{
  "type": "bundle",
  "id": "bundle--301d6977-31b5-4c88-9b7d-cd3143876ae7",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.732Z",
  "modified": "2026-06-11T23:57:51.732Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--74811f7e-911b-4400-a0e3-64703656ded4",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--b68209f5-d4e4-4a81-87b5-59c1d24445a2",
      "start_refs": [
        "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be",
        "attack-action--fce268a4-4a5d-46a0-a180-eea719995110"
      ],
      "name": "SolarWinds",
      "description": "A well-known supply chain attack against an Austin, TX software company.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "Picus",
          "description": "Article",
          "url": "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach"
        },
        {
          "source_name": "Microsoft",
          "description": "Article",
          "url": "https://www.microsoft.com/en-us/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
        },
        {
          "source_name": "Comodo Cybersecurity",
          "description": "Article",
          "url": "https://techtalk.comodo.com/2020/12/23/sunburst-apt-against-solarwind-mapped-to-kill-chain/"
        },
        {
          "source_name": "Microsoft",
          "description": "Article",
          "url": "https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--b68209f5-d4e4-4a81-87b5-59c1d24445a2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "Lauren Parker",
      "contact_information": "lparker@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Malware",
      "description": "Attackers embedded their malicious payload on a legitimate component of the SolarWinds Orion Platform software. This component is a DLL library, SolarWinds.Orion.Core.BusinessLayer.dll",
      "effect_refs": [
        "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325"
      ]
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--6eb7eb9a-f5e5-4943-8c29-316084ceb64f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "APT29",
      "description": "In April 2021, the US and UK governments attributed the SolarWinds breach to the SVR, and public citations referenced APT29.",
      "first_seen": "2008-01-01T00:00:00.000Z",
      "roles": [
        "Director"
      ],
      "sophistication": "strategic",
      "resource_level": "government",
      "primary_motivation": "organizational-gain"
    },
    {
      "type": "campaign",
      "id": "campaign--ec6a234a-cc7b-46fd-9600-a64e9a8c3184",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "SolarWinds Breach",
      "description": "Attackers compromised the infrastructure of SolarWinds, a network monitoring service. In March 2020, SolarWinds unknowingly pushed out malicious updates to thousands of private and public organizations.",
      "objective": "conduct a supply chain attack to maintain long-term network access in a large number of organizations and potentially government entities"
    },
    {
      "type": "attack-action",
      "id": "attack-action--fce268a4-4a5d-46a0-a180-eea719995110",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Code Signing",
      "description": "To bypass application control technologies, adversaries sign their malware with valid signatures by creating, acquiring, or stealing code-signing materials. The attackers compromised the SolarWinds digital certificates, allowing them to run privileged actions and maintain a low profile",
      "effect_refs": [
        "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--0c739735-a984-4897-bc2f-a8737deff66f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0c739735-a984-4897-bc2f-a8737deff66f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Compromise Software Supply Chain",
      "description": "The malicious DLL file was distributed to victims through an automated update mechanism",
      "effect_refs": [
        "attack-action--b9ac316b-c623-4fe3-8ab2-eb8673081edc"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b9ac316b-c623-4fe3-8ab2-eb8673081edc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Service Execution",
      "description": "During the SolarWinds installation or update to victim machines, the tampered DLL is loaded by legitimate executables and installed as a Windows service. The malicious code calls the function that contains the backdoor capabilities",
      "effect_refs": [
        "attack-action--68866dd4-7e92-4e0a-a8dc-aff4df1d46df",
        "attack-action--231bdc8e-30ab-4d7c-8e85-2d8ce9b1278e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--68866dd4-7e92-4e0a-a8dc-aff4df1d46df",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Time Based Evasion",
      "description": "Once loaded, the backdoor runs a series of checks to ensure it is running in an actual environment. The backdoor also checks that the last write-time of the malicious DLL was 12-14 days ago",
      "effect_refs": [
        "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--231bdc8e-30ab-4d7c-8e85-2d8ce9b1278e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Security Software Discovery",
      "description": "The backdoor checks for a variety of antivirus/endpoint detection agents prior to execution (e.g. Windbg, Autoruns, Wireshark)",
      "effect_refs": [
        "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "The backdoor determines it is running in a real environment, and there are no running processes related to security software"
    },
    {
      "type": "attack-action",
      "id": "attack-action--b04df257-4f67-487d-a60a-077518519cab",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Process Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1057",
      "technique_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
      "description": "The backdoor conducts basic reconnaissance on the compromised system to determine running processes to report to the C2 server.",
      "effect_refs": [
        "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--dc540c5c-a840-4cd1-afd3-f887297f9593",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Query Registry",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1012",
      "technique_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
      "description": "The attacker obtains the MachineGuid registry value. This value is used to dynamically generate a portion of the C2 domain, along with the physical address of the interface and the domain name of the device",
      "effect_refs": [
        "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--bf2e8e32-d299-4094-a3ae-103a2488c931"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--bf2e8e32-d299-4094-a3ae-103a2488c931",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Generation Algorithms",
      "description": "Adversaries use DGAs to dynamically generate a C2 domain rather than relying on static IP addresses",
      "effect_refs": [
        "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "The backdoor successfully contacts the C2 server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--4d69ebea-7c78-41b1-87bb-e75d84d5f319",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Encoding",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1132",
      "technique_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
      "description": "The C2 responds with an encoded buffer of commands for the backdoor to execute. The commands allow the attackers to run, stop, enumerate processes; read, write, enumerate files and registry keys; collect and upload information about the device; and restart the device",
      "effect_refs": [
        "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e738e657-299f-4290-b9f8-a6dbec1e8c51",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Match Legitimate Name or Location",
      "description": "The attackers used a legitimate hostname found within the victim's environment as the hostname on their C2 infrastructure to avoid detection. The malware also masquerades its C2 traffic as the Orion Improvement Program (OIP) Protocol",
      "effect_refs": [
        "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Match Legitimate Name or Location",
      "description": "The executing process creates two files on disk. 1) A VBScript typically named after existing services or folders to avoid detection. 2) The second-stage TEARDROP Cobalt Strike loader written into a legitimate-looking subfolder of %WinDir%",
      "effect_refs": [
        "attack-action--ff70d616-d686-4bfd-a290-0f52985f7846"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963",
        "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730",
        "attack-action--60ff27b6-55dc-40b5-8eb7-50d340913c43",
        "attack-action--57bb50a9-f2eb-4b6f-8754-efcbf4619d4b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify System Firewall",
      "description": "Attackers used NETSH to configure firewall rules that limit certain UDP outbound packets before intense reconnaissance with NSLOOKUP and ADFIND",
      "effect_refs": [
        "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491"
      ]
    },
    {
      "type": "tool",
      "id": "tool--c5ed82e7-96b4-4f42-83e0-2a1f10692da0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "NETSH",
      "description": "Command-line scripting utility that allows users to display or modify the network configuration of the running computer",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "tool",
      "id": "tool--e01ce937-a9cd-412b-b38b-7faff606dfce",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "nslookup",
      "description": "Tool to query DNS to find the mapping between hostnames and IP addresses",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "tool",
      "id": "tool--adc37497-0035-4257-a920-f33140543187",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "adfind",
      "description": "Free command-line query tool that can be used to gather information from Active Directory",
      "tool_types": [
        "information-gathering"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Trust Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1482",
      "technique_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
      "description": "Attackers executed ADFIND to enumerate domains and to discover trust between federated accounts with a renamed filename chosen to blend into the environment",
      "effect_refs": [
        "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--60ff27b6-55dc-40b5-8eb7-50d340913c43",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Rename System Utilities",
      "description": "The attackers renamed Windows admin tools to conduct reconnaissance to avoid detection",
      "effect_refs": [
        "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--57bb50a9-f2eb-4b6f-8754-efcbf4619d4b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Process Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1057",
      "technique_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
      "description": "Attackers used WMI to discover processes, services, and signed-in users on remote systems",
      "effect_refs": [
        "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ff70d616-d686-4bfd-a290-0f52985f7846",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Image File Execution Options Injection",
      "description": "The attackers created an IFEO Debugger registry value for dllhost.exe to trigger execution of the installation of Cobalt Strike",
      "effect_refs": [
        "attack-action--8d74fbce-5685-4392-a134-36d67f082742"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker enumerates the network"
    },
    {
      "type": "attack-action",
      "id": "attack-action--1850d451-cbfd-4557-869b-386321a39a44",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Kerberoasting",
      "description": "Attackers obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) to crack offline",
      "effect_refs": [
        "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--42e110be-0852-4c33-bb32-a6bde8fc95e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Credentials from Password Stores",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1555",
      "technique_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
      "description": "Attackers attempted to access Group Managed Service Account (gMSA) passwords with account credentials already compromised",
      "effect_refs": [
        "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--796fb2bb-4bf5-4139-907b-56411e8d7080",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "DCSync",
      "description": "Attackers executed a DCSync attack in which they leveraged privileged accounts to access credentials",
      "effect_refs": [
        "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--8d74fbce-5685-4392-a134-36d67f082742",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Service",
      "description": "The TEARDROP malware is run through rundll32.exe, which runs as a service in the background to establish persistence",
      "effect_refs": [
        "attack-action--ec689feb-2e71-45bd-808a-2f7a8cd78a7b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ec689feb-2e71-45bd-808a-2f7a8cd78a7b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Modify Registry",
      "description": "The VBScript removes the previously created registry value to clean up any traces of execution and deletes two more registry keys in HKEY_CURRENT_USER\\.DEFAULT",
      "effect_refs": [
        "attack-action--4737ef94-c67f-461d-a616-8d04d949a790"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker has credentials"
    },
    {
      "type": "attack-action",
      "id": "attack-action--fbccf7e7-4d2b-4f19-9ebb-6acab1322eb2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable or Modify Tools",
      "description": "Attackers used the service control manager on a remote system to disable security monitoring processes before moving laterally. After they completed their lateral movement, they reenabled the services to avoid detection",
      "effect_refs": [
        "attack-action--f55a3f10-2a62-47f2-98b3-78d4983a2b87",
        "attack-action--1ccc8112-936d-4237-9211-ebf6155d42f1"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f55a3f10-2a62-47f2-98b3-78d4983a2b87",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Scheduled Task",
      "description": "PowerShell remote task creation enabling lateral movement",
      "effect_refs": [
        "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1ccc8112-936d-4237-9211-ebf6155d42f1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Valid Accounts",
      "technique_id": "T1078",
      "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
      "description": "The attackers used valid accounts to move laterally",
      "effect_refs": [
        "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--47a4f84e-4c63-49f3-8826-856d3178c0e2"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--47a4f84e-4c63-49f3-8826-856d3178c0e2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attacker is able to move laterally"
    },
    {
      "type": "attack-action",
      "id": "attack-action--4737ef94-c67f-461d-a616-8d04d949a790",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Masquerading",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1036",
      "technique_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
      "description": "During lateral movement, custom-loader DLLs, including TEARDROP, were deployed into existing Windows sub-directories. The files resemble legitimate Windows file and directory names",
      "effect_refs": [
        "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Management Instrumentation",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1047",
      "technique_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
      "description": "When executed during lateral movement, rundll32 ran through WMIC. The Cobalt Strike beacon was loaded onto the machine",
      "effect_refs": [
        "attack-action--fbc07276-1257-44e8-a855-3b1fa3d95290"
      ]
    },
    {
      "type": "tool",
      "id": "tool--a4b72723-7fd9-45d1-a108-1559637aa9eb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "WMIC",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--fbc07276-1257-44e8-a855-3b1fa3d95290",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Indicator Removal on Host",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1070",
      "technique_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
      "description": "According to Microsoft, the Cobalt Strike DLL was likely deleted after execution to avoid forensic discovery",
      "effect_refs": [
        "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153"
      ]
    },
    {
      "type": "tool",
      "id": "tool--55ef0067-c0ce-4aa0-9ffd-85b1e72a4791",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "AUDITPOL",
      "description": "Allows users to configure and manage audit settings from an elevated command prompt",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disable Windows Event Logging",
      "description": "Attackers used AUDITPOL to disable event logging while carrying out their attacks and re-enabled it afterwards",
      "effect_refs": [
        "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Information Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1082",
      "technique_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
      "description": "Attackers used fsutil to check available free space before executing collection or exfiltration, which might create large files on disk",
      "effect_refs": [
        "attack-action--0ce96a7f-cab8-4842-b19d-83db4586deca",
        "attack-action--fcdef663-b82f-4509-b30d-c7222101fe8a"
      ]
    },
    {
      "type": "tool",
      "id": "tool--7845956b-77bd-4da3-82a5-08d723e0ad1c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "fsutil",
      "description": "Allows users to view and manage settings of file systems, including FAT, NTFS, and ReFS",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0ce96a7f-cab8-4842-b19d-83db4586deca",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Local System",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1005",
      "technique_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
      "description": "The attackers were able to collect sensitive data from victims",
      "effect_refs": [
        "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--fcdef663-b82f-4509-b30d-c7222101fe8a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Archive via Utility",
      "description": "The attackers used the 7-zip utility to create a password-protected archive with an extension not associated with archive files",
      "effect_refs": [
        "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--337844f6-ac0f-4d25-a565-c7af73ea6dcd"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--337844f6-ac0f-4d25-a565-c7af73ea6dcd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration to Cloud Storage",
      "description": "The attackers mapped a OneDrive share from the command-line using the net.exe command-line utility. They also likely used other cloud services such as Google Drive"
    },
    {
      "type": "malware",
      "id": "malware--8d20ebff-787c-4a06-b767-9f28db02d680",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "Sunburst",
      "description": "FireEye named the backdoored version of the DLL file SUNBURST. This backdoor delivers different payloads, such as the memory-only dropper TEARDROP, which deploys a Cobalt Strike Beacon.",
      "malware_types": [
        "backdoor",
        "dropper"
      ],
      "is_family": false,
      "capabilities": [
        "evades-av",
        "installs-other-components",
        "hides-executing-code",
        "persists-after-system-reboot"
      ]
    },
    {
      "type": "note",
      "id": "note--72f7a185-0eb3-4177-86a3-b6eea3768a56",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "abstract": "Hiding Cobalt Strike",
      "content": "According to Microsoft, each Cobalt Strike DLL was unique to each machine and avoided overlap and reuse of folder name, file name, export function names, etc. This was done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims",
      "object_refs": [
        "attack-action--4737ef94-c67f-461d-a616-8d04d949a790"
      ]
    },
    {
      "type": "malware",
      "id": "malware--02e6f750-080a-43fb-88d4-d7b29926381e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "name": "Teardrop",
      "malware_types": [
        "trojan"
      ],
      "is_family": false
    },
    {
      "type": "note",
      "id": "note--27fee65d-dfd3-40c5-89b3-72d6fadf61e9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "abstract": "Malware Design",
      "content": "According to Microsoft, SUNBURST and TEARDROP were designed to execute as separate components to avoid detection.",
      "object_refs": [
        "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--ba0b7839-dea2-4e32-b59f-890343da61e1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "campaign--ec6a234a-cc7b-46fd-9600-a64e9a8c3184",
      "target_ref": "threat-actor--6eb7eb9a-f5e5-4943-8c29-316084ceb64f"
    },
    {
      "type": "relationship",
      "id": "relationship--d2caa097-bf1a-46a5-a084-e943fc5223f3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c",
      "target_ref": "attack-action--b04df257-4f67-487d-a60a-077518519cab"
    },
    {
      "type": "relationship",
      "id": "relationship--41975eae-5784-47e4-b0ee-32af715b7787",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c",
      "target_ref": "attack-action--dc540c5c-a840-4cd1-afd3-f887297f9593"
    },
    {
      "type": "relationship",
      "id": "relationship--3564022a-0294-4d68-b714-d72e426edb29",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344",
      "target_ref": "attack-action--4d69ebea-7c78-41b1-87bb-e75d84d5f319"
    },
    {
      "type": "relationship",
      "id": "relationship--65c472d5-dee9-483a-afa8-601bf3a9988a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344",
      "target_ref": "attack-action--e738e657-299f-4290-b9f8-a6dbec1e8c51"
    },
    {
      "type": "relationship",
      "id": "relationship--0c808b91-87ec-4b11-9cf4-da558a4fe69e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344",
      "target_ref": "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e"
    },
    {
      "type": "relationship",
      "id": "relationship--2e0c538c-34b3-4058-9e18-ad5cb8edb1ae",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e",
      "target_ref": "malware--02e6f750-080a-43fb-88d4-d7b29926381e"
    },
    {
      "type": "relationship",
      "id": "relationship--6107819b-7d6e-4bf3-9a2a-f8ab9414bd7a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963",
      "target_ref": "tool--e01ce937-a9cd-412b-b38b-7faff606dfce"
    },
    {
      "type": "relationship",
      "id": "relationship--a462d737-1001-4373-a8b3-7f0e213e9483",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963",
      "target_ref": "tool--c5ed82e7-96b4-4f42-83e0-2a1f10692da0"
    },
    {
      "type": "relationship",
      "id": "relationship--616fefbd-92a1-40ae-9583-fa135b108881",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963",
      "target_ref": "tool--adc37497-0035-4257-a920-f33140543187"
    },
    {
      "type": "relationship",
      "id": "relationship--2029370e-570c-4028-a065-ed78404bc621",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730",
      "target_ref": "tool--adc37497-0035-4257-a920-f33140543187"
    },
    {
      "type": "relationship",
      "id": "relationship--a392ba4a-fc42-47fa-8cb4-b9108c61e929",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491",
      "target_ref": "attack-action--42e110be-0852-4c33-bb32-a6bde8fc95e8"
    },
    {
      "type": "relationship",
      "id": "relationship--08865a0a-d010-462e-ba81-b9fd94429fa2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491",
      "target_ref": "attack-action--1850d451-cbfd-4557-869b-386321a39a44"
    },
    {
      "type": "relationship",
      "id": "relationship--fbc9256b-c5a0-4712-b47e-bb617d8be116",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491",
      "target_ref": "attack-action--796fb2bb-4bf5-4139-907b-56411e8d7080"
    },
    {
      "type": "relationship",
      "id": "relationship--01e72860-4213-4099-99b4-cc163b2011c4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d",
      "target_ref": "attack-action--fbccf7e7-4d2b-4f19-9ebb-6acab1322eb2"
    },
    {
      "type": "relationship",
      "id": "relationship--7c3ac994-bbb0-425d-b765-a3251f75067a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--47a4f84e-4c63-49f3-8826-856d3178c0e2",
      "target_ref": "attack-action--4737ef94-c67f-461d-a616-8d04d949a790"
    },
    {
      "type": "relationship",
      "id": "relationship--5cc7573a-7ae5-4b8a-887e-7115759100bb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909",
      "target_ref": "tool--a4b72723-7fd9-45d1-a108-1559637aa9eb"
    },
    {
      "type": "relationship",
      "id": "relationship--a013f187-f0c7-4bcb-b4db-d4326e4f2dac",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153",
      "target_ref": "tool--55ef0067-c0ce-4aa0-9ffd-85b1e72a4791"
    },
    {
      "type": "relationship",
      "id": "relationship--5c0b4d2e-0686-44e3-bc2b-991cd26f4927",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224",
      "target_ref": "tool--7845956b-77bd-4da3-82a5-08d723e0ad1c"
    },
    {
      "type": "relationship",
      "id": "relationship--fed7c797-e31b-4f99-8377-a84ba13fb4bb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.732Z",
      "modified": "2026-06-11T23:57:51.732Z",
      "relationship_type": "related-to",
      "source_ref": "malware--8d20ebff-787c-4a06-b767-9f28db02d680",
      "target_ref": "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be"
    }
  ]
}