-a101f6c894de", - "value": "Application Vetting (MOB-M1005) mitigates User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881" - }, - "uuid": "aaf0ae2f-07ea-479e-8419-e524e23dbaef", - "value": "User Guidance (MOB-M1011) mitigates Stolen Developer Credentials or Signing Keys (MOB-T1044)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "831e3269-da49-48ac-94dc-948008e8fd16" - }, - "uuid": "8f7c14bf-4c0f-4e54-99c2-41b511220b33", - "value": "User Guidance (MOB-M1011) mitigates Remotely Install Application (MOB-T1046)" - }, - { - "meta": { - "source-uuid": "28e39395-91e7-4f02-b694-5e079c964da9", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "54151897-cc7e-4f92-af50-bed41ea78d92", - "value": "Trojan-SMS.AndroidOS.FakeInst.a (MOB-S0022) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "18afa4ad-4fd7-47ad-acdb-3b298b640d3c", - "value": "Shedun (MOB-S0010) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "7ec08d5c-73a1-4444-bd27-892090d6b2e3", - "value": "Application Vetting (MOB-M1005) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "56660521-6db4-4e5a-a927-464f22954b7c" - }, - "uuid": "3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", - "value": "APT28 (G0007) uses X-Agent (MOB-S0030)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799" - }, - "uuid": "c2437c8b-709f-47e8-ae65-21ae48410a9e", - "value": "Application Vetting (MOB-M1005) mitigates Insecure Third-Party Libraries (MOB-T1028)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "7e4be913-d916-4a79-ac00-262a49afe070", - "value": "Charger (MOB-S0039) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "3faed885-6a3d-444f-8e57-fd8818abb1cc", - "value": "AndroidOverlayMalware (MOB-S0012) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "513c05e2-afc6-4d1b-8a8e-6d6935a8626f", - "value": "Application Vetting (MOB-M1005) mitigates Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "08e7c0ad-f2d7-472c-97de-3627ca5d2991", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "e0ebf0cd-9244-4cef-9171-128a12b87b58", - "value": "SpyNote RAT (MOB-S0021) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e84ad4b0-9f7a-48a5-89ae-33804b11eb56", - "value": "Pegasus for Android (MOB-S0032) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "aaf55dd1-33df-4f02-8025-eaae01f30b33", - "value": "AndroRAT (MOB-S0008) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" - }, - "uuid": "9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc", - "value": "Enterprise Policy (MOB-M1012) mitigates Malicious Software Development Tools (MOB-T1065)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", - "value": "MazarBOT (MOB-S0019) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "95f4db59-e0b4-4c1b-b888-1fc76b21e8c0", - "value": "User Guidance (MOB-M1011) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "4454a696-7619-40ee-971b-cbf646e4ee61", - "value": "PJApps (MOB-S0007) uses Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "bebf345c-21d5-410f-9015-90c144161e5d", - "value": "Application Vetting (MOB-M1005) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "1cca5e17-80ae-4b6e-8919-2768153aa966", - "value": "Xbot (MOB-S0014) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "b7282bf9-63f8-49ad-8ee0-f2ad523a367e", - "value": "DualToy (MOB-S0031) uses Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "aa39b402-7ecc-4057-a989-663887e540e7", - "value": "Security Updates (MOB-M1001) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "f6098dca-3a9e-4991-8d51-1310b12161b6", - "value": "Pegasus for Android (MOB-S0032) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", - "value": "SpyNote RAT (MOB-S0021) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "94a737af-9a72-48f6-a85e-d9d7fa93bfdd", - "value": "Application Vetting (MOB-M1005) mitigates Download New Code at Runtime (MOB-T1010)" - } - ], - "version": 2 -} diff --git a/clusters/mitre-pre-attack-relationship.json b/clusters/mitre-pre-attack-relationship.json deleted file mode 100644 index da91fd6..0000000 --- a/clusters/mitre-pre-attack-relationship.json +++ /dev/null @@ -1,925 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Pre Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-pre-attack-relationship", - "uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c", - "values": [ - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793" - }, - "uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a", - "value": "APT28 (G0007) uses Unconditional client-side exploitation/Injected Website/Driveby (PRE-T1149)" - }, - { - "meta": { - "source-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", - "target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33" - }, - "uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359", - "value": "Friend/Follow/Connect to targets of interest (PRE-T1141) related-to Friend/Follow/Connect to targets of interest (PRE-T1121)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3" - }, - "uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924", - "value": "APT1 (G0006) uses Build and configure delivery systems (PRE-T1124)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125", - "value": "Night Dragon (G0014) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92" - }, - "uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0", - "value": "Night Dragon (G0014) uses Remote access tool development (PRE-T1128)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92" - }, - "uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4", - "value": "APT16 (G0023) uses Assess targeting options (PRE-T1073)" - }, - { - "meta": { - "source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", - "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" - }, - "uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046" - }, - "uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c", - "value": "APT1 (G0006) uses Confirmation of launched compromise achieved (PRE-T1160)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76" - }, - "uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f", - "value": "Night Dragon (G0014) uses Identify groups/roles (PRE-T1047)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" - }, - "uuid": "614f64d8-c221-4789-b1e1-787e9326a37b", - "value": "APT17 (G0025) uses Develop social network persona digital footprint (PRE-T1119)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "84943231-1b44-4029-ae09-0dbf05440bef", - "value": "APT1 (G0006) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" - }, - "uuid": "51d03816-347c-4716-9524-da99a58f5ea6", - "value": "APT1 (G0006) uses Assess leadership areas of interest (PRE-T1001)" - }, - { - "meta": { - "source-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" - }, - "uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34", - "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1026)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd", - "value": "Cleaver (G0003) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", - "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" - }, - "uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19", - "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1055)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8", - "value": "APT16 (G0023) uses Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "286cc500-4291-45c2-99a1-e760db176402" - }, - "uuid": "0adf353d-688b-46ce-88bb-62a008675fe0", - "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party infrastructure services (PRE-T1084)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" - }, - "uuid": "e95ea206-3962-43af-aac1-042ac9928679", - "value": "Night Dragon (G0014) uses Identify gap areas (PRE-T1002)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" - }, - "uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb", - "value": "Cleaver (G0003) uses Create custom payloads (PRE-T1122)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" - }, - "uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3", - "value": "APT28 (G0007) uses Determine operational element (PRE-T1019)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "45242287-2964-4a3e-9373-159fad4d8195" - }, - "uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e", - "value": "APT28 (G0007) uses Buy domain name (PRE-T1105)" - }, - { - "meta": { - "source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", - "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" - }, - "uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133", - "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1025)" - }, - { - "meta": { - "source-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", - "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" - }, - "uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80", - "value": "Identify business relationships (PRE-T1060) related-to Identify business relationships (PRE-T1049)" - }, - { - "meta": { - "source-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", - "target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" - }, - "uuid": "9524754d-7743-47b3-8395-3cbfb633c020", - "value": "Identify business relationships (PRE-T1049) related-to Identify business relationships (PRE-T1060)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" - }, - "uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a", - "value": "Cleaver (G0003) uses Develop social network persona digital footprint (PRE-T1119)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93" - }, - "uuid": "f43faad4-a016-4da0-8de6-53103d429268", - "value": "Cleaver (G0003) uses Obfuscation or cryptography (PRE-T1090)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" - }, - "uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb", - "value": "APT1 (G0006) uses Dynamic DNS (PRE-T1088)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0" - }, - "uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c", - "value": "Cleaver (G0003) uses Conduct social engineering or HUMINT operation (PRE-T1153)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" - }, - "uuid": "9c87b627-de61-42da-a658-7bdb33358754", - "value": "APT17 (G0025) uses Obfuscate infrastructure (PRE-T1108)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" - }, - "uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5", - "value": "APT28 (G0007) uses Create custom payloads (PRE-T1122)" - }, - { - "meta": { - "source-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", - "target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe" - }, - "uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd", - "value": "Dynamic DNS (PRE-T1088) related-to Dynamic DNS (PRE-T1110)" - }, - { - "meta": { - "source-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", - "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" - }, - "uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0", - "value": "Dynamic DNS (PRE-T1110) related-to Dynamic DNS (PRE-T1088)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "545cd36e-572e-413d-82b9-db65788791f9", - "value": "APT17 (G0025) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79", - "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", - "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" - }, - "uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4", - "value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1054)" - }, - { - "meta": { - "source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" - }, - "uuid": "9c44b2ec-70b0-4f5c-800e-426477330658", - "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1023)" - }, - { - "meta": { - "source-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", - "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" - }, - "uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4", - "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1111) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1089)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca" - }, - "uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2", - "value": "APT28 (G0007) uses Identify web defensive services (PRE-T1033)" - }, - { - "meta": { - "source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", - "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" - }, - "uuid": "715a66b4-7925-40b4-868a-e47aba879f8b", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)" - }, - { - "meta": { - "source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", - "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" - }, - "uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53", - "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1054)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5", - "value": "APT1 (G0006) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - "source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", - "target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" - }, - "uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce", - "value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1043)" - }, - { - "meta": { - "source-uuid": "78e41091-d10d-4001-b202-89612892b6ff", - "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" - }, - "uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061", - "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1042)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a" - }, - "uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd", - "value": "APT28 (G0007) uses Research relevant vulnerabilities/CVEs (PRE-T1068)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "39db1df8-f786-480c-9faf-5b870de2250b", - "value": "APT1 (G0006) uses Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", - "target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" - }, - "uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0", - "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "6238613d-8683-420d-baf7-6050aa27eb9d", - "value": "APT28 (G0007) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "286cc500-4291-45c2-99a1-e760db176402", - "target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6" - }, - "uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a", - "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1084) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1106)" - }, - { - "meta": { - "source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" - }, - "uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003", - "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1042)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" - }, - "uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d", - "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1089)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab", - "value": "APT28 (G0007) uses Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9" - }, - "uuid": "7da16587-3861-4404-9043-0076e4766ac4", - "value": "APT12 (G0005) uses Choose pre-compromised persona and affiliated accounts (PRE-T1120)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84", - "value": "APT28 (G0007) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", - "target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f" - }, - "uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53", - "value": "Determine 3rd party infrastructure services (PRE-T1061) related-to Determine 3rd party infrastructure services (PRE-T1037)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "515e7665-040c-44ac-a379-44d4399d6e2b", - "value": "Cleaver (G0003) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - "source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", - "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" - }, - "uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)" - }, - { - "meta": { - "source-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd", - "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1089) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", - "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" - }, - "uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8", - "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1044)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" - }, - "uuid": "5aab758c-79d2-4219-9053-f50791d98531", - "value": "APT28 (G0007) uses Discover target logon/email address format (PRE-T1032)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" - }, - "uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399", - "value": "APT12 (G0005) uses Obfuscate infrastructure (PRE-T1086)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d", - "value": "APT28 (G0007) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f", - "value": "APT12 (G0005) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28", - "value": "APT17 (G0025) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" - }, - "uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81", - "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1056)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" - }, - "uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa", - "value": "APT28 (G0007) uses Assess leadership areas of interest (PRE-T1001)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "1895866a-4689-4527-8460-95e9cd7dd037", - "value": "APT12 (G0005) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", - "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" - }, - "uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064", - "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1026)" - }, - { - "meta": { - "source-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", - "target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59" - }, - "uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03", - "value": "Acquire or compromise 3rd party signing certificates (PRE-T1109) related-to Acquire or compromise 3rd party signing certificates (PRE-T1087)" - }, - { - "meta": { - "source-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" - }, - "uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7", - "value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1023)" - }, - { - "meta": { - "source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", - "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" - }, - "uuid": "ef32147c-d309-4867-aaba-998088290e32", - "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1044)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be", - "value": "APT16 (G0023) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a" - }, - "uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25", - "value": "APT1 (G0006) uses Procure required equipment and software (PRE-T1112)" - }, - { - "meta": { - "source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1", - "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" - }, - "uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f", - "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1055)" - }, - { - "meta": { - "source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", - "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" - }, - "uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)" - }, - { - "meta": { - "source-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", - "target-uuid": "286cc500-4291-45c2-99a1-e760db176402" - }, - "uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9", - "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1106) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1084)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1" - }, - "uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba", - "value": "APT1 (G0006) uses Targeted social media phishing (PRE-T1143)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" - }, - "uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350", - "value": "Cleaver (G0003) uses Authorized user performs requested cyber action (PRE-T1163)" - }, - { - "meta": { - "source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", - "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" - }, - "uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904" - }, - "uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa", - "value": "APT1 (G0006) uses Derive intelligence requirements (PRE-T1007)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" - }, - "uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403", - "value": "APT1 (G0006) uses Authorized user performs requested cyber action (PRE-T1163)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7", - "value": "APT16 (G0023) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" - }, - "uuid": "eca0f05c-5025-4149-9826-3715cc243180", - "value": "Cleaver (G0003) uses Determine operational element (PRE-T1019)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" - }, - "uuid": "683d4e44-f763-492c-b510-fa469a923798", - "value": "APT12 (G0005) uses Identify gap areas (PRE-T1002)" - }, - { - "meta": { - "source-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", - "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" - }, - "uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da", - "value": "Obfuscate infrastructure (PRE-T1108) related-to Obfuscate infrastructure (PRE-T1086)" - }, - { - "meta": { - "source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1", - "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" - }, - "uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d", - "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1025)" - }, - { - "meta": { - "source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae", - "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474", - "value": "Cleaver (G0003) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", - "target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983" - }, - "uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b", - "value": "Acquire or compromise 3rd party signing certificates (PRE-T1087) related-to Acquire or compromise 3rd party signing certificates (PRE-T1109)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "34ba5998-4e43-4669-9701-1877aa267354", - "value": "APT1 (G0006) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", - "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" - }, - "uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29", - "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1045)" - }, - { - "meta": { - "source-uuid": "78e41091-d10d-4001-b202-89612892b6ff", - "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" - }, - "uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd", - "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1053)" - }, - { - "meta": { - "source-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", - "target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05" - }, - "uuid": "e4501560-7850-4467-8422-2cf336429e8a", - "value": "Determine 3rd party infrastructure services (PRE-T1037) related-to Determine 3rd party infrastructure services (PRE-T1061)" - }, - { - "meta": { - "source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", - "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" - }, - "uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a", - "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1056)" - }, - { - "meta": { - "source-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", - "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" - }, - "uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751", - "value": "Obfuscate infrastructure (PRE-T1086) related-to Obfuscate infrastructure (PRE-T1108)" - }, - { - "meta": { - "source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369", - "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" - }, - "uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b", - "value": "APT1 (G0006) uses Post compromise tool development (PRE-T1130)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5", - "value": "APT16 (G0023) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "a071fc8f-6323-420b-9812-b51f12fc7956", - "value": "Night Dragon (G0014) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0" - }, - "uuid": "970531a2-4927-41a3-b2cd-09d445322f51", - "value": "APT1 (G0006) uses Create strategic plan (PRE-T1008)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4" - }, - "uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d", - "value": "Night Dragon (G0014) uses Compromise of externally facing system (PRE-T1165)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc" - }, - "uuid": "e78023e7-98de-4973-9331-843bfa28c9f7", - "value": "APT1 (G0006) uses Spear phishing messages with malicious links (PRE-T1146)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2" - }, - "uuid": "f76d74b6-c797-487c-8388-536367d1b922", - "value": "APT1 (G0006) uses Obfuscate or encrypt code (PRE-T1096)" - }, - { - "meta": { - "source-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", - "target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d" - }, - "uuid": "87239038-7693-49b3-b595-b828cc2be1ba", - "value": "Friend/Follow/Connect to targets of interest (PRE-T1121) related-to Friend/Follow/Connect to targets of interest (PRE-T1141)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528", - "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c", - "value": "APT1 (G0006) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a" - }, - "uuid": "db10491f-a854-4404-9271-600349484bc3", - "value": "APT1 (G0006) uses Domain registration hijacking (PRE-T1103)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" - }, - "uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2", - "value": "APT16 (G0023) uses Identify business relationships (PRE-T1049)" - }, - { - "meta": { - "source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", - "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" - }, - "uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)" - }, - { - "meta": { - "source-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84", - "value": "Acquire and/or use 3rd party software services (PRE-T1107) related-to Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" - }, - "uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812", - "value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1053)" - }, - { - "meta": { - "source-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", - "target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6" - }, - "uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267", - "value": "Acquire and/or use 3rd party software services (PRE-T1085) related-to Acquire and/or use 3rd party software services (PRE-T1107)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" - }, - "uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2", - "value": "APT16 (G0023) uses Discover target logon/email address format (PRE-T1032)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" - }, - "uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68", - "value": "APT12 (G0005) uses Post compromise tool development (PRE-T1130)" - }, - { - "meta": { - "source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", - "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" - }, - "uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb", - "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1045)" - } - ], - "version": 2 -} diff --git a/galaxies/mitre-enterprise-attack-relationship.json b/galaxies/mitre-enterprise-attack-relationship.json deleted file mode 100644 index 9353050..0000000 --- a/galaxies/mitre-enterprise-attack-relationship.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Enterprise Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-enterprise-attack-relationship", - "uuid": "fc404638-1707-11e8-a5cf-b78b9b562766", - "version": 4 -} diff --git a/galaxies/mitre-mobile-attack-relationship.json b/galaxies/mitre-mobile-attack-relationship.json deleted file mode 100644 index e99d84d..0000000 --- a/galaxies/mitre-mobile-attack-relationship.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Mobile Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-mobile-attack-relationship", - "uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede", - "version": 4 -} diff --git a/galaxies/mitre-pre-attack-relationship.json b/galaxies/mitre-pre-attack-relationship.json deleted file mode 100644 index 1385b72..0000000 --- a/galaxies/mitre-pre-attack-relationship.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Pre Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-pre-attack-relationship", - "uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae", - "version": 5 -}