{
  "type": "bundle",
  "id": "bundle--044e194a-0fdc-4169-9c6a-f33ba6c37c7d",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.408Z",
  "modified": "2026-06-11T23:57:51.408Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--03602b56-fdc6-4e79-b355-22e4c7aaeea5",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--560d783b-7cf9-48cb-bd99-8f778251848e",
      "start_refs": [
        "attack-action--35f13ec8-9c18-40b4-b76a-0c313a99f525"
      ],
      "name": "Gootloader",
      "description": "Attack flow on the Gootloader payload distribution attack.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "DFIR",
          "description": "Report",
          "url": "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--560d783b-7cf9-48cb-bd99-8f778251848e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "name": "Mia Sanchez",
      "contact_information": "msanchez@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--b8cd023a-4f26-43cc-ac71-38f90533cf2d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Drive-by Compromise",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1189",
      "technique_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
      "description": "The user searched for results and clicked on a compromised website. After navigating to the compromised website, a forum-like page was displayed and the user clicked on a link, which downloaded a file.",
      "effect_refs": [
        "attack-condition--ee68f51a-7009-460f-b06c-415ccaff65dc"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--01e917ac-a5d7-4f43-ba4d-407ee5a6aa2c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers launched a Search Engine Optimization (SEO) poisoning attack, which moves compromised websites hosting malware to the top of search results"
    },
    {
      "type": "attack-action",
      "id": "attack-action--35f13ec8-9c18-40b4-b76a-0c313a99f525",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Compromise Infrastructure",
      "tactic_id": "TA0042",
      "tactic_ref": "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
      "technique_id": "T1584",
      "technique_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
      "description": "Attackers compromised websites to host malware",
      "effect_refs": [
        "attack-condition--01e917ac-a5d7-4f43-ba4d-407ee5a6aa2c"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1cfc90fc-4363-48e3-ae47-c2cb9ea6fb60",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Malicious File",
      "description": "The user double-clicked on the dropped zip file",
      "effect_refs": [
        "attack-condition--aad47c8a-4610-4a61-8493-bdfb294972f6"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--ee68f51a-7009-460f-b06c-415ccaff65dc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Malicious file downloaded"
    },
    {
      "type": "attack-action",
      "id": "attack-action--89b4e412-c715-4a2f-b04f-1024d7c3b9c6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "JavaScript",
      "description": "The user double-clicks the JavaScript file located within the zip to execute it",
      "effect_refs": [
        "attack-action--1aa73c1d-cb93-4a7b-9da9-e4eb45d7b8e8"
      ],
      "command_ref": "process--8d0b3e28-b630-4722-825e-ca1b83abb4c4"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--aad47c8a-4610-4a61-8493-bdfb294972f6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Zip file opened"
    },
    {
      "type": "attack-action",
      "id": "attack-action--1aa73c1d-cb93-4a7b-9da9-e4eb45d7b8e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Modify Registry",
      "description": "Gootloader creates two registry keys: the first is populated with an encoded Cobalt Strike payload and the second stores a .NET loader",
      "effect_refs": [
        "attack-action--dc97c560-1be2-4a23-96e1-86ae94342358"
      ]
    },
    {
      "type": "tool",
      "id": "tool--7c857e19-3e36-4591-989d-03e6b825c8e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "name": "powershell.dll",
      "description": ".NET loader",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--dc97c560-1be2-4a23-96e1-86ae94342358",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "A PowerShell command is issued to extract the .NET loader from the registry and execute the code in memory via Assembly.Load()",
      "effect_refs": [
        "attack-action--29237ebb-4255-4531-8a2a-91c9418a9ac6"
      ],
      "asset_refs": [
        "attack-asset--81301e03-4550-4453-9390-0ae94066c30d"
      ],
      "command_ref": "process--3fa4fa7a-711d-4419-9112-11fbc8c20589"
    },
    {
      "type": "attack-action",
      "id": "attack-action--29237ebb-4255-4531-8a2a-91c9418a9ac6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Scheduled Task",
      "description": "The encoded PowerShell script creates a Scheduled Task that executes when the user logs on to the computer.",
      "effect_refs": [
        "attack-action--e8bf52fd-c737-4489-9c7b-018472ed744e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e8bf52fd-c737-4489-9c7b-018472ed744e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Rundll32",
      "description": "The .NET loader decodes a Cobalt Strike payload from the registry, then loads and executes the payload",
      "effect_refs": [
        "attack-action--2f8ce138-c255-4a43-aad4-eff29ef7968e",
        "attack-action--8702e9e7-8f4d-40b2-9898-29c92efed749",
        "attack-action--5241139e-43c4-4d7c-9dbc-354e9fabf988"
      ]
    },
    {
      "type": "tool",
      "id": "tool--6571a561-91e7-4521-b26c-ec7b4e789e53",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "name": "rundll32",
      "description": "Often used to load the Cobalt Strike beacons into memory on the victim machine",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--8702e9e7-8f4d-40b2-9898-29c92efed749",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Account Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1087",
      "technique_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
      "description": "The threat actors used BloodHound on the initial victim computer to enumerate the Active Directory domain",
      "effect_refs": [
        "attack-operator--316ccd65-e9e6-417f-aab6-d76dd236ee92"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--2f8ce138-c255-4a43-aad4-eff29ef7968e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Trust Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1482",
      "technique_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
      "description": "The threat actors used BloodHound on the initial victim computer to enumerate the Active Directory domain",
      "effect_refs": [
        "attack-operator--316ccd65-e9e6-417f-aab6-d76dd236ee92"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5241139e-43c4-4d7c-9dbc-354e9fabf988",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Group Policy Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1615",
      "technique_ref": "attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b",
      "description": "The threat actors used BloodHound on the initial victim computer to enumerate the Active Directory domain",
      "effect_refs": [
        "attack-operator--316ccd65-e9e6-417f-aab6-d76dd236ee92"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--316ccd65-e9e6-417f-aab6-d76dd236ee92",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--e0bea8b9-4ec1-42c5-833e-36a83a59b080"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--e0bea8b9-4ec1-42c5-833e-36a83a59b080",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Enumerated AD Domain information"
    },
    {
      "type": "attack-action",
      "id": "attack-action--219e8a53-054f-49d7-ba94-b0c63083d21e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "The attackers then pivoted to a nearby workstation host via a Cobalt Strike PowerShell beacon",
      "effect_refs": [
        "attack-action--dda7f652-9e4c-4785-b0e0-25ac92cf7e0a"
      ],
      "asset_refs": [
        "attack-asset--c0c51db9-6175-41bb-b24e-3004bc80f153"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--27af526a-99d9-4803-9b2e-f586ac27dcfb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Management Instrumentation",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1047",
      "technique_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
      "description": "WMI was used to check for AV software on the 2 compromised computers",
      "effect_refs": [
        "attack-action--87d5b719-5732-4b5a-9472-26fc6c8730ab"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--dda7f652-9e4c-4785-b0e0-25ac92cf7e0a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Attackers disabled Windows Defender logs on the Workstation",
      "effect_refs": [
        "attack-action--87e0d495-959e-47dc-bb2d-3e7e02d281d6"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--87e0d495-959e-47dc-bb2d-3e7e02d281d6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Command and Scripting Interpreter",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1059",
      "technique_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
      "description": "A second Cobalt Strike payload is deployed on the workstation to initiate a second C2 server",
      "effect_refs": [
        "attack-condition--500893f2-d9fc-48ce-a520-85b344084dc0"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--8db8bf96-07e0-4ba1-90e8-37c1fb08f7d9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.408Z",
      "modified": "2026-06-11T23:57:51.408Z",
      "name": "C2 server",
      "description": "deployed on the workstation through a Cobalt Strike payload",
      "infrastructure_types": [
        "command-and-control"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--da40e44b-a8d5-42e2-aa73-4be50cbc33a5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "The malicious PowerShell process used by Gootloader dropped a PowerShell script on the file system.",
      "effect_refs": [
        "attack-action--d3720beb-e659-4c5a-919d-f413794bfd40"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--81301e03-4550-4453-9390-0ae94066c30d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Initial victim system"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--c0c51db9-6175-41bb-b24e-3004bc80f153",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Workstation",
      "description": "second victim on the network after the initial victim"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--500893f2-d9fc-48ce-a520-85b344084dc0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Workstation compromised"
    },
    {
      "type": "attack-action",
      "id": "attack-action--d3720beb-e659-4c5a-919d-f413794bfd40",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "Another PowerShell command triggers the mi.ps1 script on the initial victim's computer to harvest credentials",
      "effect_refs": [
        "attack-action--fa506eae-7768-45fb-ad44-6a937b8a7064"
      ]
    },
    {
      "type": "tool",
      "id": "tool--6c367037-c8b3-4334-b1d9-f8be333a0c5b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "mi.ps1",
      "description": "output lists \"Invoke-Mimikatz\"; a renamed version of Mimikatz",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--fa506eae-7768-45fb-ad44-6a937b8a7064",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Credentials from Password Stores",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1555",
      "technique_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
      "description": "The threat actors then ran LaZagne to retrieve all saved credentials from the workstation",
      "effect_refs": [
        "attack-action--18dc9f3a-7634-42ac-9bdc-9663d4b00727"
      ]
    },
    {
      "type": "tool",
      "id": "tool--7846c7de-9a92-468a-a5ba-7521d1724862",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "ls.exe",
      "description": "renamed LaZagne; dumps passwords and stores the output file; with admin privileges, it can dump credentials from registry hives",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--18dc9f3a-7634-42ac-9bdc-9663d4b00727",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Remote Management",
      "description": "The attackers enabled Restricted Admin Mode through remote WMI. This was possible because Restricted Admin Mode only requires knowledge of the password hash, not the cleartext password",
      "effect_refs": [
        "attack-action--5142db39-7197-481b-8815-732e39006d77"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5142db39-7197-481b-8815-732e39006d77",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "Using the harvested credentials, the threat actors used RDP to move from the initial victim computer to the compromised workstation in restricted admin mode.",
      "effect_refs": [
        "attack-action--d28510ff-ed32-4ff2-be70-133133094f0f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d28510ff-ed32-4ff2-be70-133133094f0f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Microsoft Defender Scheduled Tasks Deleted",
      "effect_refs": [
        "attack-condition--8ef7edb8-c2d5-476a-90be-26f40b18f88e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--82d244af-b5a4-44dc-93a1-704f401e0a3d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "SMB/Windows Admin Shares",
      "description": "SMB was used to transfer Cobalt Strike payload executables to 3 additional workstations.",
      "effect_refs": [
        "attack-condition--4b7e1b0e-8cf6-405f-989d-797c9bcb9b39"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--8ef7edb8-c2d5-476a-90be-26f40b18f88e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers attempted to move laterally by targeting 3 additional workstations"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--4b7e1b0e-8cf6-405f-989d-797c9bcb9b39",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers compromised 3 additional workstations"
    },
    {
      "type": "attack-action",
      "id": "attack-action--64563afb-79af-405b-a335-7d296ea271b7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Remote Management",
      "description": "The attackers enabled Restricted Admin Mode via remote WMI",
      "effect_refs": [
        "attack-action--11de041a-0431-46dd-be9c-94b7bbc80f49"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--11de041a-0431-46dd-be9c-94b7bbc80f49",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "The attackers logged into the Domain Controller through RDP",
      "effect_refs": [
        "attack-action--bb12a865-13bc-49b6-b377-c05be7f5d3dd",
        "attack-action--b6ad86e3-05a1-429c-9bef-b586f4661752",
        "attack-action--3766b6f9-bfd9-4553-8dc8-af1235b4a375"
      ],
      "asset_refs": [
        "attack-asset--65b57872-f256-4a43-9e37-039cde9d3bfe"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--bb12a865-13bc-49b6-b377-c05be7f5d3dd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "PowerShell used to execute Cobalt Strike PowerShell payload",
      "effect_refs": [
        "attack-operator--cef61f91-75a3-4f12-8e4f-f289813a7a2d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b6ad86e3-05a1-429c-9bef-b586f4661752",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Microsoft Defender Scheduled Tasks Deleted",
      "effect_refs": [
        "attack-operator--cef61f91-75a3-4f12-8e4f-f289813a7a2d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3766b6f9-bfd9-4553-8dc8-af1235b4a375",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Credentials from Password Stores",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1555",
      "technique_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
      "description": "LaZagne dropped and executed",
      "effect_refs": [
        "attack-operator--cef61f91-75a3-4f12-8e4f-f289813a7a2d"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--cef61f91-75a3-4f12-8e4f-f289813a7a2d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--a795f05e-bf22-4af4-ab28-b0ad647d9bfb"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--fb419879-57a9-4e9a-bb0f-ae375b316a05",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Network Shared Drive",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "description": "The attackers then accessed documents on the file share server interactively through wordpad.exe from the initial victim's computer",
      "effect_refs": [
        "attack-condition--b154446e-0aed-4ce2-9720-8d7d12a868b9"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--a795f05e-bf22-4af4-ab28-b0ad647d9bfb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "The attackers logged into the File Share Server through RDP from the initial victim's computer",
      "effect_refs": [
        "attack-action--5bced297-0612-40f0-8a91-7d05bd05c283",
        "attack-action--b8382f9f-a15d-411c-b62d-b2f4b4db2dc4",
        "attack-action--2e0949bc-505a-47f2-94b4-2b98bc1756a8"
      ],
      "asset_refs": [
        "attack-asset--7eef049a-d1d6-43b3-9b60-ec228df8ec8a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5bced297-0612-40f0-8a91-7d05bd05c283",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "PowerShell used to execute Cobalt Strike PowerShell payload",
      "effect_refs": [
        "attack-operator--7762966a-ce27-424d-b3ed-36f1a9f03f00"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b8382f9f-a15d-411c-b62d-b2f4b4db2dc4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Microsoft Defender Scheduled Tasks Deleted",
      "effect_refs": [
        "attack-operator--7762966a-ce27-424d-b3ed-36f1a9f03f00"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--2e0949bc-505a-47f2-94b4-2b98bc1756a8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Remote Management",
      "description": "The attackers enabled Restricted Admin Mode via remote WMI",
      "effect_refs": [
        "attack-operator--7762966a-ce27-424d-b3ed-36f1a9f03f00"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--7762966a-ce27-424d-b3ed-36f1a9f03f00",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--fb419879-57a9-4e9a-bb0f-ae375b316a05"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--7eef049a-d1d6-43b3-9b60-ec228df8ec8a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File Share Server"
    },
    {
      "type": "tool",
      "id": "tool--bb66727f-e4d1-4829-86c5-12ad493336ec",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "wordpad.exe",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--b154446e-0aed-4ce2-9720-8d7d12a868b9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers enumerated and opened multiple files and file shares"
    },
    {
      "type": "attack-action",
      "id": "attack-action--a5f7f950-d331-4574-9762-7789b4869bd3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Network Service Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1046",
      "technique_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
      "description": "From the Domain Controller, the attackers ran Advanced IP Scanner",
      "effect_refs": [
        "attack-action--7326e71a-4664-4842-9800-f0088335b16e"
      ]
    },
    {
      "type": "tool",
      "id": "tool--3cfeebe3-b88e-430d-a1e3-f6bd387a60a3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "advanced_ip_scanner.exe",
      "description": "Advanced IP Scanner used to scan the following ports: 21, 80, 135, 443, 445, 3389, 8080, 56133, 58000, 58157, 58294, 58682, 60234, 60461, 64502",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--7326e71a-4664-4842-9800-f0088335b16e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Network Shared Drive",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1039",
      "technique_ref": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c",
      "description": "The file server SMB shares were accessed from the Domain Controller",
      "effect_refs": [
        "attack-action--22c3d3a1-894f-4785-8658-a66987ecb789"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--22c3d3a1-894f-4785-8658-a66987ecb789",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Remote Desktop Protocol",
      "description": "RDP Connection to Backup Server and File Server to look for more interesting files",
      "effect_refs": [
        "attack-condition--2623a5c3-db56-4de4-9a59-2b7f106ca8ca"
      ],
      "asset_refs": [
        "attack-asset--12bb42df-28c8-45e7-898b-f449434f5d73"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--2623a5c3-db56-4de4-9a59-2b7f106ca8ca",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers left the network"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--12bb42df-28c8-45e7-898b-f449434f5d73",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Backup Server"
    },
    {
      "type": "url",
      "id": "url--39f9c637-8955-479d-9f8a-5ffdff0c0c96",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "value": "kakiosk.adsparkdev.com"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--10b7013e-3184-4641-b099-af0d1a734892",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "value": "35.206.117.64"
    },
    {
      "type": "file",
      "id": "file--d662d1c7-188c-421c-b808-de93ef92074e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "olympus_plea_agreement 34603.js"
    },
    {
      "type": "process",
      "id": "process--8d0b3e28-b630-4722-825e-ca1b83abb4c4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "command_line": "WScript.exe olympus_plea_agreement 34603.js"
    },
    {
      "type": "windows-registry-key",
      "id": "windows-registry-key--3b4722c7-03e5-4e86-b50b-e322ab589d15",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Phone\\Username"
    },
    {
      "type": "windows-registry-key",
      "id": "windows-registry-key--7f5e21f3-bded-4e6b-a827-ff0ffc5cc5d2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Phone\\Username0",
      "values": [
        {
          "data": "powershell.dll",
          "data_type": "REG_SZ"
        }
      ]
    },
    {
      "type": "process",
      "id": "process--3fa4fa7a-711d-4419-9112-11fbc8c20589",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "command_line": "\"powershell.exe\" /c C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe \"/\"e\" NgAxA\"..."
    },
    {
      "type": "url",
      "id": "url--bd0a5164-885e-490e-a16c-2a4d4cd1b336",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "value": "jp.imonitorsoft.com"
    },
    {
      "type": "url",
      "id": "url--5886aa17-c1c4-418a-8cba-99a4dc690c49",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "value": "junk-bros.com"
    },
    {
      "type": "malware",
      "id": "malware--b196d9aa-f36a-4c60-9d1a-a6f4c83d701a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike beacons",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "malware",
      "id": "malware--b33e35e5-4965-4c5a-ba80-61d0ea42da8a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Bloodhound",
      "description": "PowerShell implementation of SharpHound that enumerates AD",
      "malware_types": [
        "unknown"
      ],
      "is_family": false,
      "capabilities": [
        "probes-network-environment",
        "fingerprints-host"
      ]
    },
    {
      "type": "malware",
      "id": "malware--cfa476db-7c0a-48b4-a863-4a1282e15213",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike beacons",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "malware",
      "id": "malware--8dc0a8b4-4b85-4098-9dfb-f30fa0c29509",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike payload",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "tool",
      "id": "tool--c53ca03a-ecaa-4fee-8fb3-efaa3fa6d0c6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "WMI",
      "description": "checks for AV software",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "file",
      "id": "file--5d763214-5788-414f-bbec-73bc67f4f630",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "mi.ps1"
    },
    {
      "type": "tool",
      "id": "tool--7244bd51-edd5-4f1c-baac-fa4ff1b82e12",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "PowerShell",
      "description": "Used by attacker to drop additional malware",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "malware",
      "id": "malware--20f289c4-1965-4d80-83ef-4e82687bb5a6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike beacons",
      "description": "payload beacons were dropped to several additional workstations",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "note",
      "id": "note--4dd0468a-5d07-42ab-9ea7-6cff956b0a6c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "content": "No additional activity was observed on the additional workstations once this lateral movement occurred",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--82d244af-b5a4-44dc-93a1-704f401e0a3d"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--65b57872-f256-4a43-9e37-039cde9d3bfe",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Controller"
    },
    {
      "type": "malware",
      "id": "malware--6a211c94-20fd-44be-9567-e2c78b833f9c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike payload",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "tool",
      "id": "tool--2a65e5da-193b-4969-9f84-a915b6ea4a8a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "ls.exe",
      "description": "renamed LaZagne; dumps passwords and stores the output file; with admin privileges, it can dump credentials from registry hives",
      "tool_types": [
        "credential-exploitation"
      ]
    },
    {
      "type": "malware",
      "id": "malware--135904f1-5ae4-48e4-a043-ec65e18837e3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "name": "Cobalt Strike payload",
      "malware_types": [
        "exploit-kit"
      ],
      "is_family": false,
      "capabilities": [
        "accesses-remote-machines",
        "communicates-with-c2",
        "escalates-privileges",
        "exfiltrates-data",
        "fingerprints-host",
        "installs-other-components",
        "probes-network-environment",
        "steals-authentication-credentials"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--87d5b719-5732-4b5a-9472-26fc6c8730ab",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Security Software Discovery",
      "description": "checks for AV software on the two compromised computers",
      "effect_refs": [
        "attack-action--da40e44b-a8d5-42e2-aa73-4be50cbc33a5"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--352a3a58-e75e-4cbf-b28c-02de5fdfa36f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b8cd023a-4f26-43cc-ac71-38f90533cf2d",
      "target_ref": "url--39f9c637-8955-479d-9f8a-5ffdff0c0c96"
    },
    {
      "type": "relationship",
      "id": "relationship--9fb1646b-e0d8-4de2-b52b-9ba3ae8ee50c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b8cd023a-4f26-43cc-ac71-38f90533cf2d",
      "target_ref": "url--bd0a5164-885e-490e-a16c-2a4d4cd1b336"
    },
    {
      "type": "relationship",
      "id": "relationship--f693b15d-cd46-4eaa-bc6a-797a09a71397",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b8cd023a-4f26-43cc-ac71-38f90533cf2d",
      "target_ref": "url--5886aa17-c1c4-418a-8cba-99a4dc690c49"
    },
    {
      "type": "relationship",
      "id": "relationship--b9ea8c2d-34bd-4284-8bec-c5b9db9959cf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--01e917ac-a5d7-4f43-ba4d-407ee5a6aa2c",
      "target_ref": "attack-action--b8cd023a-4f26-43cc-ac71-38f90533cf2d"
    },
    {
      "type": "relationship",
      "id": "relationship--6b355d7b-b107-4174-be70-c59b77d7626f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--ee68f51a-7009-460f-b06c-415ccaff65dc",
      "target_ref": "attack-action--1cfc90fc-4363-48e3-ae47-c2cb9ea6fb60"
    },
    {
      "type": "relationship",
      "id": "relationship--9b1ffdb2-b617-40d5-a577-5adc5b8dde0c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--89b4e412-c715-4a2f-b04f-1024d7c3b9c6",
      "target_ref": "file--d662d1c7-188c-421c-b808-de93ef92074e"
    },
    {
      "type": "relationship",
      "id": "relationship--3bab8933-35a5-43ba-ae62-5bf838494c17",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--aad47c8a-4610-4a61-8493-bdfb294972f6",
      "target_ref": "attack-action--89b4e412-c715-4a2f-b04f-1024d7c3b9c6"
    },
    {
      "type": "relationship",
      "id": "relationship--545725b9-a662-448e-abe7-f5e79d3eaf28",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1aa73c1d-cb93-4a7b-9da9-e4eb45d7b8e8",
      "target_ref": "windows-registry-key--3b4722c7-03e5-4e86-b50b-e322ab589d15"
    },
    {
      "type": "relationship",
      "id": "relationship--874292cb-6bc3-4f48-8d0b-4909df406fec",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1aa73c1d-cb93-4a7b-9da9-e4eb45d7b8e8",
      "target_ref": "windows-registry-key--7f5e21f3-bded-4e6b-a827-ff0ffc5cc5d2"
    },
    {
      "type": "relationship",
      "id": "relationship--7946f051-0c38-4f12-b0a0-dfe2d906c155",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--1aa73c1d-cb93-4a7b-9da9-e4eb45d7b8e8",
      "target_ref": "tool--7c857e19-3e36-4591-989d-03e6b825c8e8"
    },
    {
      "type": "relationship",
      "id": "relationship--8838fbaa-094a-4d19-b1ad-3a84bb138337",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e8bf52fd-c737-4489-9c7b-018472ed744e",
      "target_ref": "tool--6571a561-91e7-4521-b26c-ec7b4e789e53"
    },
    {
      "type": "relationship",
      "id": "relationship--6b6c0b24-c499-4472-8906-584570d3c63c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e8bf52fd-c737-4489-9c7b-018472ed744e",
      "target_ref": "malware--b196d9aa-f36a-4c60-9d1a-a6f4c83d701a"
    },
    {
      "type": "relationship",
      "id": "relationship--082eb430-dd02-4048-bb44-bde7e0f9c4df",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--8702e9e7-8f4d-40b2-9898-29c92efed749",
      "target_ref": "malware--b33e35e5-4965-4c5a-ba80-61d0ea42da8a"
    },
    {
      "type": "relationship",
      "id": "relationship--a2c84a22-c321-4234-b40e-301dde627058",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--2f8ce138-c255-4a43-aad4-eff29ef7968e",
      "target_ref": "malware--b33e35e5-4965-4c5a-ba80-61d0ea42da8a"
    },
    {
      "type": "relationship",
      "id": "relationship--333473a8-fda9-4eda-99e4-8c2efd516e71",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5241139e-43c4-4d7c-9dbc-354e9fabf988",
      "target_ref": "malware--b33e35e5-4965-4c5a-ba80-61d0ea42da8a"
    },
    {
      "type": "relationship",
      "id": "relationship--4254e7a9-ed47-411a-a872-29eb1c9ea959",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--e0bea8b9-4ec1-42c5-833e-36a83a59b080",
      "target_ref": "attack-action--219e8a53-054f-49d7-ba94-b0c63083d21e"
    },
    {
      "type": "relationship",
      "id": "relationship--7742b5f7-c8f9-46bc-9346-e04ad63cb29f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--219e8a53-054f-49d7-ba94-b0c63083d21e",
      "target_ref": "malware--cfa476db-7c0a-48b4-a863-4a1282e15213"
    },
    {
      "type": "relationship",
      "id": "relationship--23111223-a527-482a-ac36-ce86e4549ca7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--27af526a-99d9-4803-9b2e-f586ac27dcfb",
      "target_ref": "tool--c53ca03a-ecaa-4fee-8fb3-efaa3fa6d0c6"
    },
    {
      "type": "relationship",
      "id": "relationship--a8c97af7-f576-4167-8e23-e50d9fd97f8a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--87e0d495-959e-47dc-bb2d-3e7e02d281d6",
      "target_ref": "infrastructure--8db8bf96-07e0-4ba1-90e8-37c1fb08f7d9"
    },
    {
      "type": "relationship",
      "id": "relationship--bb6de6c1-77c6-40ab-b562-a8cb317214a3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--87e0d495-959e-47dc-bb2d-3e7e02d281d6",
      "target_ref": "malware--8dc0a8b4-4b85-4098-9dfb-f30fa0c29509"
    },
    {
      "type": "relationship",
      "id": "relationship--b7c9ce51-bc63-4cd1-bbe5-5ee8c1bcf3e6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--da40e44b-a8d5-42e2-aa73-4be50cbc33a5",
      "target_ref": "file--5d763214-5788-414f-bbec-73bc67f4f630"
    },
    {
      "type": "relationship",
      "id": "relationship--2c287198-94dc-459e-8c4f-5aa471d2bc75",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--da40e44b-a8d5-42e2-aa73-4be50cbc33a5",
      "target_ref": "tool--7244bd51-edd5-4f1c-baac-fa4ff1b82e12"
    },
    {
      "type": "relationship",
      "id": "relationship--24e016b9-4de0-4892-a099-7ec013721e80",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--500893f2-d9fc-48ce-a520-85b344084dc0",
      "target_ref": "attack-action--27af526a-99d9-4803-9b2e-f586ac27dcfb"
    },
    {
      "type": "relationship",
      "id": "relationship--d12d370d-7ecf-49d5-819c-f44c9ae4530e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--d3720beb-e659-4c5a-919d-f413794bfd40",
      "target_ref": "tool--6c367037-c8b3-4334-b1d9-f8be333a0c5b"
    },
    {
      "type": "relationship",
      "id": "relationship--01f34e81-e0d6-456e-a100-acb95c5e2983",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--fa506eae-7768-45fb-ad44-6a937b8a7064",
      "target_ref": "tool--7846c7de-9a92-468a-a5ba-7521d1724862"
    },
    {
      "type": "relationship",
      "id": "relationship--a8813bbd-09c7-4eb6-8064-bfd6cf34d465",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--82d244af-b5a4-44dc-93a1-704f401e0a3d",
      "target_ref": "malware--20f289c4-1965-4d80-83ef-4e82687bb5a6"
    },
    {
      "type": "relationship",
      "id": "relationship--56d46b50-b7b2-4636-9b94-ce19f546c892",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--8ef7edb8-c2d5-476a-90be-26f40b18f88e",
      "target_ref": "attack-action--82d244af-b5a4-44dc-93a1-704f401e0a3d"
    },
    {
      "type": "relationship",
      "id": "relationship--addfc7d2-2a51-4c2a-b15f-b748918a031c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--4b7e1b0e-8cf6-405f-989d-797c9bcb9b39",
      "target_ref": "attack-action--64563afb-79af-405b-a335-7d296ea271b7"
    },
    {
      "type": "relationship",
      "id": "relationship--dab759ce-e602-4236-994f-346c9707260e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--bb12a865-13bc-49b6-b377-c05be7f5d3dd",
      "target_ref": "malware--6a211c94-20fd-44be-9567-e2c78b833f9c"
    },
    {
      "type": "relationship",
      "id": "relationship--b4aea2b8-7eff-49de-b64f-66bf16e92003",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--3766b6f9-bfd9-4553-8dc8-af1235b4a375",
      "target_ref": "tool--2a65e5da-193b-4969-9f84-a915b6ea4a8a"
    },
    {
      "type": "relationship",
      "id": "relationship--2c18f5c3-fe92-48a0-84c5-0c005326f35d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--fb419879-57a9-4e9a-bb0f-ae375b316a05",
      "target_ref": "tool--bb66727f-e4d1-4829-86c5-12ad493336ec"
    },
    {
      "type": "relationship",
      "id": "relationship--5488515c-86b2-423f-a157-7499c14f8899",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5bced297-0612-40f0-8a91-7d05bd05c283",
      "target_ref": "malware--135904f1-5ae4-48e4-a043-ec65e18837e3"
    },
    {
      "type": "relationship",
      "id": "relationship--d720fd3e-fdbd-476f-800e-30e05093e112",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--b154446e-0aed-4ce2-9720-8d7d12a868b9",
      "target_ref": "attack-action--a5f7f950-d331-4574-9762-7789b4869bd3"
    },
    {
      "type": "relationship",
      "id": "relationship--d1cc90ea-1245-426d-9933-f39d04863021",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a5f7f950-d331-4574-9762-7789b4869bd3",
      "target_ref": "tool--3cfeebe3-b88e-430d-a1e3-f6bd387a60a3"
    },
    {
      "type": "relationship",
      "id": "relationship--70011bdd-17b8-4608-8e6a-7bcd44f80576",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "url--39f9c637-8955-479d-9f8a-5ffdff0c0c96",
      "target_ref": "ipv4-addr--10b7013e-3184-4641-b099-af0d1a734892"
    },
    {
      "type": "relationship",
      "id": "relationship--4427a757-dd2b-400f-a354-20828a633671",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "url--bd0a5164-885e-490e-a16c-2a4d4cd1b336",
      "target_ref": "ipv4-addr--10b7013e-3184-4641-b099-af0d1a734892"
    },
    {
      "type": "relationship",
      "id": "relationship--7747092e-7272-408d-a650-a20be112664e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.409Z",
      "modified": "2026-06-11T23:57:51.409Z",
      "relationship_type": "related-to",
      "source_ref": "url--5886aa17-c1c4-418a-8cba-99a4dc690c49",
      "target_ref": "ipv4-addr--10b7013e-3184-4641-b099-af0d1a734892"
    }
  ]
}