{ "type": "bundle", "id": "bundle--dccb1474-ea1a-44b0-a79b-f91bc497a8c7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.765Z", "modified": "2026-06-11T23:57:51.765Z", "objects": [ { "type": "extension-definition", "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "name": "Attack Flow", "description": "Extends STIX 2.1 with features to create Attack Flows.", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", "version": "2.0.0", "extension_types": [ "new-sdo" ], "external_references": [ { "source_name": "Documentation", "description": "Documentation for Attack Flow", "url": "https://center-for-threat-informed-defense.github.io/attack-flow" }, { "source_name": "GitHub", "description": "Source code repository for Attack Flow", "url": "https://github.com/center-for-threat-informed-defense/attack-flow" } ] }, { "type": "identity", "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "name": "MITRE Center for Threat-Informed Defense", "identity_class": "organization" }, { "type": "attack-flow", "id": "attack-flow--dd875c61-26a9-4b8b-879e-9f00346300fd", "spec_version": "2.1", "created": "2022-10-27T02:44:54.520Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "created_by_ref": "identity--83972be2-f1f8-4410-a739-00fe49872e81", "start_refs": [ "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", "attack-action--d2a45c19-9a32-40ce-bcc7-a4cd4682e2e4" ], "name": "Target Breach", "description": "Attack flow for the 2013 Target breach.", "scope": "incident", "external_references": [ { "source_name": "ZDNET", "description": "Article", "url": "https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/" }, { "source_name": "SANS", "description": "Whitepaper/Case Study", "url": "https://sansorg.egnyte.com/dl/g5ykEMZpIk" }, { "source_name": "Committee on Commerce, Science, and Transportation", "description": "Senate Report", "url": "https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883" }, { "source_name": "Krebs on Security", "description": "Article", "url": "https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/" } ] }, { "type": "identity", "id": "identity--83972be2-f1f8-4410-a739-00fe49872e81", "spec_version": "2.1", "created": "2026-06-11T23:57:51.765Z", "modified": "2026-06-11T23:57:51.765Z", "name": "Lauren Parker", "contact_information": "lparker@mitre.org" }, { "type": "attack-action", "id": "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Client Configurations", "description": "Gathered information on Target network configurations", "effect_refs": [ "attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f" ] }, { "type": "attack-action", "id": "attack-action--d2a45c19-9a32-40ce-bcc7-a4cd4682e2e4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Search Engines", "description": "Googled information on Target systems for reconnaissance", "effect_refs": [ "attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f" ] }, { "type": "attack-condition", "id": "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Identified technical configurations and 3rd party Suppliers" }, { "type": "attack-action", "id": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Trusted Relationship", "tactic_id": "TA0001", "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "technique_id": "T1199", "technique_ref": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925", "description": "Targeted third-party supplier to gain access to Target's internal systems", "effect_refs": [ "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089" ] }, { "type": "attack-action", "id": "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Phishing", "tactic_id": "TA0001", "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "technique_id": "T1566", "technique_ref": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "description": "phishing attempts toward Fazio employees", "effect_refs": [ "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b" ], "asset_refs": [ "attack-asset--c9305dd0-51f8-4edd-93e9-5a481a25e80b" ] }, { "type": "attack-asset", "id": "attack-asset--c9305dd0-51f8-4edd-93e9-5a481a25e80b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Fazio systems", "description": "compromised by attackers" }, { "type": "attack-action", "id": "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Domain Accounts", "description": "Attackers compromised AD credentials", "asset_refs": [ "attack-asset--de6fb678-73e8-4861-bde7-b2b76c166f31" ], "effect_refs": [ "attack-action--00173e68-78d0-448d-a71c-5de90b70ed70", "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac" ] }, { "type": "attack-condition", "id": "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Phishing attempts successful" }, { "type": "attack-asset", "id": "attack-asset--de6fb678-73e8-4861-bde7-b2b76c166f31", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ariba System", "description": "used by Fazio employees with AD credentials" }, { "type": "attack-action", "id": "attack-action--3d2dfd9d-c7a5-40e9-aa7c-5b987d732c86", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Server Software Component", "tactic_id": "TA0003", "tactic_ref": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", "technique_id": "T1505", "technique_ref": "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb", "description": "Attackers compromised additional servers using compromised valid accounts", "asset_refs": [ "attack-asset--17eefa4c-22c9-4653-902b-1b53e98480e8" ], "effect_refs": [ "attack-condition--aa1e1686-316f-4fe9-b429-c95364d411b3" ] }, { "type": "attack-asset", "id": "attack-asset--17eefa4c-22c9-4653-902b-1b53e98480e8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Servers" }, { "type": "attack-action", "id": "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers dropped malware to Target's POS systems", "effect_refs": [ "attack-condition--34892151-7072-445f-9312-c105ba550d77" ] }, { "type": "attack-condition", "id": "attack-condition--34892151-7072-445f-9312-c105ba550d77", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Dropped malware worked successfully on POS systems and RAM scrapping portion began gathering information from card swipes" }, { "type": "attack-action", "id": "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Default Accounts", "description": "Attackers may have compromised a default account on the BMC Software Management system to gain further access into Target's network and move laterally", "asset_refs": [ "attack-asset--6103f692-0ae1-45e8-a3e2-53b702ef0ac0" ], "effect_refs": [ "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854" ] }, { "type": "attack-asset", "id": "attack-asset--6103f692-0ae1-45e8-a3e2-53b702ef0ac0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "BMC Software Management System" }, { "type": "attack-action", "id": "attack-action--c4c51349-fb4e-49af-9466-9a926f84f874", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Scheduled Transfer", "tactic_id": "TA0010", "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", "technique_id": "T1029", "technique_ref": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466", "description": "Every seven hours the Trojan malware checks to see if the local time is between the hours of 10 AM and 5 PM", "effect_refs": [ "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b" ] }, { "type": "attack-condition", "id": "attack-condition--aa1e1686-316f-4fe9-b429-c95364d411b3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Through moving laterally, attackers discover, target, and test malware on POS systems" }, { "type": "attack-condition", "id": "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "The POS local time is between 10 AM and 5 PM" }, { "type": "attack-action", "id": "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Lateral Tool Transfer", "tactic_id": "TA0008", "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", "technique_id": "T1570", "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", "description": "Winxml.dll is sent over a temporary NetBIOS share", "effect_refs": [ "attack-action--3473c9f8-ad1c-4984-ad44-fef099578405" ] }, { "type": "attack-action", "id": "attack-action--3473c9f8-ad1c-4984-ad44-fef099578405", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "description": "A temporary NetBIOS share is established to transfer POS data to an internal dump server", "effect_refs": [ "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab" ] }, { "type": "attack-action", "id": "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Remote Data Staging", "description": "An internal dump server is created to collect POS information from multiple systems via the temporary NetBIOS share", "effect_refs": [ "attack-action--08397107-cda4-4f2b-acc9-db91bf4b4e48", "attack-action--5bc375fd-6c57-48c2-8506-4c74515137b6" ] }, { "type": "attack-action", "id": "attack-action--08397107-cda4-4f2b-acc9-db91bf4b4e48", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Defense Evasion", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "description": "The trojan malware transfer data to the internal dump server using common ports: 80, 139, and 443.", "effect_refs": [ "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b" ] }, { "type": "attack-action", "id": "attack-action--5bc375fd-6c57-48c2-8506-4c74515137b6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Non-Application Layer Protocol", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1095", "technique_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", "description": "Once data is stored on the internal dump server, an ICMP packet is sent to a remote server (possibly a C2 server) to alert attackers that data is located on the internal dump server and ready for exfiltration", "effect_refs": [ "attack-action--1b6f56cd-6a8a-459c-9960-7d8af6e5d7d1" ] }, { "type": "attack-action", "id": "attack-action--1b6f56cd-6a8a-459c-9960-7d8af6e5d7d1", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Exfiltration", "tactic_id": "TA0010", "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", "description": "Attackers exfiltrate data from the internal dump server to off-site FTP servers using unknown techniques." }, { "type": "attack-action", "id": "attack-action--d87c651b-5316-414c-acd2-ef1ba840a890", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers dropped exfiltration malware onto Target's network" }, { "type": "attack-operator", "id": "attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313" ] }, { "type": "attack-operator", "id": "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-action--3d2dfd9d-c7a5-40e9-aa7c-5b987d732c86" ] }, { "type": "tool", "id": "tool--c492196e-a9a7-470f-bec9-113f12f656f7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "name": "BlackPOS malware", "description": "tailored version of the malware", "tool_types": [ "Exploitation" ] }, { "type": "tool", "id": "tool--f40b3d07-9df6-4c81-abe2-d99c05c77f51", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "name": "winxml.dll", "tool_types": [ "Unknown" ] }, { "type": "infrastructure", "id": "infrastructure--60671446-e542-4c46-ac89-12456629cb88", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "name": "NetBIOS Share", "infrastructure_types": [ "Unknown" ] }, { "type": "infrastructure", "id": "infrastructure--2bf42bf8-6ed2-44b0-950c-cadddf754384", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "name": "Dump Server", "infrastructure_types": [ "Unknown" ] }, { "type": "identity", "id": "identity--a7ce421b-e112-4070-8236-c6121ed68508", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "name": "Fazio Mechanical", "description": "3rd party HVAC company that contracted with Target", "roles": [ "Third-party company" ], "identity_class": "Organization", "sectors": [ "Utilities" ] }, { "type": "attack-action", "id": "attack-action--00173e68-78d0-448d-a71c-5de90b70ed70", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Exploitation for Client Execution", "tactic_id": "TA0002", "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", "technique_id": "T1203", "technique_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "description": "Attackers compromised additional servers using software vulnerabilities", "effect_refs": [ "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854" ] }, { "type": "relationship", "id": "relationship--4fa95c38-e9c6-4503-bf7b-adc2fc061360", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313", "target_ref": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c" }, { "type": "relationship", "id": "relationship--c8b21c0a-a98c-49cd-9af5-54625b32fcd9", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", "target_ref": "identity--a7ce421b-e112-4070-8236-c6121ed68508" }, { "type": "relationship", "id": "relationship--d24dca11-e507-4764-ac02-58ab741773a5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b", "target_ref": "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45" }, { "type": "relationship", "id": "relationship--de79baa8-af1b-47b1-a845-ce00cdd7e44d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765", "target_ref": "tool--c492196e-a9a7-470f-bec9-113f12f656f7" }, { "type": "relationship", "id": "relationship--1a0856a8-a2c1-4b5f-a873-ac9ccf22d4e4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--34892151-7072-445f-9312-c105ba550d77", "target_ref": "attack-action--d87c651b-5316-414c-acd2-ef1ba840a890" }, { "type": "relationship", "id": "relationship--26f1a0dd-ead2-4ea0-b4d0-8f0c41d51a59", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--34892151-7072-445f-9312-c105ba550d77", "target_ref": "attack-action--c4c51349-fb4e-49af-9466-9a926f84f874" }, { "type": "relationship", "id": "relationship--d975f120-c088-444f-a488-65279b82a10f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--aa1e1686-316f-4fe9-b429-c95364d411b3", "target_ref": "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765" }, { "type": "relationship", "id": "relationship--b2abe635-0e77-4d57-af01-78912311c5c0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b", "target_ref": "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a" }, { "type": "relationship", "id": "relationship--a3cf3cc9-48a5-42c8-8a4a-63e4d03ef931", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a", "target_ref": "tool--f40b3d07-9df6-4c81-abe2-d99c05c77f51" }, { "type": "relationship", "id": "relationship--4bf3f3ba-956c-4359-bb47-e5054157e689", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-action--3473c9f8-ad1c-4984-ad44-fef099578405", "target_ref": "infrastructure--60671446-e542-4c46-ac89-12456629cb88" }, { "type": "relationship", "id": "relationship--f3aaa2c8-1e71-4073-b4bb-67d21b9ba351", "spec_version": "2.1", "created": "2026-06-11T23:57:51.766Z", "modified": "2026-06-11T23:57:51.766Z", "relationship_type": "related-to", "source_ref": "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab", "target_ref": "infrastructure--2bf42bf8-6ed2-44b0-950c-cadddf754384" } ] }