{
  "type": "bundle",
  "id": "bundle--e6585219-2537-435d-922a-151a156eee0d",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.227Z",
  "modified": "2026-06-11T23:57:51.227Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--aa469675-7fe8-4fb9-a32e-b9d729bb63ff",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--0741ad86-fa5b-4ac5-8707-5feb90013e2a",
      "start_refs": [
        "attack-action--63b4d51e-84a0-4dee-b22a-0ffaea346e33"
      ],
      "name": "Conti Ransomware",
      "description": "Based on DFIR report",
      "scope": "malware",
      "external_references": [
        {
          "source_name": "DFIR",
          "description": "Report",
          "url": "https://thedfirreport.com/2021/05/12/conti-ransomware/"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--0741ad86-fa5b-4ac5-8707-5feb90013e2a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "Alaa Nasser"
    },
    {
      "type": "attack-action",
      "id": "attack-action--63b4d51e-84a0-4dee-b22a-0ffaea346e33",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Spearphishing Attachment",
      "description": "The initial vector used by the threat actor was a zip file delivered through a phishing campaign.",
      "effect_refs": [
        "attack-action--7a811b31-03be-481a-8344-1310218b0fd3"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0cd8c60f-e89b-4cbf-ac17-2699a2c7f3b3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Rundll32",
      "description": "rundll32.exe executed IcedID malware and ran command and control over port 443 for the duration of the intrusion",
      "effect_refs": [
        "attack-action--726c3e3f-15c9-4ab8-90b9-b59bb4d1e925"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--c1c2e798-adba-4c7b-95ab-3afb8dd69c73",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Owner/User Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1033",
      "technique_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
      "description": "discovery activity with native Windows utilities such as nltest.exe, whoami.exe, and net.exe",
      "effect_refs": [
        "attack-operator--6abaa90c-ca0f-4286-b647-f2648e68a1ef"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e54e0ab2-7ce5-4313-946e-52250aead3a9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Permission Groups Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1069",
      "technique_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
      "description": "discovery activity with native Windows utilities such as nltest.exe, whoami.exe, and net.exe",
      "effect_refs": [
        "attack-operator--6abaa90c-ca0f-4286-b647-f2648e68a1ef"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5a4db315-756f-465a-b6f1-edcd1c507fd8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote System Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1018",
      "technique_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
      "description": "discovery activity with native Windows utilities such as nltest.exe, whoami.exe, and net.exe",
      "effect_refs": [
        "attack-operator--6abaa90c-ca0f-4286-b647-f2648e68a1ef"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--eb41545a-feb2-4709-a184-3b76b4f11724",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Access Token Manipulation",
      "tactic_id": "TA0004",
      "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
      "technique_id": "T1134",
      "technique_ref": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
      "description": "Attackers escalated to SYSTEM privileges via Cobalt Strike’s built-in “named pipe impersonation” (GetSystem) functionality.",
      "effect_refs": [
        "attack-action--f8a23107-18ea-4ae8-a224-392fbd8ae25d"
      ],
      "command_ref": "process--a3634015-af4d-4c6a-baa1-7b8d438b700b"
    },
    {
      "type": "attack-action",
      "id": "attack-action--f8a23107-18ea-4ae8-a224-392fbd8ae25d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "SMB/Windows Admin Shares",
      "description": "The threat actors continued by moving laterally to the domain controllers on the network using SMB to transfer and execute a Cobalt Strike Beacon",
      "asset_refs": [
        "attack-asset--da35e072-b1c8-4835-812c-bed410e4a10d"
      ],
      "effect_refs": [
        "attack-action--97fc06cc-cc3d-43a0-8b57-f7964c10bff3"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--97fc06cc-cc3d-43a0-8b57-f7964c10bff3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Network Service Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1046",
      "technique_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
      "description": "During that time, we observed port scanning activity from one of the domain controllers, to identify open ports such as SSH, SMB, MSSQL, RDP and WinRM, and attempts to enumerate what networks were present in the environment",
      "asset_refs": [
        "attack-asset--f4a90ba8-b4db-481d-8dfa-c07368d62e1a"
      ],
      "effect_refs": [
        "attack-action--809a956f-52ae-4d56-af4c-0504543dacd7"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--94ac64c0-2ced-4a0a-b756-d0e27aa5c1dd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "SMB/Windows Admin Shares",
      "description": "PsExec was used to copy and execute a Cobalt Strike Beacon DLL on most of the systems in the network, including Admin shares.",
      "effect_refs": [
        "attack-action--834638ac-9ed6-4b87-bc7f-a9bb36124e2f"
      ],
      "asset_refs": [
        "attack-asset--98664a49-6df3-4b14-aa0e-91a911151517"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--834638ac-9ed6-4b87-bc7f-a9bb36124e2f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "An RDP connection was made from the victim host to the domain controller and other systems throughout the environment. This RDP activity was being proxied through the IcedID process running on that host, to a remote proxy over port 8080.",
      "effect_refs": [
        "attack-action--3dde05e7-c85d-491c-9477-8f8c8f09c3a4"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3dde05e7-c85d-491c-9477-8f8c8f09c3a4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Account",
      "description": "The attackers created a new local user on one of the domain controllers and added it to the Administrators group",
      "effect_refs": [
        "attack-action--fc2f373d-3ee7-4d28-b3c7-939273123d88"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--99d68cdd-73de-4809-8055-3f0a85076a5e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Encrypted for Impact",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1486",
      "technique_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
      "description": "Attackers encrypted all systems"
    },
    {
      "type": "attack-action",
      "id": "attack-action--7a811b31-03be-481a-8344-1310218b0fd3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "JavaScript",
      "description": "A JavaScript file is located within the zip file and executed",
      "effect_refs": [
        "attack-action--8fbbfd31-5bde-4c5e-bfbd-4cd34a382694"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--8fbbfd31-5bde-4c5e-bfbd-4cd34a382694",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "The JavaScript downloaded the IcedID malware",
      "effect_refs": [
        "attack-action--0cd8c60f-e89b-4cbf-ac17-2699a2c7f3b3"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--726c3e3f-15c9-4ab8-90b9-b59bb4d1e925",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "description": "Various attributes, such as computer name and OS version, are sent via encoded cookie values",
      "effect_refs": [
        "attack-condition--e9da9ad8-37a3-4bbe-9ec7-95cfab867d96"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--6abaa90c-ca0f-4286-b647-f2648e68a1ef",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--eb41545a-feb2-4709-a184-3b76b4f11724"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--da35e072-b1c8-4835-812c-bed410e4a10d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Controllers"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--f4a90ba8-b4db-481d-8dfa-c07368d62e1a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Scanned Ports",
      "description": "ports 22, 135, 445, 1433, 1434, 3389, 4343, 5000, 5985"
    },
    {
      "type": "attack-action",
      "id": "attack-action--809a956f-52ae-4d56-af4c-0504543dacd7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "Cobalt Strike enabled RDP and allowed connections through the firewall on the domain controllers",
      "effect_refs": [
        "attack-condition--387968cd-25e3-4867-ae68-4893a32bce0f"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--e9da9ad8-37a3-4bbe-9ec7-95cfab867d96",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "IcedID malware went quiet for 2 days"
    },
    {
      "type": "attack-action",
      "id": "attack-action--fd17c242-ee9e-46e7-ae64-034a61b80260",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "A Cobalt Strike Beacon was dropped and executed",
      "effect_refs": [
        "attack-action--c1c2e798-adba-4c7b-95ab-3afb8dd69c73",
        "attack-action--5a4db315-756f-465a-b6f1-edcd1c507fd8",
        "attack-action--e54e0ab2-7ce5-4313-946e-52250aead3a9"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--387968cd-25e3-4867-ae68-4893a32bce0f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "The attackers went quiet for 15 minutes"
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--ff48a8f3-4738-43d8-a708-a7474f90da39",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "Proxy",
      "description": "Allowed connections proxied through a redirector (38.135.122.194:8080) passing through the IcedID process"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--534de596-fd76-447b-a244-7549d501e222",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Conti is executed in memory using Cobalt Strike Beacons domain-wide"
    },
    {
      "type": "attack-action",
      "id": "attack-action--fc2f373d-3ee7-4d28-b3c7-939273123d88",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Group Policy Modification",
      "description": "Group Policy was modified to disable Windows Defender",
      "effect_refs": [
        "attack-action--b1ed079a-a69f-42c4-8c6b-75b00164a775"
      ]
    },
    {
      "type": "tool",
      "id": "tool--21748dc0-729d-48ad-ade0-34af41c962c4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "dsquery",
      "description": "Used to enumerate what networks were present in the environment"
    },
    {
      "type": "malware",
      "id": "malware--df317a47-9716-4fb4-9436-b7733cbfda5f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "IcedID DLL",
      "description": "banking trojan",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "tool",
      "id": "tool--1831f55d-27f6-4ed6-86b0-f58453b02d43",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "rundll32.exe",
      "tool_types": [
        "Unknown"
      ]
    },
    {
      "type": "tool",
      "id": "tool--acb7026b-0b81-40c9-b7d6-f5ee333c24fc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "nltest.exe",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "tool",
      "id": "tool--1e8a9396-74e5-4993-81ce-0d5e005031e0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "whoami.exe",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "tool",
      "id": "tool--9502bfd2-cc01-4b88-8451-4092879e9365",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "net.exe",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "process",
      "id": "process--a3634015-af4d-4c6a-baa1-7b8d438b700b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "command_line": "“named pipe impersonation”"
    },
    {
      "type": "course-of-action",
      "id": "course-of-action--c0e08841-d642-43f8-9c02-ef9535168f13",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "Firewall Configurations",
      "description": "allowed connections through the firewall on the domain controllers"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--98664a49-6df3-4b14-aa0e-91a911151517",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Admin shares"
    },
    {
      "type": "tool",
      "id": "tool--c91f15b0-bd6f-4980-8384-082dfb37a952",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "name": "Psexec",
      "tool_types": [
        "remote-access"
      ]
    },
    {
      "type": "user-account",
      "id": "user-account--023a9b4a-a76d-4af3-b769-2845daad5cb0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "account_type": "windows-domain",
      "display_name": "nuuser"
    },
    {
      "type": "attack-action",
      "id": "attack-action--b1ed079a-a69f-42c4-8c6b-75b00164a775",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "disabled Windows Defender",
      "effect_refs": [
        "attack-condition--534de596-fd76-447b-a244-7549d501e222"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--b4b057fa-43e1-4d3a-bdaf-e6a89b605f46",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0cd8c60f-e89b-4cbf-ac17-2699a2c7f3b3",
      "target_ref": "tool--1831f55d-27f6-4ed6-86b0-f58453b02d43"
    },
    {
      "type": "relationship",
      "id": "relationship--9b227c8a-7190-4d78-955a-0ffdb68e3ce5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--c1c2e798-adba-4c7b-95ab-3afb8dd69c73",
      "target_ref": "tool--1e8a9396-74e5-4993-81ce-0d5e005031e0"
    },
    {
      "type": "relationship",
      "id": "relationship--d60122a4-8706-4c8d-8e94-3a9c7068b678",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e54e0ab2-7ce5-4313-946e-52250aead3a9",
      "target_ref": "tool--acb7026b-0b81-40c9-b7d6-f5ee333c24fc"
    },
    {
      "type": "relationship",
      "id": "relationship--1c1cfe8b-6e12-49dd-9ec3-b36f6acc762c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5a4db315-756f-465a-b6f1-edcd1c507fd8",
      "target_ref": "tool--9502bfd2-cc01-4b88-8451-4092879e9365"
    },
    {
      "type": "relationship",
      "id": "relationship--618fb369-49c5-4290-83b2-b15a448eaf5a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--97fc06cc-cc3d-43a0-8b57-f7964c10bff3",
      "target_ref": "tool--21748dc0-729d-48ad-ade0-34af41c962c4"
    },
    {
      "type": "relationship",
      "id": "relationship--8fe8ca67-8442-431c-abdf-57c0690e2b84",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--94ac64c0-2ced-4a0a-b756-d0e27aa5c1dd",
      "target_ref": "tool--c91f15b0-bd6f-4980-8384-082dfb37a952"
    },
    {
      "type": "relationship",
      "id": "relationship--2ea65f8b-da43-4813-a043-c3976a42ee61",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--834638ac-9ed6-4b87-bc7f-a9bb36124e2f",
      "target_ref": "infrastructure--ff48a8f3-4738-43d8-a708-a7474f90da39"
    },
    {
      "type": "relationship",
      "id": "relationship--bc2af915-69a9-4478-855e-7cf30e0ae64e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--3dde05e7-c85d-491c-9477-8f8c8f09c3a4",
      "target_ref": "user-account--023a9b4a-a76d-4af3-b769-2845daad5cb0"
    },
    {
      "type": "relationship",
      "id": "relationship--e8986195-1672-42a1-ad6e-409134896e31",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--8fbbfd31-5bde-4c5e-bfbd-4cd34a382694",
      "target_ref": "malware--df317a47-9716-4fb4-9436-b7733cbfda5f"
    },
    {
      "type": "relationship",
      "id": "relationship--8ad22e22-a1e3-4eca-bd04-7db4205e72ff",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--809a956f-52ae-4d56-af4c-0504543dacd7",
      "target_ref": "course-of-action--c0e08841-d642-43f8-9c02-ef9535168f13"
    },
    {
      "type": "relationship",
      "id": "relationship--a0e5c773-6b43-4729-bd55-c15a9650c91d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e9da9ad8-37a3-4bbe-9ec7-95cfab867d96",
      "target_ref": "attack-action--fd17c242-ee9e-46e7-ae64-034a61b80260"
    },
    {
      "type": "relationship",
      "id": "relationship--73d7d9ae-8f4b-4dac-a5db-d9de951fce5e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--387968cd-25e3-4867-ae68-4893a32bce0f",
      "target_ref": "attack-action--94ac64c0-2ced-4a0a-b756-d0e27aa5c1dd"
    },
    {
      "type": "relationship",
      "id": "relationship--039bc946-fa8d-49fb-abf9-b1528ba5d5a7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.227Z",
      "modified": "2026-06-11T23:57:51.227Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--534de596-fd76-447b-a244-7549d501e222",
      "target_ref": "attack-action--99d68cdd-73de-4809-8055-3f0a85076a5e"
    }
  ]
}