{
  "type": "bundle",
  "id": "bundle--d15e6010-cb5a-45e3-b513-bc9847b12d1b",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.342Z",
  "modified": "2026-06-11T23:57:51.342Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--b6db3de7-0af4-406a-99ed-6837ec1620b4",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--ec6a6918-015b-47ab-b474-1c8f5ed36acc",
      "start_refs": [
        "attack-action--06617ed8-35b6-42e2-9f14-99e97f57b78f"
      ],
      "name": "FIN13 Case 1",
      "description": "Attack by FIN13 against a Latin American bank",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "Mandiant",
          "description": "Blog",
          "url": "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
        },
        {
          "source_name": "Sygnia",
          "description": "Report",
          "url": "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
        },
        {
          "source_name": "Netwitness",
          "description": "Report",
          "url": "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--ec6a6918-015b-47ab-b474-1c8f5ed36acc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "name": "Mia Sanchez",
      "contact_information": "msanschez@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--06617ed8-35b6-42e2-9f14-99e97f57b78f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Vulnerability Scanning",
      "description": "The attacker scanned the perimeter of the victim looking for vulnerable webservices.",
      "effect_refs": [
        "attack-action--05411f8d-39a0-45a2-824f-230d9c9b2fd5"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1f6da219-83ad-4f6a-ba67-5b5e873abb9f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Exploited a vulnerability in the Oracle WebLogic server, and passed malicious content via POST requests to a web page called AsyncResponseServiceHttps, and executed commands",
      "effect_refs": [
        "attack-action--0b518f13-5622-4f1f-8f5c-a8a7ddb069aa"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--05411f8d-39a0-45a2-824f-230d9c9b2fd5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Active Scanning",
      "tactic_id": "TA0043",
      "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
      "technique_id": "T1595",
      "technique_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
      "description": "Scanned the targeted web server again.",
      "effect_refs": [
        "attack-condition--18044ef4-83a8-4573-ac79-0ad9a69a4223"
      ],
      "asset_refs": [
        "attack-asset--34ad99a8-0996-41d7-990a-dbeb89b00ce8"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--1a978a53-c344-4708-99b9-9b88c4191742",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "name": "IP Address",
      "description": "The attacker used IP address 185.193.126.22 to scan the perimeter network and later again to scan the target web server.",
      "infrastructure_types": [
        "Reconnaissance"
      ],
      "first_seen": "2021-03-01T00:00:00.000Z"
    },
    {
      "type": "tool",
      "id": "tool--45116e1c-100f-4a86-867a-e1de47ce6466",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "name": "Nmap",
      "tool_types": [
        "Information-gathering"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--043ad1c0-09f8-4b5d-91cd-cdee9f54c754",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "name": "IP Address",
      "description": "187.177.170.111",
      "infrastructure_types": [
        "Command-and-control"
      ],
      "first_seen": "2021-06-01T00:00:00.000Z"
    },
    {
      "type": "attack-action",
      "id": "attack-action--0b518f13-5622-4f1f-8f5c-a8a7ddb069aa",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.342Z",
      "modified": "2026-06-11T23:57:51.342Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Uploaded and accessed a webshell",
      "effect_refs": [
        "attack-action--338654f7-6429-4f19-9cab-23970b2db208"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--cdab8da6-ae5e-4137-93da-893c2c172e0b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "name": "CVE-2019-2729",
      "description": "Oracle WebLogic Server Deserialization RCE (aka object injection vulnerability) - user-controllable data is deserialized by a website, allowing an attacker to pass harmful data into an application. This vulnerability is exploitable without authentication."
    },
    {
      "type": "attack-action",
      "id": "attack-action--338654f7-6429-4f19-9cab-23970b2db208",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Network Service Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1046",
      "technique_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
      "description": "Attempted to recon the DMZ segment where the infected webserver was operating.",
      "effect_refs": [
        "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb"
      ],
      "asset_refs": [
        "attack-asset--02593d98-1411-48ce-924f-a433dc0063da"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--aac1df04-b869-4d4c-8a6a-4c8c46bf46dd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "Uploaded a zip archive of tools for various OS via the webshell onto the compromised web server",
      "effect_refs": [
        "attack-action--3ce4085a-e7a6-4863-beda-a392501e3126"
      ]
    },
    {
      "type": "tool",
      "id": "tool--fd2a795d-3027-47d5-b187-f50567280d2c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "name": "Zip File of Tools",
      "description": "The zip archive contained: BlueAgave (PowerShell HTTP Bind Shell), a Perl version of BlueAgave, PHP webshell, Java Database browser, PortHole (Java Scanner), RawCap (Java packet capture tool), SpinOff SQL Browser, Latchkey (Powersploit script to dump the lsass.exe process)",
      "tool_types": [
        "network-capture",
        "exploitation",
        "remote-access",
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3ce4085a-e7a6-4863-beda-a392501e3126",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Defense Evasion",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "description": "To avoid detection, the attacker halted activity for about a week",
      "effect_refs": [
        "attack-condition--e3caaa44-e11d-46ab-b8c4-b91a6600bae0"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--8054a193-34be-4318-89c8-7967252f0e0f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "Attacker used a common credential with the Zabbix server to move laterally.",
      "effect_refs": [
        "attack-action--f57144a5-23e3-4141-a14f-0054f1f3baa2"
      ],
      "asset_refs": [
        "attack-asset--7fab7a0b-2edc-4d28-88f8-fdb8a88d3edb"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f57144a5-23e3-4141-a14f-0054f1f3baa2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Implanted a WSO PHP webshell on the Zabbix server.",
      "effect_refs": [
        "attack-action--2d834b49-b19d-447b-bd77-03a5d0cd76ba",
        "attack-action--2f73644e-77f1-41af-9f14-0a501043c05c",
        "attack-condition--d91bbf42-1a99-4b12-89fd-8f57a0ebbbb2",
        "attack-action--42cb83aa-7377-443a-b387-49ce9c6ef2da",
        "attack-action--93abb92f-ecd8-4308-9f4e-84d84f7002c7"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1972489e-527b-42d1-946b-1712ca9d88d7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Attacker dropped a BlueAgave Perl webshell, configured on port 65510",
      "effect_refs": [
        "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--42cb83aa-7377-443a-b387-49ce9c6ef2da",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File and Directory Permissions Modification",
      "tactic_id": "TA0112",
      "tactic_ref": "x-mitre-tactic--43c49635-f2fa-44f2-92b9-0ee980bbf4ef",
      "description": "Viewed folders and modified permissions to the \"/srv/www/htdocs/gif\" folder.",
      "effect_refs": [
        "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--2f73644e-77f1-41af-9f14-0a501043c05c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Owner/User Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1033",
      "technique_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
      "description": "Enumerated the environment by  running \"whoami.\"",
      "effect_refs": [
        "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e"
      ],
      "command_ref": "process--2fd98894-7d8b-4b65-afaa-c8ddeb8dbe4f"
    },
    {
      "type": "attack-action",
      "id": "attack-action--2d834b49-b19d-447b-bd77-03a5d0cd76ba",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Credentials from Password Stores",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1555",
      "technique_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
      "description": "Viewed the \"/etc/shadow\" file on the Zabbix server.",
      "effect_refs": [
        "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--81b20953-5fba-4207-a0b9-7805ed28078f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Gained control of the Zabbix server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--8ae9cc92-e769-44d4-a4c0-00081223f860",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Active Scanning: Scanning IP Blocks",
      "description": "Attacker launched massive ping sweeps against private subnets.",
      "effect_refs": [
        "attack-condition--c23ddfc1-2cfb-41e0-901a-e33c1208977c"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--c23ddfc1-2cfb-41e0-901a-e33c1208977c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Machine responds to the ping sweep"
    },
    {
      "type": "attack-action",
      "id": "attack-action--273407ed-343c-4dce-849e-68a96326f8fb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "PortHole used to verify the first 10,000 TCP ports of any machine that responded to the ping sweep",
      "effect_refs": [
        "attack-condition--d8b37caa-b051-4229-a859-139d7ee3000e"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--d8b37caa-b051-4229-a859-139d7ee3000e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Identified Domain Controller through scan of the Backend DMZ Lan and waited 1 week to attack the AD server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--e1ce720a-a99e-4714-ae35-b9f259c515a4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "Transferred additional tools to the Zabbix from the WebLogic Server",
      "effect_refs": [
        "attack-action--bcd31619-522d-40c4-a0f0-ecff1fc40188"
      ]
    },
    {
      "type": "tool",
      "id": "tool--0caac53e-77c9-4276-a271-0b7e06588718",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "name": "Transferred Tools",
      "description": "Malicious tools found in Zabbix server: 65.txt (perl webshell), chart10.php (webshell), p.txt (Java port scanner), pr64.zip (procdump64), bi.txt (perl bind shell), s0b.j (Jar that queries db), str-isis.txt (jdbc connection/credential info), jtds-1.2.1.jar (likely jdbc deriver), and str-bio.txt (jdbc connection/credential info)",
      "tool_types": [
        "remote-access",
        "information-gathering",
        "exploitation",
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--bcd31619-522d-40c4-a0f0-ecff1fc40188",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploitation of Remote Services",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1210",
      "technique_ref": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82",
      "description": "Attacker moved laterally from the Zabbix server to the Oracle Identity Manager server (in the DMZ)",
      "asset_refs": [
        "attack-asset--2ed8001b-8b48-4b91-a302-0cef62b0aba2"
      ],
      "effect_refs": [
        "attack-action--516a162a-e8c3-437e-bcf8-f5045840a9c9"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--516a162a-e8c3-437e-bcf8-f5045840a9c9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "OS Credential Dumping",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1003",
      "technique_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
      "description": "Attacker dumped the sysadmin account related to the IAM service",
      "effect_refs": [
        "attack-action--144109da-1040-4cba-ae66-ff8a2832dd75"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--94b2422d-0950-424f-9350-a12d3d732922",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.344Z",
      "modified": "2026-06-11T23:57:51.344Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Network Sniffing",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1040",
      "technique_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
      "description": "Sniffed credentials passed by the IAM service to the DMZ servers.",
      "effect_refs": [
        "attack-action--3aa3633a-0dce-4f87-8b81-a1c810797686"
      ]
    },
    {
      "type": "tool",
      "id": "tool--f0fa3bab-b1d6-49b4-9c9f-ae8d132a54bb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "RawCap",
      "description": "The attacker installed the Java capture tool RawCap to sniff credentials.",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--28a5ad6a-c051-4d29-9ee3-9fd7637e3945",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker intercepted additional domain and local passwords."
    },
    {
      "type": "attack-action",
      "id": "attack-action--dee25372-7209-4583-ba05-890ef94a1b74",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "Moved laterally to the Backweb server",
      "asset_refs": [
        "attack-asset--e18f253a-e3aa-4f98-958e-53be3bb33ef3"
      ],
      "effect_refs": [
        "attack-condition--f5518d77-b508-4543-a606-17d6d976cc2d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--01813f00-c84d-4bd2-8276-736722e0e3f8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Kerberoasting",
      "description": "Attacker used Kerberoasting technique to collect the ticket from system memory and crack offline to obtain credentials.",
      "effect_refs": [
        "attack-action--ae89eafb-e337-431f-af43-50f8d6897d0c"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--9df29fec-776c-4950-9ddd-871cd87b9052",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "IP Address",
      "description": "The attacker used external IP addresses to access Backweb server",
      "infrastructure_types": [
        "command-and-control"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--feef2c34-c57b-481c-9f1b-358c5cfb3ccf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Decoded PowerShell payload results in a similar PowerShell HTTP Bindshell that listens on port 65512",
      "effect_refs": [
        "attack-action--0574f20a-0604-4681-9245-a53fc4491e52"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ea65ce07-b01f-448c-ad0f-1e75f48fe802",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Scanning IP Blocks",
      "description": "Scanned internal subnets looking for additional servers",
      "effect_refs": [
        "attack-condition--0e98866c-8f21-4b2c-abdb-9e6bdb0d3dbe"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--0e98866c-8f21-4b2c-abdb-9e6bdb0d3dbe",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Identified a cluster of RSA SecurID servers"
    },
    {
      "type": "attack-action",
      "id": "attack-action--9657b790-d5a8-4253-9932-b358f8d6c992",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Brute Force",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1110",
      "technique_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
      "description": "Attacker attempted to access the RSA servers by leveraging service accounts previously stolen through executing dictionary-based access attempts",
      "effect_refs": [
        "attack-condition--4f01bf9f-4880-4568-964c-5daa5a20ce1a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--14f1573e-dea1-49ff-94a0-65c662c0a9ac",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Local System",
      "tactic_id": "TA0035",
      "tactic_ref": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba",
      "description": "The attackers dumped the database containing the SecurID token serials with the corresponding end-user accounts",
      "effect_refs": [
        "attack-action--d3cb375e-3c91-48aa-b3ec-1af4e3af0ec3"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d8c00dfb-334f-44b5-9363-6c378ac48ce5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Multi-Factor Authentication Interception",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1111",
      "technique_ref": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
      "description": "Attacker harvested token serials from the database and collected daily token transactions in clear text stored inside a service account folder, where the storage procedure was scripted",
      "effect_refs": [
        "attack-condition--eba88067-cabc-41e2-a8f8-7c0bd2436b3d"
      ],
      "asset_refs": [
        "attack-asset--5a4b12bb-619d-4913-929b-b879a8b1186b",
        "attack-asset--4e6f13fe-483c-4212-8a6a-27c0ee977b75",
        "attack-asset--927a6c6f-d696-4f56-9822-1b520d18ef70"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--eba88067-cabc-41e2-a8f8-7c0bd2436b3d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker activated the token recovery procedure for bank users"
    },
    {
      "type": "attack-action",
      "id": "attack-action--97790d66-c67b-416c-8072-a3942d5c0b44",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Valid Accounts",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1078",
      "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
      "description": "Attacker logged into the bank users' accounts",
      "effect_refs": [
        "attack-action--96a46807-7785-414b-956c-0ae6a1cdb9a8"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--96a46807-7785-414b-956c-0ae6a1cdb9a8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Fraud",
      "description": "Attacker transferred money from the online banking system"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--0fb5ffcd-5a32-4143-b96a-32be81723dbf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "FIN13",
      "description": "FIN13 is a financially-motivated actor primarily focusing on Latin America with activity stretching back to early 2016. FIN13 has a history of highly localized targeting against the financial, retail, and hospitality industries.",
      "threat_actor_types": [
        "Crime-syndicate"
      ],
      "aliases": [
        "Elephant Beetle",
        "TG2003"
      ],
      "first_seen": "2016-01-01T00:00:00.000Z",
      "roles": [
        "Director"
      ],
      "goals": [
        "financially-motivated and targeting Latin American organizations in financial, retail, and hospitality industries"
      ],
      "sophistication": "Advanced",
      "resource_level": "Team",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "campaign",
      "id": "campaign--5733693b-c9aa-418e-ac09-312251d23259",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "FIN13 Case 1",
      "description": "This attack began in March 2021 and targeted a Latin American bank. After exploiting the system, the attackers committed fraud between Sept-Oct 2021, impacting hundreds of accounts and stealing a significant amount of money.",
      "first_seen": "2021-03-01T00:00:00.000Z",
      "last_seen": "2021-10-01T00:00:00.000Z",
      "objective": "stealing money for financial gain"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--34ad99a8-0996-41d7-990a-dbeb89b00ce8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Oracle Web Server",
      "description": "Exposed server running a vulnerable version of WebLogic"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--18044ef4-83a8-4573-ac79-0ad9a69a4223",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Discovered a vulnerable webserver - Oracle WebLogic"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Discovered a DMZ monitoring server, Auth server, and DMZ DNS server"
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--4a29334f-9c07-44bc-99cc-10445ca03601",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "web server",
      "description": "infected web server is used to stage malicious executables for the attacker",
      "infrastructure_types": [
        "hosting-malware"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--e3caaa44-e11d-46ab-b8c4-b91a6600bae0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker accessed the webshell again"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--7fab7a0b-2edc-4d28-88f8-fdb8a88d3edb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Zabbix server",
      "description": "DMZ monitoring service"
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--f9a8f240-ab61-4f10-b74c-1e83abb866f1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "Firewall Misconfiguration",
      "description": "misconfigured firewall allowed the attacker to make the webshell accessible from the Internet by publishing it on a public IP address in the victim's public IPv4 address space on port TCP/80"
    },
    {
      "type": "attack-action",
      "id": "attack-action--93abb92f-ecd8-4308-9f4e-84d84f7002c7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Clear Linux or Mac System Logs",
      "description": "Attackers viewed contents in the /var/log/apache2/ folder and removed entries of the access logs",
      "effect_refs": [
        "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--d91bbf42-1a99-4b12-89fd-8f57a0ebbbb2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker checked for file 65510 in /dev/shm"
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--7fb8210d-6eb7-4dcd-a252-5da5db1edf2e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--81b20953-5fba-4207-a0b9-7805ed28078f"
      ]
    },
    {
      "type": "tool",
      "id": "tool--ead45881-66db-4866-9fa9-f55192c86ef1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "PortHole",
      "description": "Java-based port scanner",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--c17bc217-fc16-4916-b7f6-c57e711d1ffb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "CWE-309",
      "description": "Use of Password System for Primary Authentication - the Zabbix root password was also the password for the Oracle Identity Manager server"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--2ed8001b-8b48-4b91-a302-0cef62b0aba2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Oracle Identity Manager server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--144109da-1040-4cba-ae66-ff8a2832dd75",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "SSH",
      "description": "Attacker used SSH to access the Oracle IAM server administrative UI",
      "effect_refs": [
        "attack-action--445159ff-e8fc-42e6-9c4f-6972b015da70"
      ],
      "asset_refs": [
        "attack-asset--bb5d56be-0823-4a76-999f-4b8a13cb49f4"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--445159ff-e8fc-42e6-9c4f-6972b015da70",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Local System",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1005",
      "technique_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
      "description": "Attacker dumped the IAM local database of accounts allowing them to find domain accounts",
      "effect_refs": [
        "attack-action--94b2422d-0950-424f-9350-a12d3d732922"
      ],
      "asset_refs": [
        "attack-asset--c20f8f3b-8d52-4e7b-bc22-17b8b8dda69f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3aa3633a-0dce-4f87-8b81-a1c810797686",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Indicator Removal on Host: File Deletion",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1070",
      "technique_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
      "description": "Attacker deleted RawCap output files and the RawCap tool",
      "effect_refs": [
        "attack-condition--28a5ad6a-c051-4d29-9ee3-9fd7637e3945"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--e18f253a-e3aa-4f98-958e-53be3bb33ef3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Backweb server",
      "description": "an internal web portal including domain accounts"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--f5518d77-b508-4543-a606-17d6d976cc2d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker logged on to the Backweb server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--3c484f24-0328-4750-8a71-758e69718297",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "Attacker copied pr64.zip to the Backweb server",
      "effect_refs": [
        "attack-action--01813f00-c84d-4bd2-8276-736722e0e3f8"
      ]
    },
    {
      "type": "tool",
      "id": "tool--a2cecae8-93cf-4648-a09f-b48aaa8704bf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "pr64.zip",
      "description": "renamed procdump",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ae89eafb-e337-431f-af43-50f8d6897d0c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Valid Accounts: Local Accounts",
      "technique_id": "T1078",
      "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
      "description": "Attacker accessed the Backweb server using customasp local user account",
      "effect_refs": [
        "attack-action--0fa237a6-3703-4c7c-a03d-eb9ba25c3ca0"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0fa237a6-3703-4c7c-a03d-eb9ba25c3ca0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "Attacker created a service and initialized it with an obfuscated PowerShell payload",
      "effect_refs": [
        "attack-action--feef2c34-c57b-481c-9f1b-358c5cfb3ccf"
      ]
    },
    {
      "type": "tool",
      "id": "tool--705ce69c-2ef3-43eb-8e1d-69ca35801019",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "PowerShell HTTP BindShell",
      "tool_types": [
        "remote-access"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0574f20a-0604-4681-9245-a53fc4491e52",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "Attacker left several files in \"Windows\\Temp\" directory, such as the Java scanner",
      "effect_refs": [
        "attack-action--ea65ce07-b01f-448c-ad0f-1e75f48fe802"
      ]
    },
    {
      "type": "tool",
      "id": "tool--bc72aad0-8921-4be6-a0cb-fb26698c19cc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "Java Scanner",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e5b25470-9b73-4a90-abad-efaf56a241a7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Gather Victim Network Information",
      "tactic_id": "TA0043",
      "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
      "technique_id": "T1590",
      "technique_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109",
      "description": "Attacker enumerated databases in the same network segment as the RSA servers",
      "effect_refs": [
        "attack-action--6e420205-86d5-457c-9952-0eb1d4d0c29b"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--4f01bf9f-4880-4568-964c-5daa5a20ce1a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker switched tactics to access SecurID server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--6e420205-86d5-457c-9952-0eb1d4d0c29b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Active Scanning",
      "tactic_id": "TA0043",
      "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
      "technique_id": "T1595",
      "technique_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
      "description": "Attacker scanned for MS-SQL servers",
      "effect_refs": [
        "attack-action--5f223e58-a5d8-406e-8ad9-72a80b0abc38"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5f223e58-a5d8-406e-8ad9-72a80b0abc38",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Tool Transfer",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1570",
      "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
      "description": "Attacker moved several tools to the Backweb server",
      "effect_refs": [
        "attack-condition--2541e4a4-d068-4278-a455-0afb29baf445"
      ]
    },
    {
      "type": "tool",
      "id": "tool--de7ae5b8-64a2-4e60-99a0-0eb85ca9cc4f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "Added tools",
      "description": "s0b.j, str-isis.txt, jtds-1.2.1.jar, str-bio.txt",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "tool",
      "id": "tool--1a76d629-1a37-4133-a73b-daccfa9844dc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "s0b.j",
      "description": "Accepts base64 encoded SQL queries and uses a configuration file that contains the connection string and credentials of the target database server",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--2541e4a4-d068-4278-a455-0afb29baf445",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Using s0b.j, attacker accessed multiple databases, including a database storing the SecurID token serials with corresponding end-user accounts"
    },
    {
      "type": "attack-action",
      "id": "attack-action--d3cb375e-3c91-48aa-b3ec-1af4e3af0ec3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "Attacker accessed the Backweb server again multiple times using RDP and the sqlservice and sqlinstall accounts",
      "effect_refs": [
        "attack-action--d8c00dfb-334f-44b5-9363-6c378ac48ce5"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--5a4b12bb-619d-4913-929b-b879a8b1186b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "service account folder"
    },
    {
      "type": "url",
      "id": "url--97b18b6d-7da0-4201-a12a-98dc1247e886",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "value": "AsyncResponseServiceHttps"
    },
    {
      "type": "malware",
      "id": "malware--00a06b29-7a3f-41b1-8f2c-8a6ea7d1fe7b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": ".weblog.jsp",
      "description": "a jspRAT that can manipulate files and directories and run arbitrary Windows commands",
      "malware_types": [
        "webshell",
        "remote-access-trojan",
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "probes-network-environment",
        "installs-other-components"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--02593d98-1411-48ce-924f-a433dc0063da",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "DMZ segment"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--28e50ac0-ab5f-4bac-84bf-85faa7af2e94",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Auth server"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--334e26d6-dcb4-48e5-a902-144bb13e6d8d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "monitoring server"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--2d75a947-cbdd-48f9-b890-5ea82f508e73",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "DMZ DNS server"
    },
    {
      "type": "note",
      "id": "note--428b69b9-84a6-4ccc-bfc6-574c5708a758",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "content": "The report does not specify how or when the attackers got the common credential, but I assume it was with one of the tools uploaded in the zip file.",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--8054a193-34be-4318-89c8-7967252f0e0f"
      ]
    },
    {
      "type": "malware",
      "id": "malware--5fe11f7c-ce4b-4417-ab25-16cbbc609bd6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "WSO PHP webshell",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "infects-files",
        "installs-other-components",
        "fingerprints-host",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "file",
      "id": "file--e08b6551-d0d4-446b-b71b-c295c94e8d67",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "/etc/shadow"
    },
    {
      "type": "process",
      "id": "process--2fd98894-7d8b-4b65-afaa-c8ddeb8dbe4f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "command_line": "whoami"
    },
    {
      "type": "directory",
      "id": "directory--7cf1c5f5-45aa-4aae-a9d5-bffe1309fc13",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "path": "/srv/www/htdocs/gif"
    },
    {
      "type": "directory",
      "id": "directory--b626e448-b184-43d5-b695-7a4d67f2b60f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "path": "/var/log/apache2/"
    },
    {
      "type": "file",
      "id": "file--1ce3f438-bc34-4e7a-b731-4472bb661079",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "65510"
    },
    {
      "type": "directory",
      "id": "directory--11737a10-d109-4024-8a82-79d42eb10175",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "path": "/dev/shm"
    },
    {
      "type": "malware",
      "id": "malware--491784b9-025a-4460-b2ce-b80ad6a10e07",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "65.txt",
      "description": "BlueAgave Perl webshell placed on the Zabbix Server",
      "malware_types": [
        "webshell",
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "exfiltrates-data",
        "probes-network-environment"
      ]
    },
    {
      "type": "note",
      "id": "note--5b1faf1e-d596-4e27-a805-8fc87b472517",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "content": "Several txt files were found in the unallocated address space of the Zabbix machine that were outputs from these scanning attempts",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--273407ed-343c-4dce-849e-68a96326f8fb"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--bb5d56be-0823-4a76-999f-4b8a13cb49f4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Oracle IAM server administrative UI"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--c20f8f3b-8d52-4e7b-bc22-17b8b8dda69f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "domain accounts"
    },
    {
      "type": "user-account",
      "id": "user-account--05a45e84-229e-46ca-94ba-51ef9852c257",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "account_type": "windows-local",
      "display_name": "customasp"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--e8cdf5e7-451f-4a37-a21a-d2125296a7ac",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "value": "179.6.92.161"
    },
    {
      "type": "directory",
      "id": "directory--b07abfab-73bf-4faf-b347-4ccfe1fa162c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "path": "Windows\\Temp"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--27de8418-b47e-4bb5-a6cb-1cb672409e81",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "RSA SecurID servers"
    },
    {
      "type": "file",
      "id": "file--5a85bc98-f407-4aa6-b34d-5f08a2ed1960",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "/var/log/btmp"
    },
    {
      "type": "note",
      "id": "note--24c015f4-bf09-4656-91fb-0ed679e3b21d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "content": "showed the failed SSH connection attempts, indicating dictionary-based access attempts",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "file--5a85bc98-f407-4aa6-b34d-5f08a2ed1960"
      ]
    },
    {
      "type": "file",
      "id": "file--f347ae73-c5d2-4a40-a7bc-8a8bf64f93d4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "name": "srt*.txt"
    },
    {
      "type": "user-account",
      "id": "user-account--f33d628c-e2c5-4884-96a9-15fc06555862",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "display_name": "sqlservice"
    },
    {
      "type": "user-account",
      "id": "user-account--873ae4f3-17b0-4dd7-b004-6fd50104bbca",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "display_name": "sqlinstall"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--927a6c6f-d696-4f56-9822-1b520d18ef70",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "token serials"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--4e6f13fe-483c-4212-8a6a-27c0ee977b75",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "daily token transactions"
    },
    {
      "type": "user-account",
      "id": "user-account--be58553f-e500-43bf-8742-aed3a67c6ea4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "account_type": "windows-domain",
      "display_name": "sysadmin"
    },
    {
      "type": "relationship",
      "id": "relationship--9b73b070-f09e-4c7c-87e9-2bf7c1337e0e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--06617ed8-35b6-42e2-9f14-99e97f57b78f",
      "target_ref": "infrastructure--1a978a53-c344-4708-99b9-9b88c4191742"
    },
    {
      "type": "relationship",
      "id": "relationship--1bb6bbf7-9c19-4c50-911c-87902a15c75a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1f6da219-83ad-4f6a-ba67-5b5e873abb9f",
      "target_ref": "vulnerability--cdab8da6-ae5e-4137-93da-893c2c172e0b"
    },
    {
      "type": "relationship",
      "id": "relationship--450c522d-db85-4498-9c00-3c4718cb4863",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1f6da219-83ad-4f6a-ba67-5b5e873abb9f",
      "target_ref": "infrastructure--043ad1c0-09f8-4b5d-91cd-cdee9f54c754"
    },
    {
      "type": "relationship",
      "id": "relationship--79e394bb-44f2-4a2c-af5b-128f27797376",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1f6da219-83ad-4f6a-ba67-5b5e873abb9f",
      "target_ref": "url--97b18b6d-7da0-4201-a12a-98dc1247e886"
    },
    {
      "type": "relationship",
      "id": "relationship--cfc54dd2-dbb2-4e3b-acbd-8169914cef42",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--05411f8d-39a0-45a2-824f-230d9c9b2fd5",
      "target_ref": "infrastructure--1a978a53-c344-4708-99b9-9b88c4191742"
    },
    {
      "type": "relationship",
      "id": "relationship--1c222ae3-f9ec-461b-bc3d-8dc0691ddc49",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--05411f8d-39a0-45a2-824f-230d9c9b2fd5",
      "target_ref": "tool--45116e1c-100f-4a86-867a-e1de47ce6466"
    },
    {
      "type": "relationship",
      "id": "relationship--928db1ac-62ba-462c-ba13-703babbde5d8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0b518f13-5622-4f1f-8f5c-a8a7ddb069aa",
      "target_ref": "malware--00a06b29-7a3f-41b1-8f2c-8a6ea7d1fe7b"
    },
    {
      "type": "relationship",
      "id": "relationship--bf6c8a5f-d30b-4d22-b4fa-0823579b41be",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--aac1df04-b869-4d4c-8a6a-4c8c46bf46dd",
      "target_ref": "tool--fd2a795d-3027-47d5-b187-f50567280d2c"
    },
    {
      "type": "relationship",
      "id": "relationship--73a9f21f-369c-48fa-af88-b7d256dac24b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--aac1df04-b869-4d4c-8a6a-4c8c46bf46dd",
      "target_ref": "infrastructure--4a29334f-9c07-44bc-99cc-10445ca03601"
    },
    {
      "type": "relationship",
      "id": "relationship--17bb90f3-3d4a-462e-a346-93675d7fc047",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f57144a5-23e3-4141-a14f-0054f1f3baa2",
      "target_ref": "malware--5fe11f7c-ce4b-4417-ab25-16cbbc609bd6"
    },
    {
      "type": "relationship",
      "id": "relationship--3df2aa4c-f1af-414b-bc45-be083af90c4b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f57144a5-23e3-4141-a14f-0054f1f3baa2",
      "target_ref": "vulnerability--f9a8f240-ab61-4f10-b74c-1e83abb866f1"
    },
    {
      "type": "relationship",
      "id": "relationship--bab30909-0c74-4320-9a8c-9218b7a6a5bc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1972489e-527b-42d1-946b-1712ca9d88d7",
      "target_ref": "malware--491784b9-025a-4460-b2ce-b80ad6a10e07"
    },
    {
      "type": "relationship",
      "id": "relationship--c6c72870-0cb7-4a43-a8f3-3e1a0e6b7637",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--42cb83aa-7377-443a-b387-49ce9c6ef2da",
      "target_ref": "directory--7cf1c5f5-45aa-4aae-a9d5-bffe1309fc13"
    },
    {
      "type": "relationship",
      "id": "relationship--be700464-0790-4564-832f-a7267c112651",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--2d834b49-b19d-447b-bd77-03a5d0cd76ba",
      "target_ref": "file--e08b6551-d0d4-446b-b71b-c295c94e8d67"
    },
    {
      "type": "relationship",
      "id": "relationship--d9e24415-fb7d-405b-abc5-66f1632dc8a9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--81b20953-5fba-4207-a0b9-7805ed28078f",
      "target_ref": "attack-action--8ae9cc92-e769-44d4-a4c0-00081223f860"
    },
    {
      "type": "relationship",
      "id": "relationship--85e832c5-5999-4900-91cf-17897257c53a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--c23ddfc1-2cfb-41e0-901a-e33c1208977c",
      "target_ref": "attack-action--273407ed-343c-4dce-849e-68a96326f8fb"
    },
    {
      "type": "relationship",
      "id": "relationship--ddbca8a2-1116-4a75-99e8-cb828853acdc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--273407ed-343c-4dce-849e-68a96326f8fb",
      "target_ref": "tool--ead45881-66db-4866-9fa9-f55192c86ef1"
    },
    {
      "type": "relationship",
      "id": "relationship--e8538ddf-8250-48ec-8358-8583cd962cc5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--d8b37caa-b051-4229-a859-139d7ee3000e",
      "target_ref": "attack-action--e1ce720a-a99e-4714-ae35-b9f259c515a4"
    },
    {
      "type": "relationship",
      "id": "relationship--2bb72b59-4f0a-42c6-8942-6fb74ea8ece9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e1ce720a-a99e-4714-ae35-b9f259c515a4",
      "target_ref": "tool--0caac53e-77c9-4276-a271-0b7e06588718"
    },
    {
      "type": "relationship",
      "id": "relationship--7f14d5a7-b11f-449a-b974-acdccd85e132",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--bcd31619-522d-40c4-a0f0-ecff1fc40188",
      "target_ref": "vulnerability--c17bc217-fc16-4916-b7f6-c57e711d1ffb"
    },
    {
      "type": "relationship",
      "id": "relationship--d09541cc-db8b-4978-ab46-a265bb3e6416",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--516a162a-e8c3-437e-bcf8-f5045840a9c9",
      "target_ref": "user-account--be58553f-e500-43bf-8742-aed3a67c6ea4"
    },
    {
      "type": "relationship",
      "id": "relationship--e43bb91a-5a8c-4775-939a-676e349e8773",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--94b2422d-0950-424f-9350-a12d3d732922",
      "target_ref": "tool--f0fa3bab-b1d6-49b4-9c9f-ae8d132a54bb"
    },
    {
      "type": "relationship",
      "id": "relationship--d16547bc-c292-4b67-a6c7-401f0064df67",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--28a5ad6a-c051-4d29-9ee3-9fd7637e3945",
      "target_ref": "attack-action--dee25372-7209-4583-ba05-890ef94a1b74"
    },
    {
      "type": "relationship",
      "id": "relationship--d2abe355-3bd4-44e3-9577-5ca7986ccd92",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--9df29fec-776c-4950-9ddd-871cd87b9052",
      "target_ref": "ipv4-addr--e8cdf5e7-451f-4a37-a21a-d2125296a7ac"
    },
    {
      "type": "relationship",
      "id": "relationship--b832aaa8-3db8-4093-b950-17ad92fd70de",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--feef2c34-c57b-481c-9f1b-358c5cfb3ccf",
      "target_ref": "infrastructure--9df29fec-776c-4950-9ddd-871cd87b9052"
    },
    {
      "type": "relationship",
      "id": "relationship--d71d9703-780b-4766-abb4-89211bf44500",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--feef2c34-c57b-481c-9f1b-358c5cfb3ccf",
      "target_ref": "tool--705ce69c-2ef3-43eb-8e1d-69ca35801019"
    },
    {
      "type": "relationship",
      "id": "relationship--065fb213-2fe0-498e-bac2-e23da4f3482c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--0e98866c-8f21-4b2c-abdb-9e6bdb0d3dbe",
      "target_ref": "attack-action--9657b790-d5a8-4253-9932-b358f8d6c992"
    },
    {
      "type": "relationship",
      "id": "relationship--228a98b3-4f45-43a7-b50e-d1c8f94359e5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--0e98866c-8f21-4b2c-abdb-9e6bdb0d3dbe",
      "target_ref": "attack-asset--27de8418-b47e-4bb5-a6cb-1cb672409e81"
    },
    {
      "type": "relationship",
      "id": "relationship--fc1d8ffc-b522-4d98-925b-562f27c69dc0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--9657b790-d5a8-4253-9932-b358f8d6c992",
      "target_ref": "file--5a85bc98-f407-4aa6-b34d-5f08a2ed1960"
    },
    {
      "type": "relationship",
      "id": "relationship--9d986e67-ad1d-47d1-bbaa-d433693a3a95",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--eba88067-cabc-41e2-a8f8-7c0bd2436b3d",
      "target_ref": "attack-action--97790d66-c67b-416c-8072-a3942d5c0b44"
    },
    {
      "type": "relationship",
      "id": "relationship--502c3ff1-cd73-4df0-8bb0-85efca0e21bd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "campaign--5733693b-c9aa-418e-ac09-312251d23259",
      "target_ref": "threat-actor--0fb5ffcd-5a32-4143-b96a-32be81723dbf"
    },
    {
      "type": "relationship",
      "id": "relationship--fbb65d48-8c33-48fa-b9b7-9d02717c5f0d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--18044ef4-83a8-4573-ac79-0ad9a69a4223",
      "target_ref": "attack-action--1f6da219-83ad-4f6a-ba67-5b5e873abb9f"
    },
    {
      "type": "relationship",
      "id": "relationship--1e5bd72a-3e25-4aa3-adaf-850d8866e5e3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb",
      "target_ref": "attack-action--aac1df04-b869-4d4c-8a6a-4c8c46bf46dd"
    },
    {
      "type": "relationship",
      "id": "relationship--ca42fd0a-e36a-4a75-b866-443c90b8f18b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb",
      "target_ref": "attack-asset--334e26d6-dcb4-48e5-a902-144bb13e6d8d"
    },
    {
      "type": "relationship",
      "id": "relationship--305fb1a3-f9f1-479e-8f35-1faeb6c93d29",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb",
      "target_ref": "attack-asset--28e50ac0-ab5f-4bac-84bf-85faa7af2e94"
    },
    {
      "type": "relationship",
      "id": "relationship--3febed84-f32f-4609-b764-33fd4568a6f2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--c3595f21-9aa4-4c6a-a687-f8916d96bffb",
      "target_ref": "attack-asset--2d75a947-cbdd-48f9-b890-5ea82f508e73"
    },
    {
      "type": "relationship",
      "id": "relationship--38a2eb2a-e6c1-4f3b-8f33-33b573b3d2a3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e3caaa44-e11d-46ab-b8c4-b91a6600bae0",
      "target_ref": "attack-action--8054a193-34be-4318-89c8-7967252f0e0f"
    },
    {
      "type": "relationship",
      "id": "relationship--471f5d65-ea4a-4ae0-b5b8-6b1429a524c0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--93abb92f-ecd8-4308-9f4e-84d84f7002c7",
      "target_ref": "directory--b626e448-b184-43d5-b695-7a4d67f2b60f"
    },
    {
      "type": "relationship",
      "id": "relationship--06698631-a174-4da3-ac31-e7c49b01480e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--d91bbf42-1a99-4b12-89fd-8f57a0ebbbb2",
      "target_ref": "attack-action--1972489e-527b-42d1-946b-1712ca9d88d7"
    },
    {
      "type": "relationship",
      "id": "relationship--a8d97b64-4887-4ba3-9994-e6b4c8233fa6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--d91bbf42-1a99-4b12-89fd-8f57a0ebbbb2",
      "target_ref": "file--1ce3f438-bc34-4e7a-b731-4472bb661079"
    },
    {
      "type": "relationship",
      "id": "relationship--41bbc5a6-eb3e-4a88-8769-41606c5a045f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--d91bbf42-1a99-4b12-89fd-8f57a0ebbbb2",
      "target_ref": "directory--11737a10-d109-4024-8a82-79d42eb10175"
    },
    {
      "type": "relationship",
      "id": "relationship--c5e9eb94-c83b-40e3-869c-9c40d1e473cd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--f5518d77-b508-4543-a606-17d6d976cc2d",
      "target_ref": "attack-action--3c484f24-0328-4750-8a71-758e69718297"
    },
    {
      "type": "relationship",
      "id": "relationship--65111a87-e6ee-47d4-9745-b93ede2a4d8d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--3c484f24-0328-4750-8a71-758e69718297",
      "target_ref": "tool--a2cecae8-93cf-4648-a09f-b48aaa8704bf"
    },
    {
      "type": "relationship",
      "id": "relationship--327253a9-e01c-4be9-aec4-6618bfc35b31",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--ae89eafb-e337-431f-af43-50f8d6897d0c",
      "target_ref": "user-account--05a45e84-229e-46ca-94ba-51ef9852c257"
    },
    {
      "type": "relationship",
      "id": "relationship--74878cf1-cf84-4f76-ba8c-f866020641b2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0574f20a-0604-4681-9245-a53fc4491e52",
      "target_ref": "tool--bc72aad0-8921-4be6-a0cb-fb26698c19cc"
    },
    {
      "type": "relationship",
      "id": "relationship--2ea8b8f5-26d4-4ac7-9e5f-82fbf97f75d4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--0574f20a-0604-4681-9245-a53fc4491e52",
      "target_ref": "directory--b07abfab-73bf-4faf-b347-4ccfe1fa162c"
    },
    {
      "type": "relationship",
      "id": "relationship--9ddadb46-5005-40bd-920e-99ac352d80be",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--4f01bf9f-4880-4568-964c-5daa5a20ce1a",
      "target_ref": "attack-action--e5b25470-9b73-4a90-abad-efaf56a241a7"
    },
    {
      "type": "relationship",
      "id": "relationship--a43dd66e-f5af-406e-8448-7bbafc631131",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5f223e58-a5d8-406e-8ad9-72a80b0abc38",
      "target_ref": "tool--de7ae5b8-64a2-4e60-99a0-0eb85ca9cc4f"
    },
    {
      "type": "relationship",
      "id": "relationship--ff2d7bbb-936c-43e5-a5e2-8ac4f6151dfc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5f223e58-a5d8-406e-8ad9-72a80b0abc38",
      "target_ref": "tool--1a76d629-1a37-4133-a73b-daccfa9844dc"
    },
    {
      "type": "relationship",
      "id": "relationship--371bd08c-cacd-450c-ae23-0560fe3fabbf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "tool--1a76d629-1a37-4133-a73b-daccfa9844dc",
      "target_ref": "file--f347ae73-c5d2-4a40-a7bc-8a8bf64f93d4"
    },
    {
      "type": "relationship",
      "id": "relationship--8a0c06de-ca44-494e-b8f1-8378f78d697c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--2541e4a4-d068-4278-a455-0afb29baf445",
      "target_ref": "attack-action--14f1573e-dea1-49ff-94a0-65c662c0a9ac"
    },
    {
      "type": "relationship",
      "id": "relationship--b01f8798-991c-4ffc-a140-6a2ee07d55fa",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--d3cb375e-3c91-48aa-b3ec-1af4e3af0ec3",
      "target_ref": "user-account--873ae4f3-17b0-4dd7-b004-6fd50104bbca"
    },
    {
      "type": "relationship",
      "id": "relationship--61c8156c-f87c-4de3-8221-644257c40b45",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.345Z",
      "modified": "2026-06-11T23:57:51.345Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--d3cb375e-3c91-48aa-b3ec-1af4e3af0ec3",
      "target_ref": "user-account--f33d628c-e2c5-4884-96a9-15fc06555862"
    }
  ]
}