{ "type": "bundle", "id": "bundle--df8adaf7-c08e-4c2e-823f-6b23b6de371d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.436Z", "modified": "2026-06-11T23:57:51.436Z", "objects": [ { "type": "extension-definition", "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "name": "Attack Flow", "description": "Extends STIX 2.1 with features to create Attack Flows.", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", "version": "2.0.0", "extension_types": [ "new-sdo" ], "external_references": [ { "source_name": "Documentation", "description": "Documentation for Attack Flow", "url": "https://center-for-threat-informed-defense.github.io/attack-flow" }, { "source_name": "GitHub", "description": "Source code repository for Attack Flow", "url": "https://github.com/center-for-threat-informed-defense/attack-flow" } ] }, { "type": "identity", "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "name": "MITRE Center for Threat-Informed Defense", "identity_class": "organization" }, { "type": "attack-flow", "id": "attack-flow--1a3307e2-1efe-448d-b052-e30bef5d1093", "spec_version": "2.1", "created": "2022-10-27T02:44:54.520Z", "modified": "2026-06-11T23:57:51.436Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "created_by_ref": "identity--6257f404-31dd-42db-8afe-141628f3c19b", "start_refs": [ "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c" ], "name": "Hancitor DLL", "description": "Attack flow on an intrusion using the Hancitor downloader.", "scope": "incident", "external_references": [ { "source_name": "DFIR", "description": "Report", "url": "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/" } ] }, { "type": "identity", "id": "identity--6257f404-31dd-42db-8afe-141628f3c19b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.436Z", "modified": "2026-06-11T23:57:51.436Z", "name": "Eric Kannampuzha", "contact_information": "ekannampuzha@mitre.org" }, { "type": "attack-action", "id": "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Spearphishing Link", "description": "Email campaign aimed to trick the user into enabling macros on a malicious document; delivered via a link to Google's Feed Proxy service", "effect_refs": [ "attack-action--1d851bc1-c568-463d-8e5e-270e997a65bd" ] }, { "type": "infrastructure", "id": "infrastructure--9dc784c0-f64e-41c6-815f-d515675071f6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "Google's Feed Proxy service", "description": "hosted the malicious document", "infrastructure_types": [ "anonymization" ] }, { "type": "attack-action", "id": "attack-action--1d851bc1-c568-463d-8e5e-270e997a65bd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Malicious File", "description": "User enabled macros", "effect_refs": [ "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a" ] }, { "type": "attack-action", "id": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Visual Basic", "description": "Macro downloads ier.dll and executes it", "effect_refs": [ "attack-action--8ec450fa-b704-40d2-8560-94d5a8fd677a" ] }, { "type": "attack-action", "id": "attack-action--8ec450fa-b704-40d2-8560-94d5a8fd677a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Rundll32", "description": "ier.dll executed", "effect_refs": [ "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1" ] }, { "type": "attack-action", "id": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Hancitor downloaded 2 Cobalt Strike payloads (including a stager) and Ficker Stealer", "effect_refs": [ "attack-action--264c553e-266e-4143-983b-35bee0e23a63" ] }, { "type": "infrastructure", "id": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "Stager", "description": "IP address of C2 associated with stager", "infrastructure_types": [ "command-and-control", "staging" ] }, { "type": "infrastructure", "id": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "C2", "description": "IP address/URL of C2 that downloaded the additional tools", "infrastructure_types": [ "command-and-control", "hosting-malware" ] }, { "type": "attack-action", "id": "attack-action--264c553e-266e-4143-983b-35bee0e23a63", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Process Injection", "tactic_id": "TA0004", "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", "technique_id": "T1055", "technique_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "description": "Multiple instances of svchost.exe launched and injected with Cobalt Strike", "effect_refs": [ "attack-condition--a2793461-43b8-4b30-966f-71295f564b75" ] }, { "type": "tool", "id": "tool--ad23cf1d-72aa-40d7-a66a-4e95305cb0ed", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "svchost.exe", "description": "process injection with Cobalt Strike", "tool_types": [ "unknown" ] }, { "type": "attack-asset", "id": "attack-asset--435e40bd-19a7-4099-8a32-0c268760b218", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Port Scanning", "description": "scanned SMB, TCP 5000, TCP 9392, and TCP 6106. Actors were looking for backup products Synology, Backup Exec, and Veeam" }, { "type": "attack-asset", "id": "attack-asset--de81d71c-8f3f-43db-9d07-c03f5937e028", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ping", "description": "Actors pinged 190.114.254.116 and used the IP later in the attack", "object_ref": "ipv4-addr--8c8019bc-8d35-48de-b21f-6b3293b7a82f" }, { "type": "attack-asset", "id": "attack-asset--e4fb987f-6460-40a3-9a6a-bc66641eaf47", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Enumerated local administrative access", "description": "Attackers enumerated local admin access on remote systems by checking the C$ share for hosts discovered after the port scan" }, { "type": "attack-action", "id": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Hancitor downloaded Cobalt Strike DLL and batch file on victim machine", "effect_refs": [ "attack-action--615f4282-5407-44e4-b0e1-b68198baadd3" ] }, { "type": "infrastructure", "id": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "C2 for Cobalt Strike beacons", "description": "C2 associated with the Cobalt Strike beacon", "infrastructure_types": [ "command-and-control" ] }, { "type": "tool", "id": "tool--7df9e692-418b-4d07-81bc-bd16693656b0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "cor.bat", "description": "batch file that executes the Cobalt Strike DLL using rundll32.exe with a specific parameter", "tool_types": [ "exploitation" ] }, { "type": "attack-action", "id": "attack-action--615f4282-5407-44e4-b0e1-b68198baadd3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Virtualization/Sandbox Evasion", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1497", "technique_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d", "description": "Cobalt Strike DLL stager does not run unless it is given a specific command line parameter", "effect_refs": [ "attack-action--6c4ed453-8eec-4b2b-9ff0-5b45edb1a804" ] }, { "type": "attack-condition", "id": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Multiple instances of rundll32.exe spawning svchost.exe and svchost.exe spawning cmd.exe" }, { "type": "attack-action", "id": "attack-action--6c4ed453-8eec-4b2b-9ff0-5b45edb1a804", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Rundll32", "description": "cor.dll executed", "effect_refs": [ "attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4" ] }, { "type": "attack-action", "id": "attack-action--9c595315-eb12-4643-85be-33986d8c031b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "PowerShell", "description": "PowerShell loader deobfuscates shellcode and runs it in memory as a thread in the same PowerShell process; shellcode includes a PE file embedded inside", "effect_refs": [ "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c" ] }, { "type": "tool", "id": "tool--9f0f8035-5d6a-44e8-8c66-125db8a30a25", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "agent1.ps1", "description": "PowerShell loader", "tool_types": [ "unknown" ] }, { "type": "attack-action", "id": "attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Obfuscated Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1027", "technique_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "description": "Base64-encoded PowerShell dropped onto the machine", "effect_refs": [ "attack-action--9c595315-eb12-4643-85be-33986d8c031b" ] }, { "type": "attack-action", "id": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "PE file is loaded into memory and executed; beacons out at regular intervals to C2 server for instructions", "effect_refs": [ "attack-action--15d89326-a900-4881-9811-5881bd05fb1d" ] }, { "type": "tool", "id": "tool--30bce16b-b3a2-4efe-9024-3a26d7df320c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "PE file", "tool_types": [ "unknown" ] }, { "type": "infrastructure", "id": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "C2 server", "infrastructure_types": [ "command-and-control" ] }, { "type": "attack-action", "id": "attack-action--15d89326-a900-4881-9811-5881bd05fb1d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Compile After Delivery", "description": "Visual C# Command Line Compiler invoked by PowerShell script; most likely instructions that the PE file retrieved from the C2 server", "effect_refs": [ "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389" ] }, { "type": "attack-action", "id": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attacker used a custom implementation of Zerologon", "effect_refs": [ "attack-action--5c8d3aac-79ac-4ef8-81dd-7046b5355e9c" ] }, { "type": "vulnerability", "id": "vulnerability--2b660706-ac74-475d-af2d-7be8315a9056", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "CVE-2020-1472" }, { "type": "tool", "id": "tool--22800f67-08d5-42ce-95cf-1b39eff410c1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "zero.exe", "description": "custom implementation of Zerologon", "tool_types": [ "unknown" ] }, { "type": "attack-action", "id": "attack-action--5c8d3aac-79ac-4ef8-81dd-7046b5355e9c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Exploitation for Credential Access", "tactic_id": "TA0006", "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263", "technique_id": "T1212", "technique_ref": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "description": "Zero.exe executes and obtains the NTLM hash of a Domain Administrator account", "effect_refs": [ "attack-action--42530d17-73ed-4f57-86f4-de1b3f85eae1" ] }, { "type": "attack-action", "id": "attack-action--42530d17-73ed-4f57-86f4-de1b3f85eae1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Pass the Hash", "description": "Attackers use the Domain Administrator's NTLM hash to authenticate to other domain controllers", "effect_refs": [ "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a" ] }, { "type": "attack-action", "id": "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers deployed Cobalt Strike beacons on the domain controllers", "effect_refs": [ "attack-action--93d9e541-add1-4515-b288-b163a60efea4" ] }, { "type": "attack-action", "id": "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "PowerShell", "description": "PowerShell executed on every Domain Controller and used the Active Directory RSAT module to get a list of computers and compiled this list into a file", "effect_refs": [ "attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8" ] }, { "type": "tool", "id": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "comp2.ps1", "description": "PowerShell script; uses the file with theĀ  enumerated list of computers", "tool_types": [ "information-gathering" ] }, { "type": "attack-action", "id": "attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Scanning IP Blocks", "description": "Executable uses IPs and hostnames from comps.txt and checks if they are online using ICMP scans", "effect_refs": [ "attack-condition--55bbea0f-65dd-404a-bfeb-3751297f369e" ] }, { "type": "attack-condition", "id": "attack-condition--55bbea0f-65dd-404a-bfeb-3751297f369e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Online hosts are directed to check.txt file" }, { "type": "tool", "id": "tool--5d91d93a-1071-4a5d-93f5-be75d5b7d1c1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "check.exe", "description": "executable conducting ICMP scans, searching for online systems", "tool_types": [ "information-gathering" ] }, { "type": "attack-action", "id": "attack-action--93d9e541-add1-4515-b288-b163a60efea4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Lateral Movement", "tactic_id": "TA0008", "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", "description": "Attackers moved lateral throughout the network to additional domain controllers, backup servers, and file shares using Cobalt Strike", "effect_refs": [ "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4" ] }, { "type": "malware", "id": "malware--13146797-18cc-43b6-8bab-9a88c0e4a6e2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "ier.dll", "description": "Hancitor DLL file", "malware_types": [ "downloader", "trojan" ], "is_family": false, "capabilities": [ "communicates-with-c2", "exfiltrates-data", "installs-other-components" ] }, { "type": "directory", "id": "directory--6be350c5-1f9d-4e2b-a29a-37bd155d185f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "path": "%APPDATA%\\Microsoft\\templates\\" }, { "type": "url", "id": "url--a6ebeb18-dc18-47f7-b64c-07ac5828c492", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "4a5ikol.ru" }, { "type": "ipv4-addr", "id": "ipv4-addr--1f0a42b3-e753-41a6-8151-1b2751b4b914", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "8.211.241.0" }, { "type": "ipv4-addr", "id": "ipv4-addr--2ffb5de4-b7c9-4c18-a931-6b24a5cef301", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "207.148.23.64" }, { "type": "malware", "id": "malware--32f888c6-86a8-42bf-828d-44c5b398207f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "Cobalt Strike payloads", "malware_types": [ "exploit-kit" ], "is_family": false, "capabilities": [ "accesses-remote-machines", "communicates-with-c2", "escalates-privileges", "exfiltrates-data", "fingerprints-host", "installs-other-components", "probes-network-environment", "steals-authentication-credentials" ] }, { "type": "malware", "id": "malware--c7408153-96a8-4a66-be6f-ac881bb187cc", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "Ficker Stealer", "description": "steals information", "malware_types": [ "trojan" ], "is_family": false, "capabilities": [ "fingerprints-host", "probes-network-environment", "steals-authentication-credentials", "exfiltrates-data" ] }, { "type": "tool", "id": "tool--cafb8768-db59-4764-9ea1-702ccc4337f2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "rundll32.exe", "tool_types": [ "unknown" ] }, { "type": "ipv4-addr", "id": "ipv4-addr--8c8019bc-8d35-48de-b21f-6b3293b7a82f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "190.114.254.116" }, { "type": "ipv4-addr", "id": "ipv4-addr--4986f18c-5013-43e6-9934-3504b2a457fc", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "190.114.254.116" }, { "type": "malware", "id": "malware--4e771a07-6800-4fb4-86e7-73718a3aa8bf", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "cor.dll", "description": "Cobalt Strike DLL", "malware_types": [ "exploit-kit" ], "is_family": false, "capabilities": [ "accesses-remote-machines", "communicates-with-c2", "escalates-privileges", "exfiltrates-data", "fingerprints-host", "installs-other-components", "probes-network-environment", "steals-authentication-credentials" ] }, { "type": "ipv4-addr", "id": "ipv4-addr--a850619d-655c-4b2a-aaf0-60ae42998c7c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "value": "64.235.39.32" }, { "type": "malware", "id": "malware--fe0b4d3c-79f7-4562-9fd9-73f5922bc489", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "Cobalt Strike beacons", "malware_types": [ "exploit-kit" ], "is_family": false, "capabilities": [ "accesses-remote-machines", "communicates-with-c2", "escalates-privileges", "exfiltrates-data", "fingerprints-host", "installs-other-components", "probes-network-environment", "steals-authentication-credentials" ] }, { "type": "file", "id": "file--88d6adf8-19db-4920-afc5-896c2ebc26e8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "name": "comps.txt" }, { "type": "attack-action", "id": "attack-action--f6ff7411-18b2-412f-ae4b-c72f8b6def69", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Local Account", "description": "enumerated local access", "asset_refs": [ "attack-asset--e4fb987f-6460-40a3-9a6a-bc66641eaf47" ], "effect_refs": [ "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31" ] }, { "type": "attack-action", "id": "attack-action--1720c263-4ec3-4c13-b637-10336d59fcea", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Internet Connection Discovery", "description": "checks for internet connection", "asset_refs": [ "attack-asset--de81d71c-8f3f-43db-9d07-c03f5937e028" ], "effect_refs": [ "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31" ] }, { "type": "attack-action", "id": "attack-action--625c956c-e084-488f-a592-fdee309b883a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Network Service Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1046", "technique_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88", "description": "scans ports", "asset_refs": [ "attack-asset--435e40bd-19a7-4099-8a32-0c268760b218" ], "effect_refs": [ "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31" ] }, { "type": "relationship", "id": "relationship--37251bc0-ad94-41d3-9fc5-5c7e1456b3a6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c", "target_ref": "infrastructure--9dc784c0-f64e-41c6-815f-d515675071f6" }, { "type": "relationship", "id": "relationship--b71dcfc9-fb97-4dcf-8cac-3c306e43f7f8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", "target_ref": "directory--6be350c5-1f9d-4e2b-a29a-37bd155d185f" }, { "type": "relationship", "id": "relationship--713dbd2b-e05b-47cc-80bb-a4c6c38a7ce4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", "target_ref": "malware--13146797-18cc-43b6-8bab-9a88c0e4a6e2" }, { "type": "relationship", "id": "relationship--9dec7ac4-f4d8-43b1-8b27-937a057e0804", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", "target_ref": "malware--c7408153-96a8-4a66-be6f-ac881bb187cc" }, { "type": "relationship", "id": "relationship--3275f7df-df51-4225-81d9-a4ea948bc34b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", "target_ref": "malware--32f888c6-86a8-42bf-828d-44c5b398207f" }, { "type": "relationship", "id": "relationship--55b9cc22-5fa4-481e-b1ff-038793700f31", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", "target_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3" }, { "type": "relationship", "id": "relationship--29a8808c-1767-4a74-806a-936d4468a84f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", "target_ref": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450" }, { "type": "relationship", "id": "relationship--635b19e9-c021-4983-a149-a0276475eb8e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450", "target_ref": "ipv4-addr--2ffb5de4-b7c9-4c18-a931-6b24a5cef301" }, { "type": "relationship", "id": "relationship--32238d36-1805-4127-a93d-6963a4ebb3d7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", "target_ref": "url--a6ebeb18-dc18-47f7-b64c-07ac5828c492" }, { "type": "relationship", "id": "relationship--71a6a3ca-4421-419b-bf5e-428ec778f84b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", "target_ref": "ipv4-addr--1f0a42b3-e753-41a6-8151-1b2751b4b914" }, { "type": "relationship", "id": "relationship--e3c0abdb-b9a2-463c-b593-281580dddaf1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--264c553e-266e-4143-983b-35bee0e23a63", "target_ref": "tool--ad23cf1d-72aa-40d7-a66a-4e95305cb0ed" }, { "type": "relationship", "id": "relationship--a31e1cc4-47ce-45dd-95f2-1d8cd0aa0e56", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", "target_ref": "malware--4e771a07-6800-4fb4-86e7-73718a3aa8bf" }, { "type": "relationship", "id": "relationship--f2a46e52-d7a3-4c87-a93a-6f307d39f6ee", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", "target_ref": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac" }, { "type": "relationship", "id": "relationship--3613c7dc-3dd4-4508-9fbb-b809f99c9565", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", "target_ref": "tool--7df9e692-418b-4d07-81bc-bd16693656b0" }, { "type": "relationship", "id": "relationship--b11f324d-f146-48fc-a0bb-683d7110bb41", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac", "target_ref": "ipv4-addr--4986f18c-5013-43e6-9934-3504b2a457fc" }, { "type": "relationship", "id": "relationship--e9a1ea9b-a5b0-43d0-86c6-ce9d02878db2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", "target_ref": "tool--cafb8768-db59-4764-9ea1-702ccc4337f2" }, { "type": "relationship", "id": "relationship--edf5202b-c876-4c4b-8639-d5c6ba71b7a8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", "target_ref": "attack-action--1720c263-4ec3-4c13-b637-10336d59fcea" }, { "type": "relationship", "id": "relationship--4c8d5799-8ebf-4b06-a65a-94a6eaa092c1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", "target_ref": "attack-action--f6ff7411-18b2-412f-ae4b-c72f8b6def69" }, { "type": "relationship", "id": "relationship--6b51863c-aa2e-4899-91b7-e3dd132aa27d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", "target_ref": "attack-action--625c956c-e084-488f-a592-fdee309b883a" }, { "type": "relationship", "id": "relationship--dc151fd3-963b-4dcd-a950-ff91a0fe83ce", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4", "target_ref": "tool--9f0f8035-5d6a-44e8-8c66-125db8a30a25" }, { "type": "relationship", "id": "relationship--8ecede4b-ed1d-43e1-81c1-3634b6a914eb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", "target_ref": "tool--30bce16b-b3a2-4efe-9024-3a26d7df320c" }, { "type": "relationship", "id": "relationship--ee96f3b8-18fc-4bb9-adf9-de341209a3fa", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", "target_ref": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e" }, { "type": "relationship", "id": "relationship--a186e14c-b6e7-47d0-a10e-f98eb4929366", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e", "target_ref": "ipv4-addr--a850619d-655c-4b2a-aaf0-60ae42998c7c" }, { "type": "relationship", "id": "relationship--46a739ea-68b8-444f-8848-63240f67c268", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", "target_ref": "vulnerability--2b660706-ac74-475d-af2d-7be8315a9056" }, { "type": "relationship", "id": "relationship--ee144bb5-9b8e-4d03-9d16-66ff83e360f8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", "target_ref": "tool--22800f67-08d5-42ce-95cf-1b39eff410c1" }, { "type": "relationship", "id": "relationship--719306e4-a7fe-458c-9c44-a362f5c3d037", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a", "target_ref": "malware--fe0b4d3c-79f7-4562-9fd9-73f5922bc489" }, { "type": "relationship", "id": "relationship--fc0cc38e-23a3-467f-aa3e-932051dbb2aa", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4", "target_ref": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383" }, { "type": "relationship", "id": "relationship--aa52ecd5-9605-4862-a3bf-f6dfb1d0be90", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383", "target_ref": "file--88d6adf8-19db-4920-afc5-896c2ebc26e8" }, { "type": "relationship", "id": "relationship--0d76f9d6-6dd7-46b4-895f-69d6c2546a48", "spec_version": "2.1", "created": "2026-06-11T23:57:51.437Z", "modified": "2026-06-11T23:57:51.437Z", "relationship_type": "related-to", "source_ref": "attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8", "target_ref": "tool--5d91d93a-1071-4a5d-93f5-be75d5b7d1c1" } ] }