{
  "type": "bundle",
  "id": "bundle--2f76ee67-32ed-4038-bc72-079b3a9a1028",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.372Z",
  "modified": "2026-06-11T23:57:51.372Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--e423964e-24b1-4caa-ac09-35a046e69639",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--fb4f5ac7-3f9c-445e-af0d-6c014bf73919",
      "start_refs": [
        "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55"
      ],
      "name": "FIN13 Case 2",
      "description": "Attack flow for the FIN13 campaign targeting a bank in Peru.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "Mandiant",
          "description": "Blog",
          "url": "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
        },
        {
          "source_name": "Sygnia",
          "description": "Report",
          "url": "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
        },
        {
          "source_name": "Netwitness",
          "description": "Report",
          "url": "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb4f5ac7-3f9c-445e-af0d-6c014bf73919",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "Mia Sanchez",
      "contact_information": "msanschez@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Exploited the Log4j vulnerability to open a beachhead on the DMZ",
      "asset_refs": [
        "attack-asset--2b04b7d2-1c66-4c8a-ab0f-96a2151af77f"
      ],
      "effect_refs": [
        "attack-action--6a89f34f-6ad9-492f-801a-d67148b37c18"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--6a89f34f-6ad9-492f-801a-d67148b37c18",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "The attacker immediately deployed tools on the breached DMZ",
      "effect_refs": [
        "attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--64913703-2b3b-4738-b0aa-e836ff1754e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "CVE-2021-44228",
      "description": "Log4j vulnerability"
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "IP Address",
      "description": "The attacker used IP address 185.193.126.27 to conduct the attack.",
      "infrastructure_types": [
        "command-and-control"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--2b04b7d2-1c66-4c8a-ab0f-96a2151af77f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "AKATWEB Web Server",
      "description": "The attacker exploited an unpatched proxy webserver"
    },
    {
      "type": "attack-action",
      "id": "attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Implanted a JSP webshell",
      "asset_refs": [
        "attack-asset--66b37f83-3a98-4971-9e42-1c706ff8431a"
      ],
      "effect_refs": [
        "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--66b37f83-3a98-4971-9e42-1c706ff8431a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "AKATWEB Web Server",
      "description": "The attacker implanted a webshell on the AKATWEB server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploitation for Client Execution",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1203",
      "technique_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
      "description": "Moved laterally to a DMZ segment hosting a SharePoint server, probably by using an RCE vulnerability.",
      "asset_refs": [
        "attack-asset--84ee066e-02fc-49ec-bb41-ddcdd3f4a7d1"
      ],
      "effect_refs": [
        "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--5e377b2d-75e0-43bd-9f15-802f3eabf9e4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "CVE-2019-0604",
      "description": "Microsoft SharePoint RCE Vulnerability"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--84ee066e-02fc-49ec-bb41-ddcdd3f4a7d1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Sharepoint Server",
      "description": "The attacker exploited the SharePoint server, likely with an RCE vulnerability."
    },
    {
      "type": "attack-action",
      "id": "attack-action--47fdc13f-2f34-4b53-8cf5-82646d3f12c7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Active Scanning",
      "tactic_id": "TA0043",
      "tactic_ref": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
      "technique_id": "T1595",
      "technique_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
      "description": "Executed a scan on the REMWK DMZ to find additional servers.",
      "effect_refs": [
        "attack-condition--2842d171-01e5-4e18-bef5-350d2bdfced9"
      ],
      "asset_refs": [
        "attack-asset--47c6ad4a-1be9-4d4b-b938-2825042e8302"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "LSASS Memory",
      "description": "Successfully dumped the SharePoint cached credentials and sent the files to a Dropzone to crack offline.",
      "asset_refs": [
        "attack-asset--4b538266-650b-4512-9615-1ce4ca53486c"
      ],
      "effect_refs": [
        "attack-action--47fdc13f-2f34-4b53-8cf5-82646d3f12c7"
      ]
    },
    {
      "type": "tool",
      "id": "tool--fb49aa4d-402b-4315-b43f-577b537c7835",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "pr64.exe",
      "description": "Renamed procdump, used to retrieve the cached credentials.",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--4b538266-650b-4512-9615-1ce4ca53486c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Sharepoint Credentials",
      "description": "Cached credentials stored in the SharePoint server's LSASS memory."
    },
    {
      "type": "attack-action",
      "id": "attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "LSASS Memory",
      "description": "Executed another LSASS dump",
      "effect_refs": [
        "attack-condition--fdcd3bcc-7b71-48d9-b5ea-80469af42c5e"
      ]
    },
    {
      "type": "tool",
      "id": "tool--3e798e83-18cc-4c43-b6ab-082073deda7b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "name": "pr64.exe",
      "description": "Renamed procdump, used to retrieve the cached credentials.",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--fdcd3bcc-7b71-48d9-b5ea-80469af42c5e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker obtained domain admin credentials for SQL Servers and a service account related to a cluster (MULTICLDBSIDE)"
    },
    {
      "type": "attack-action",
      "id": "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Valid Accounts",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1078",
      "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
      "description": "Attacker used RBMAdmin account to log into all databases on REMWK DMZ.",
      "effect_refs": [
        "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data From Local System",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1005",
      "technique_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
      "description": "Attacker logged into and queried all databases and dumped data containing user information.",
      "effect_refs": [
        "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7"
      ],
      "asset_refs": [
        "attack-asset--67bf47f0-8ae2-419d-97d9-51502ef32039"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File and Directory Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1083",
      "technique_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
      "description": "A VBScript was identified on the system, which scanned system shares and output the result.",
      "effect_refs": [
        "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.372Z",
      "modified": "2026-06-11T23:57:51.372Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Services",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1021",
      "technique_ref": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba",
      "description": "Multiple instances of PsExec were identified on the targeted DC. One instance was referenced in a bat script, which enabled RDP on four hosts.",
      "effect_refs": [
        "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--b0a39171-bf4c-488d-a770-871ab5f3574b"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--b0a39171-bf4c-488d-a770-871ab5f3574b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Domain controller and a number of accounts are compromised"
    },
    {
      "type": "tool",
      "id": "tool--39cca402-53e7-491b-b582-dc854b25eb41",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "psexesvc.exe/PsExec64.exe",
      "description": "The attacker used PsExec to remotely access the domain controller.",
      "tool_types": [
        "remote-access"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b595110b-25ff-4a38-b17f-e23a033c044c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Vulnerability Scanning",
      "description": "Tested INTSRV machines to find one accessible from the Internet",
      "effect_refs": [
        "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919"
      ],
      "asset_refs": [
        "attack-asset--deb390fb-0a8e-4043-be15-30afb26b5c4c"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "Implanted a webshell",
      "effect_refs": [
        "attack-condition--7ce821e6-6afe-4607-8a33-d834b9901678"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--deb390fb-0a8e-4043-be15-30afb26b5c4c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "QTJPGPA1",
      "description": "Machine on INTSRV network that allowed direct access to the internet"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--7ce821e6-6afe-4607-8a33-d834b9901678",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker previously discovered evidence of a Hypervisor and VMware V-Center system and evidence of a SecurID cluster for mobile banking"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--1025e924-fdde-4845-ac26-3a55cfefc646",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker has SecurID clone and previously stolen accounts"
    },
    {
      "type": "attack-action",
      "id": "attack-action--dc98744f-0b1b-46ab-9be5-68de533ee32c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Multi-Factor Authentication Interception",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1111",
      "technique_ref": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
      "description": "Attackers cloned one of the SecurID servers in the VMware center",
      "effect_refs": [
        "attack-action--08bd0251-2db7-4ea0-854d-7a320c98ae6a"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--03a8f3c1-b491-47b3-af6a-c4a108ea390b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "QTJPGPA1",
      "description": "Machine on INTSRV network used to export the image of the newly cloned SecurID server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--6981a40d-633d-4073-86c3-4548407a6e31",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Fraud",
      "description": "Attackers targeted users of a specific online mobile service and harvested a significant amount of money"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--17cf6bf2-f646-4879-a5e3-0c100c421d54",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "FIN13",
      "description": "FIN13 is a financially-motivated actor primarily focusing on Latin America with activity stretching back to early 2016. FIN13 has a history of highly localized targeting against the financial, retail, and hospitality industries.",
      "threat_actor_types": [
        "Crime-syndicate"
      ],
      "aliases": [
        "Elephant Beetle",
        "TG2003"
      ],
      "first_seen": "2016-01-01T00:00:00.000Z",
      "roles": [
        "Director"
      ],
      "goals": [
        "financially-motivated and targeting Latin American organizations in financial, retail, and hospitality industries"
      ],
      "sophistication": "Advanced",
      "resource_level": "Team",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "campaign",
      "id": "campaign--7c0825b3-23d9-480b-91dd-c053ee6da2a2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "FIN13 Case 2",
      "description": "This attack was reported in January 2022 and targeted a bank in Peru.",
      "first_seen": "2022-01-01T00:00:00.000Z",
      "objective": "stealing money for financial gain"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--2842d171-01e5-4e18-bef5-350d2bdfced9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker discovered additional servers and cracked SharePoint credentials"
    },
    {
      "type": "attack-action",
      "id": "attack-action--100bee83-00d2-4476-9194-8c34bd07b734",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "Attacker moved laterally to discovered servers using the previously extracted and cracked credentials",
      "effect_refs": [
        "attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7"
      ]
    },
    {
      "type": "tool",
      "id": "tool--e8e9d57c-b16f-40eb-b369-e5a3272f3c4b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "s0b.j",
      "description": "Most likely used by attackers since jdbc files (connected with the tool) were discovered on the RBSCLPED01 system.",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker targeted a legacy Windows 2012 server (QTCBDC02)"
    },
    {
      "type": "attack-action",
      "id": "attack-action--ee337046-b40e-4b1d-9522-c032498034a5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "Attacker moved laterally to the INTSRV area where the SecurID servers are located",
      "effect_refs": [
        "attack-action--b595110b-25ff-4a38-b17f-e23a033c044c"
      ],
      "asset_refs": [
        "attack-asset--1e1d87e9-3a2d-4dbe-86d8-72f2842799f5",
        "attack-asset--0a7bc1f8-47ee-4236-8648-f84f8ce15b19"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--4d2a4ed1-fb36-4bfc-8163-0a92e8f64fb9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Valid Accounts",
      "technique_id": "T1078",
      "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
      "description": "Attacker accessed the V-Center server using previously stolen valid accounts",
      "effect_refs": [
        "attack-action--dc98744f-0b1b-46ab-9be5-68de533ee32c"
      ],
      "asset_refs": [
        "attack-asset--02010746-8fbf-4a57-96fe-1ac93961296b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--08bd0251-2db7-4ea0-854d-7a320c98ae6a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over C2 Channel",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1041",
      "technique_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
      "description": "Attacker exported the SecurID server image over the webshell on QTJPGPA1",
      "asset_refs": [
        "attack-asset--03a8f3c1-b491-47b3-af6a-c4a108ea390b"
      ],
      "effect_refs": [
        "attack-condition--1025e924-fdde-4845-ac26-3a55cfefc646"
      ]
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--f914bbeb-1640-455c-b6d9-b3d88d92a903",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "value": "185.193.126.27"
    },
    {
      "type": "malware",
      "id": "malware--6c502942-6d6d-4674-9632-f2cf40d50c25",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "JSP webshell",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--47c6ad4a-1be9-4d4b-b938-2825042e8302",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "REMWK DMZ"
    },
    {
      "type": "user-account",
      "id": "user-account--8e341bda-2ab2-4cdf-8c30-3002da63ead6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "account_type": "windows-domain",
      "display_name": "RBMAdmin"
    },
    {
      "type": "note",
      "id": "note--57132ec0-55f3-4675-aa37-67af75706220",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "content": "The RBMAdmin account could have been leveraged for further access, but it is unclear if this was done.",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--67bf47f0-8ae2-419d-97d9-51502ef32039",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "RBSCLPED01"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--b2265d3d-8a47-435f-a56f-9e91c58bed82",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "QTCBDC02",
      "description": "Legacy Windows 2012 server"
    },
    {
      "type": "malware",
      "id": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "CCfix.bat",
      "description": "Enabled RDP in hosts",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "degrades-security-software"
      ]
    },
    {
      "type": "file",
      "id": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "equipos.txt"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--0970afdb-2bae-42a4-a70f-7c99109a9d1b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Host names listed in equipos.txt",
      "description": "QTCBDC02, QTVCTR01, QTBKSR02, QTJPGPA1"
    },
    {
      "type": "malware",
      "id": "malware--83371fc7-80ca-452a-b203-ccdea7786b0a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "VBScript",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "probes-network-environment"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--1e1d87e9-3a2d-4dbe-86d8-72f2842799f5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "INTSRV"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--0a7bc1f8-47ee-4236-8648-f84f8ce15b19",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "SecurID servers"
    },
    {
      "type": "malware",
      "id": "malware--0cdd837b-42a3-4bd7-b0d4-71ce40d9724d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "name": "Perl Reverse Shell",
      "description": "Attackers used webshell to remotely connect the system with their C2",
      "malware_types": [
        "webshell"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "commits-fraud",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--02010746-8fbf-4a57-96fe-1ac93961296b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "V-Center Server"
    },
    {
      "type": "relationship",
      "id": "relationship--f1a16f0c-27c0-4196-a5d4-1e85c00e7496",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55",
      "target_ref": "vulnerability--64913703-2b3b-4738-b0aa-e836ff1754e8"
    },
    {
      "type": "relationship",
      "id": "relationship--6f657c59-669b-4f53-9395-30349b9bafca",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55",
      "target_ref": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6"
    },
    {
      "type": "relationship",
      "id": "relationship--7f2dced7-868d-4b18-bf54-d393290942d8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6",
      "target_ref": "ipv4-addr--f914bbeb-1640-455c-b6d9-b3d88d92a903"
    },
    {
      "type": "relationship",
      "id": "relationship--f6844679-1f86-43d2-9b1c-bc2f1aa228f9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942",
      "target_ref": "malware--6c502942-6d6d-4674-9632-f2cf40d50c25"
    },
    {
      "type": "relationship",
      "id": "relationship--ce3d44da-7fee-4577-b208-97ad73b7c2cf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62",
      "target_ref": "vulnerability--5e377b2d-75e0-43bd-9f15-802f3eabf9e4"
    },
    {
      "type": "relationship",
      "id": "relationship--ba4af98b-bdac-4c02-9334-6f9ea0e82b51",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006",
      "target_ref": "tool--fb49aa4d-402b-4315-b43f-577b537c7835"
    },
    {
      "type": "relationship",
      "id": "relationship--4fe8e26b-ef0d-4594-b412-1900e227170a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7",
      "target_ref": "tool--3e798e83-18cc-4c43-b6ab-082073deda7b"
    },
    {
      "type": "relationship",
      "id": "relationship--48436113-acb9-4a94-a0f6-0fd662038faf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--fdcd3bcc-7b71-48d9-b5ea-80469af42c5e",
      "target_ref": "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058"
    },
    {
      "type": "relationship",
      "id": "relationship--3ab1562c-cb23-437c-850c-b5ece167629e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058",
      "target_ref": "user-account--8e341bda-2ab2-4cdf-8c30-3002da63ead6"
    },
    {
      "type": "relationship",
      "id": "relationship--21ca8e2c-5436-4ef2-bce3-0d019b4fb4cc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad",
      "target_ref": "tool--e8e9d57c-b16f-40eb-b369-e5a3272f3c4b"
    },
    {
      "type": "relationship",
      "id": "relationship--f3f0dc60-b444-48b9-a77d-06b6cb133d99",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc",
      "target_ref": "malware--83371fc7-80ca-452a-b203-ccdea7786b0a"
    },
    {
      "type": "relationship",
      "id": "relationship--cf59c5ee-b657-475d-bb25-8926c039950e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f",
      "target_ref": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f"
    },
    {
      "type": "relationship",
      "id": "relationship--3f748977-81ed-4ae2-af96-4d12bee3aed9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f",
      "target_ref": "tool--39cca402-53e7-491b-b582-dc854b25eb41"
    },
    {
      "type": "relationship",
      "id": "relationship--feda47e5-1f5f-4b01-bd87-969a683ae186",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--b0a39171-bf4c-488d-a770-871ab5f3574b",
      "target_ref": "attack-action--ee337046-b40e-4b1d-9522-c032498034a5"
    },
    {
      "type": "relationship",
      "id": "relationship--9c072d6e-d8a7-4077-8225-b64e7f84d33d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919",
      "target_ref": "malware--0cdd837b-42a3-4bd7-b0d4-71ce40d9724d"
    },
    {
      "type": "relationship",
      "id": "relationship--e5c38475-8d6a-40d9-9159-6ea479cee096",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--7ce821e6-6afe-4607-8a33-d834b9901678",
      "target_ref": "attack-action--4d2a4ed1-fb36-4bfc-8163-0a92e8f64fb9"
    },
    {
      "type": "relationship",
      "id": "relationship--ba269aec-f275-483a-80f6-b45ffb13187c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--1025e924-fdde-4845-ac26-3a55cfefc646",
      "target_ref": "attack-action--6981a40d-633d-4073-86c3-4548407a6e31"
    },
    {
      "type": "relationship",
      "id": "relationship--48d87982-6623-496f-b4df-268852018917",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "campaign--7c0825b3-23d9-480b-91dd-c053ee6da2a2",
      "target_ref": "threat-actor--17cf6bf2-f646-4879-a5e3-0c100c421d54"
    },
    {
      "type": "relationship",
      "id": "relationship--a523db9e-06a2-4153-8278-21e588c17707",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--2842d171-01e5-4e18-bef5-350d2bdfced9",
      "target_ref": "attack-action--100bee83-00d2-4476-9194-8c34bd07b734"
    },
    {
      "type": "relationship",
      "id": "relationship--840b7985-31c2-4070-9c4c-0dc87b104e15",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7",
      "target_ref": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f"
    },
    {
      "type": "relationship",
      "id": "relationship--0120f6d7-eaff-46d8-8720-96b789c02e2f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7",
      "target_ref": "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc"
    },
    {
      "type": "relationship",
      "id": "relationship--08a5e7a8-4c16-49d4-a04d-1d4a57f63880",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7",
      "target_ref": "attack-asset--b2265d3d-8a47-435f-a56f-9e91c58bed82"
    },
    {
      "type": "relationship",
      "id": "relationship--912cd145-d3ed-42a2-9be6-0bb53b24fee2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f",
      "target_ref": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000"
    },
    {
      "type": "relationship",
      "id": "relationship--706de55d-1613-455a-a752-9e6fd39c2407",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.373Z",
      "modified": "2026-06-11T23:57:51.373Z",
      "relationship_type": "related-to",
      "source_ref": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000",
      "target_ref": "attack-asset--0970afdb-2bae-42a4-a70f-7c99109a9d1b"
    }
  ]
}