{
  "type": "bundle",
  "id": "bundle--6fc0ebde-c34f-4dea-9152-5509ffba39d1",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.157Z",
  "modified": "2026-06-11T23:57:51.157Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--a2b7e8ad-9fb2-48b3-8e5c-e94da374ab89",
      "spec_version": "2.1",
      "created": "2023-01-27T19:55:42.542Z",
      "modified": "2026-06-11T23:57:51.157Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--de8a086b-a93c-4699-9d36-ea191cb34123",
      "start_refs": [
        "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7"
      ],
      "name": "CISA Iranian APT",
      "description": "Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "CISA",
          "description": "Cybersecurity Advisory",
          "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-320a"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--de8a086b-a93c-4699-9d36-ea191cb34123",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.157Z",
      "modified": "2026-06-11T23:57:51.157Z",
      "name": "Lauren Parker",
      "contact_information": "lparker@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Initial access gained through Log4Shell",
      "asset_refs": [
        "attack-asset--f37681b2-371c-4764-ae2f-36fdf3244460"
      ],
      "effect_refs": [
        "attack-action--0d573bcd-ee5d-4231-ab43-188ef7e809e9"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "CVE-2021-44228",
      "description": "Log4Shell vulnerability that allows attackers to execute arbitrary code loaded from LDAP servers"
    },
    {
      "type": "note",
      "id": "note--715f87ed-5429-478b-93da-f466a3695f5a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "content": "LDAP server (51.89.181.64) is used to exploit Log4Shell",
      "object_refs": [
        "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--b7ee6cab-d421-4ea9-8f97-d529c383e7fe",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "182.54.217.2",
      "infrastructure_types": [
        "command-and-control"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--f37681b2-371c-4764-ae2f-36fdf3244460",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "VMware Horizon server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--0d573bcd-ee5d-4231-ab43-188ef7e809e9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "PowerShell added an exclusion rule to Windows Defender and was executed on AD to obtain a list of machines on the domain",
      "effect_refs": [
        "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba"
      ],
      "asset_refs": [
        "attack-asset--1713a15d-fa56-404a-92eb-2c4f7089d399"
      ],
      "command_ref": "process--3f5b9295-9d49-410e-b542-54f258b52434"
    },
    {
      "type": "attack-action",
      "id": "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Exclusion rule allowlisted the entire C:\\ drive. Attackers also manually disabled Windows Defender via the GUI",
      "effect_refs": [
        "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--1713a15d-fa56-404a-92eb-2c4f7089d399",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Active Directory"
    },
    {
      "type": "directory",
      "id": "directory--02b1765f-0d2e-4991-8ba8-1053ef09de2c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "path": "c:\\drive"
    },
    {
      "type": "attack-action",
      "id": "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "mde.ps1 downloaded onto disk",
      "effect_refs": [
        "attack-action--3fbadab6-0484-4754-85af-fe99f575677e"
      ]
    },
    {
      "type": "malware",
      "id": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "mde.ps1",
      "description": "mdeploy.txt downloaded from 182.54.217.2/mdeploy.txt to C:\\users\\public\\mde.ps1",
      "malware_types": [
        "downloader"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "installs-other-components"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--9c30cd6b-b97c-4336-8f91-777437b3824c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File Deletion",
      "description": "mde.ps1 is removed from the system",
      "effect_refs": [
        "attack-action--857eaaa1-d168-417a-8446-fe6e80095490"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3fbadab6-0484-4754-85af-fe99f575677e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "mde.ps1 downloads file.zip",
      "effect_refs": [
        "attack-action--9c30cd6b-b97c-4336-8f91-777437b3824c"
      ]
    },
    {
      "type": "malware",
      "id": "malware--31658705-f1fd-4d16-a928-ecc093820ed4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "file.zip",
      "description": "mde.ps1 downloads file.zip from 182.54.217.2; the archive contained 4 files",
      "malware_types": [
        "dropper"
      ],
      "is_family": false,
      "capabilities": [
        "escalates-privileges",
        "installs-other-components"
      ]
    },
    {
      "type": "malware",
      "id": "malware--ac51c325-5c08-4c3d-b89e-c31b1a171a84",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "WinRing0x64.sys",
      "description": "XMRig Miner driver",
      "malware_types": [
        "resource-exploitation"
      ],
      "is_family": false,
      "capabilities": [
        "compromises-system-availability"
      ]
    },
    {
      "type": "malware",
      "id": "malware--d8f8e9a7-0c82-4094-a811-348661a542ac",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "wuacltservice.exe",
      "description": "XMRig Miner",
      "malware_types": [
        "resource-exploitation"
      ],
      "is_family": false,
      "capabilities": [
        "compromises-system-availability"
      ]
    },
    {
      "type": "malware",
      "id": "malware--ab4c411d-58e9-4f99-b0f7-0f67f1f43159",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "RuntimeBroker.exe",
      "description": "associated file",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "escalates-privileges",
        "installs-other-components",
        "persists-after-system-reboot"
      ]
    },
    {
      "type": "tool",
      "id": "tool--d783a8af-533c-4ecf-a097-698326a213ed",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "config.json",
      "description": "XMRig Miner configuration",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--857eaaa1-d168-417a-8446-fe6e80095490",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Local Account",
      "description": "RuntimeBroker.exe can create local user accounts",
      "effect_refs": [
        "attack-action--69978025-0b45-44ae-8a3e-1730d7d93d07"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--69978025-0b45-44ae-8a3e-1730d7d93d07",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Internet Connection Discovery",
      "description": "Malware tests for internet connectivity by pinging 8.8.8.8",
      "effect_refs": [
        "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Scheduled Task",
      "description": "exploit payload created a scheduled task that executed RuntimeBroker.exe daily as SYSTEM",
      "effect_refs": [
        "attack-action--f8daeaa9-22f9-4601-96f9-ef3426c4630b"
      ]
    },
    {
      "type": "process",
      "id": "process--3f5b9295-9d49-410e-b542-54f258b52434",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "command_line": "powershell try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc \"$BASE64 encoded payload to download next stage and execute it\""
    },
    {
      "type": "malware",
      "id": "malware--ad11d63f-b48d-4c18-b7ff-0baf8edca7e3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "RuntimeBrokerService.exe",
      "description": "scheduled task is named RuntimeBrokerService.exe, masquerading as a legitimate Windows task",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "installs-other-components",
        "persists-after-system-reboot"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f8daeaa9-22f9-4601-96f9-ef3426c4630b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "RDP used to move laterally to multiple hosts on the network",
      "effect_refs": [
        "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Default Accounts",
      "description": "Actors used built-in Windows account - DefaultAccount",
      "effect_refs": [
        "attack-action--c55d72d0-4b7b-4e86-93cf-a65a79ee24ce"
      ]
    },
    {
      "type": "user-account",
      "id": "user-account--039865eb-337f-4941-92c5-14de002c7753",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "account_type": "windows-local",
      "display_name": "DefaultAccount"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--903efce3-4a7d-4272-9c33-7868fc767876",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "value": "182.54.217.2"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--c51c9009-568d-46c6-8fac-09b4ce1e848c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "value": "182.54.217.2"
    },
    {
      "type": "user-account",
      "id": "user-account--8b025fd8-d5a5-408a-8b29-c6795ba84c37",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "display_name": "SYSTEM"
    },
    {
      "type": "attack-action",
      "id": "attack-action--c55d72d0-4b7b-4e86-93cf-a65a79ee24ce",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "actors used DefaultAccount to move laterally to a VMware VDI-KMS host",
      "asset_refs": [
        "attack-asset--b7164aca-5ac6-449f-b4da-d66f94be41b2"
      ],
      "effect_refs": [
        "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--b7164aca-5ac6-449f-b4da-d66f94be41b2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "VMware VDI-KMS host"
    },
    {
      "type": "attack-action",
      "id": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "actors downloaded around 30MB of files from transfer.sh server associated with 144.76.136.153",
      "effect_refs": [
        "attack-action--d8ba9c2f-c6a6-4950-8cb3-d2d84c97859f"
      ]
    },
    {
      "type": "tool",
      "id": "tool--5b7f7115-8d96-4f17-ab2f-b305b476f8c1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "PsExec",
      "description": "Microsoft signed tool for system administrators",
      "tool_types": [
        "remote-access"
      ]
    },
    {
      "type": "tool",
      "id": "tool--6f3d8f4c-e92c-42aa-b065-351f552fe10c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "Mimikatz",
      "description": "credential recovery/theft tool",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "malware",
      "id": "malware--5e38cef0-6735-40f6-97dd-1b549424788e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "Ngrok",
      "description": "reverse proxy tool for proxying an internal service onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok.io",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "persists-after-system-reboot"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d8ba9c2f-c6a6-4950-8cb3-d2d84c97859f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Account",
      "description": "Mimikatz was used to create a rogue domain administrator account",
      "effect_refs": [
        "attack-action--52069465-600c-487a-8185-e809ed74588b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--52069465-600c-487a-8185-e809ed74588b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "RDP used to move laterally to multiple hosts on the network",
      "effect_refs": [
        "attack-action--1d283005-09ce-49d3-8610-625a75635755"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1d283005-09ce-49d3-8610-625a75635755",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "After logging into multiple hosts on the network, attackers manually disabled Windows Defender via the GUI",
      "effect_refs": [
        "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "actors implanted Ngrok executables and configuration files on multiple hosts",
      "effect_refs": [
        "attack-action--4beb5555-7460-4636-a2e4-096a01b54186"
      ]
    },
    {
      "type": "malware",
      "id": "malware--a6988ce0-635c-47fc-9d91-a4d919e97950",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "name": "Ngrok",
      "description": "reverse proxy tool for proxying an internal service onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok.io",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "persists-after-system-reboot"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Proxy",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1090",
      "technique_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
      "description": "Ngrok was used to proxy RDP connections",
      "effect_refs": [
        "attack-action--7e2175b8-63f8-4934-82cf-394390accd82"
      ]
    },
    {
      "type": "url",
      "id": "url--5cb4ac20-de90-4aba-8467-fe57ba5af2a8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "value": "tunnel.us.ngrok[.]com"
    },
    {
      "type": "url",
      "id": "url--3e9fd4ff-625f-42e3-8285-762835bd6b50",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "value": "korgn.su.lennut[.]com"
    },
    {
      "type": "note",
      "id": "note--31244bf1-3b1c-4ba6-bb41-063352cdcfa4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "content": "attackers may have configured a custom domain or used other Ngrok tunnel domains - *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com",
      "object_refs": [
        "attack-action--4beb5555-7460-4636-a2e4-096a01b54186"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--7e2175b8-63f8-4934-82cf-394390accd82",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "actors moved laterally to the domain controller via RDP",
      "asset_refs": [
        "attack-asset--abf74a16-1d54-4a82-9384-b7eac0d9f4c4"
      ],
      "effect_refs": [
        "attack-action--2f9114f6-e715-448a-b0b7-3ccce0f95f7a"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--abf74a16-1d54-4a82-9384-b7eac0d9f4c4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Controller"
    },
    {
      "type": "attack-action",
      "id": "attack-action--45e8b0a1-83a5-41dc-8186-7d6d4c8a7c0a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote System Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1018",
      "technique_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
      "description": "Attackers used PowerShell on the AD to obtain a list of all machines attached to the domain",
      "command_ref": "process--6a0cd876-3fd3-4557-9dfc-7d004cf217ae",
      "effect_refs": [
        "attack-action--792aaa39-bd97-4206-b088-2c29e5119da6"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--2f9114f6-e715-448a-b0b7-3ccce0f95f7a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "Attackers executed PowerShell commands on the AD",
      "effect_refs": [
        "attack-action--45e8b0a1-83a5-41dc-8186-7d6d4c8a7c0a"
      ]
    },
    {
      "type": "process",
      "id": "process--6a0cd876-3fd3-4557-9dfc-7d004cf217ae",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "command_line": "Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >"
    },
    {
      "type": "attack-action",
      "id": "attack-action--792aaa39-bd97-4206-b088-2c29e5119da6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Account Manipulation",
      "tactic_id": "TA0003",
      "tactic_ref": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
      "technique_id": "T1098",
      "technique_ref": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
      "description": "Actors changed the password for the local administrator account on several hosts",
      "effect_refs": [
        "attack-action--99406b0d-2c64-4f78-a80b-f50898876197"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--99406b0d-2c64-4f78-a80b-f50898876197",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "LSASS Memory",
      "description": "Actors tried to dump the LSASS process with task manager"
    },
    {
      "type": "note",
      "id": "note--ed71e0af-94b7-40ae-a434-81b815dea5c8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "content": "dumping the LSASS process was stopped by additional AV that was installed on the systems",
      "object_refs": [
        "attack-action--99406b0d-2c64-4f78-a80b-f50898876197"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--bc45a171-7811-4bd7-adea-bbfe62b03470",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7",
      "target_ref": "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0"
    },
    {
      "type": "relationship",
      "id": "relationship--f8167289-fd89-45f5-b10b-f40478c7ba91",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7",
      "target_ref": "infrastructure--b7ee6cab-d421-4ea9-8f97-d529c383e7fe"
    },
    {
      "type": "relationship",
      "id": "relationship--719baf0f-a1c7-421c-8a47-5d5753bfcac4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba",
      "target_ref": "directory--02b1765f-0d2e-4991-8ba8-1053ef09de2c"
    },
    {
      "type": "relationship",
      "id": "relationship--e7eb84fd-2c1d-46bb-b8fb-dbe708f59f0e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83",
      "target_ref": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7"
    },
    {
      "type": "relationship",
      "id": "relationship--380345c8-112b-4bd6-bd4e-6c25f8e80ace",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--3fbadab6-0484-4754-85af-fe99f575677e",
      "target_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4"
    },
    {
      "type": "relationship",
      "id": "relationship--4289444e-0d69-4275-97e3-9eb28e400453",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4",
      "target_ref": "malware--ac51c325-5c08-4c3d-b89e-c31b1a171a84"
    },
    {
      "type": "relationship",
      "id": "relationship--2780f930-f100-4f01-80aa-9cf6abe2457a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4",
      "target_ref": "malware--d8f8e9a7-0c82-4094-a811-348661a542ac"
    },
    {
      "type": "relationship",
      "id": "relationship--3da9dc01-ac14-4ed8-8ca3-8d203f2a596f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4",
      "target_ref": "tool--d783a8af-533c-4ecf-a097-698326a213ed"
    },
    {
      "type": "relationship",
      "id": "relationship--de9cb3be-a9a3-4c26-b4ae-00c4b542050c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4",
      "target_ref": "malware--ab4c411d-58e9-4f99-b0f7-0f67f1f43159"
    },
    {
      "type": "relationship",
      "id": "relationship--be81fd11-41a3-461d-a955-a4c1fb155f0c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f",
      "target_ref": "malware--ad11d63f-b48d-4c18-b7ff-0baf8edca7e3"
    },
    {
      "type": "relationship",
      "id": "relationship--43d41374-5702-42a0-bd3d-22c6f7b6a18f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f",
      "target_ref": "user-account--8b025fd8-d5a5-408a-8b29-c6795ba84c37"
    },
    {
      "type": "relationship",
      "id": "relationship--232eba23-6602-4992-9da6-e0efccbbbd96",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7",
      "target_ref": "user-account--039865eb-337f-4941-92c5-14de002c7753"
    },
    {
      "type": "relationship",
      "id": "relationship--01c1dfc3-d376-4162-8905-bff95b514704",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "ipv4-addr--903efce3-4a7d-4272-9c33-7868fc767876",
      "target_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4"
    },
    {
      "type": "relationship",
      "id": "relationship--dcb9bf7a-a562-4f81-9630-079d512e53bc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "ipv4-addr--c51c9009-568d-46c6-8fac-09b4ce1e848c",
      "target_ref": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7"
    },
    {
      "type": "relationship",
      "id": "relationship--27820f7a-0e17-4a0a-83e9-db2812feab10",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183",
      "target_ref": "malware--5e38cef0-6735-40f6-97dd-1b549424788e"
    },
    {
      "type": "relationship",
      "id": "relationship--20b68f3f-c8c5-44a6-9f7e-098fefba58fc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183",
      "target_ref": "tool--5b7f7115-8d96-4f17-ab2f-b305b476f8c1"
    },
    {
      "type": "relationship",
      "id": "relationship--4bc92043-aa94-45ba-bd1c-f001367e285c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183",
      "target_ref": "tool--6f3d8f4c-e92c-42aa-b065-351f552fe10c"
    },
    {
      "type": "relationship",
      "id": "relationship--68bfb250-900b-4832-8dcf-70ae959dcea5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5",
      "target_ref": "malware--a6988ce0-635c-47fc-9d91-a4d919e97950"
    },
    {
      "type": "relationship",
      "id": "relationship--c032d9b4-4da5-45d7-a7a7-0b985670a263",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186",
      "target_ref": "url--5cb4ac20-de90-4aba-8467-fe57ba5af2a8"
    },
    {
      "type": "relationship",
      "id": "relationship--7b052c0d-f4c2-4198-900b-eebb8ddef025",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.158Z",
      "modified": "2026-06-11T23:57:51.158Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186",
      "target_ref": "url--3e9fd4ff-625f-42e3-8285-762835bd6b50"
    }
  ]
}