{
  "type": "bundle",
  "id": "bundle--4e5432cc-e49a-4c62-8908-c6f99fcbcbe6",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.783Z",
  "modified": "2026-06-11T23:57:51.783Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--c616ef4f-5a72-4529-9b06-bc4a9279c2f6",
      "spec_version": "2.1",
      "created": "2025-07-28T19:17:33.949Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--85e8d39e-9090-43a0-a421-efd85c7271e8",
      "start_refs": [
        "attack-action--a9dd4259-c077-4bec-9166-6c94a4ae8d70"
      ],
      "name": "ToolShell Vulnerability in SharePoint",
      "description": "A widespread vulnerability in on-premises Microsoft SharePoint leads to remote code execution and credential theft.",
      "scope": "campaign",
      "external_references": [
        {
          "source_name": "Understand the SharePoint RCE: Exploitations, Detections, and Mitigations",
          "description": "Akamai Security Intelligence Group",
          "url": "https://www.akamai.com/blog/security-research/sharepoint-vulnerability-rce-active-exploitation-detections-mitigations"
        },
        {
          "source_name": "Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief",
          "description": "Palo Alto – Unit 42",
          "url": "https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/"
        },
        {
          "source_name": "ToolShell: A SharePoint RCE chain actively exploited",
          "description": "Varonis Threat Labs",
          "url": "https://www.varonis.com/blog/toolshell-sharepoint-rce"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--85e8d39e-9090-43a0-a421-efd85c7271e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "Mark Haase",
      "identity_class": "individual",
      "contact_information": "mhaase@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--a9dd4259-c077-4bec-9166-6c94a4ae8d70",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Attackers use an authentication bypass vulnerability in Microsoft SharePoint (on-prem) to send a specially crafted HTTP request with a manipulated Referer header to the ToolPane endpoint.",
      "effect_refs": [
        "attack-action--f162ae8a-a6c9-4eeb-b6e0-7ee6f39f8e2e"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--fc666848-ebd8-4af4-a926-580fcdffaed2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "CVE-2025-49706",
      "description": "Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network."
    },
    {
      "type": "note",
      "id": "note--3126ebce-3f8d-4685-9985-5106af6cc4d2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "abstract": "Manipulated Referer Header",
      "content": "Referer: /_layouts/SignOut.aspx",
      "object_refs": [
        "attack-action--a9dd4259-c077-4bec-9166-6c94a4ae8d70"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f162ae8a-a6c9-4eeb-b6e0-7ee6f39f8e2e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "The same HTTP request also contains an exploit for a deserialization vulnerability that allows remote code execution.",
      "effect_refs": [
        "attack-action--d2509fcf-8574-42c5-9b9c-aefc7f70c1cb"
      ]
    },
    {
      "type": "url",
      "id": "url--6535fc9f-c489-4ff4-b3ed-a290a25da480",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "value": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx"
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--9c343508-dc18-4c18-bb3f-720255216309",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "CVE-2025-49704",
      "description": "Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."
    },
    {
      "type": "attack-action",
      "id": "attack-action--d2509fcf-8574-42c5-9b9c-aefc7f70c1cb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "The deserialization exploit leads to execution of a PowerShell payload.",
      "effect_refs": [
        "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
        "attack-action--008353db-6512-4d03-aeea-0bd065ed0a97",
        "attack-action--54f36148-bba7-4a97-aaa5-8493be71ef0d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Shell",
      "description": "The attackers deploy an ASPX web shell that is capable of extracting cryptographic signing keys.",
      "effect_refs": [
        "attack-action--569b8f7c-59f2-4df3-9fd9-f8c268130cd9"
      ]
    },
    {
      "type": "note",
      "id": "note--27d8f506-70aa-4732-8011-d8705d75b94a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "abstract": "Akamai / Unit 42 Variant 2",
      "content": "This attack path shows the post-exploitation behavior observed in the Akamai report. (Unit 42 published nearly identical intelligence that they called \"Variation 2\".)",
      "object_refs": [
        "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265"
      ]
    },
    {
      "type": "file",
      "id": "file--498fda9e-66c9-48e7-8b3a-32e96c830033",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "spinstall0.aspx"
    },
    {
      "type": "attack-action",
      "id": "attack-action--e5000cc6-e025-44ff-9d81-513ad0cbbf86",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Unsecured Credentials",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1552",
      "technique_ref": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
      "description": "The web shell extracts the MachineKey from memory.",
      "effect_refs": [
        "attack-action--d2dada60-cc73-4b2d-b652-84a9104bcb37"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--569b8f7c-59f2-4df3-9fd9-f8c268130cd9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Reflective Code Loading",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1620",
      "technique_ref": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a",
      "description": "The web shell uses reflection to access the web configuration from memory.",
      "effect_refs": [
        "attack-action--e5000cc6-e025-44ff-9d81-513ad0cbbf86"
      ]
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--57890b7f-d16b-49a7-bc5d-fd5b68e2eee0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "value": "107.191.58.76"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--05262d6e-2758-46f6-8061-2e46d7003b6d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "value": "104.238.159.149"
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--777dd3e3-48a8-4d7a-9002-aa19fdc07aa7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "value": "96.9.125.147"
    },
    {
      "type": "domain-name",
      "id": "domain-name--3d049b16-d78d-4fd8-b2a4-91a7d159e827",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "value": "dynastyjusticecollective.site"
    },
    {
      "type": "attack-action",
      "id": "attack-action--d2dada60-cc73-4b2d-b652-84a9104bcb37",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over C2 Channel",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1041",
      "technique_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
      "description": "The attacker exfiltrates the MachineKey through the web shell.",
      "effect_refs": [
        "attack-action--3e5ecd65-6165-4dfb-9642-2b49ce2e80a1"
      ]
    },
    {
      "type": "note",
      "id": "note--845e5642-6ed8-4403-864e-6234ef03209c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "abstract": "Unit42 Variant 1",
      "content": "This attack path shows the post-exploitation behavior observed in the Unit 42 report labeled \"Variation 1\".",
      "object_refs": [
        "attack-action--008353db-6512-4d03-aeea-0bd065ed0a97"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--008353db-6512-4d03-aeea-0bd065ed0a97",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Automated Collection",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1119",
      "technique_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
      "description": "The payload iterates over the webroot recursively looking for web.config files and extracting their contents.",
      "effect_refs": [
        "attack-action--f3f53445-df65-439e-8d00-6798a6ae52c7"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f3f53445-df65-439e-8d00-6798a6ae52c7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Local Data Staging",
      "description": "The contents of web.config files are staged in a new file called debug_dev.js.",
      "effect_refs": [
        "attack-action--0b2518af-d570-43f3-b1c6-90988a96ace8"
      ]
    },
    {
      "type": "file",
      "id": "file--637a45fa-407f-41c3-994a-536860d4bf3f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\debug_dev.js"
    },
    {
      "type": "attack-action",
      "id": "attack-action--54f36148-bba7-4a97-aaa5-8493be71ef0d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Obfuscated Files or Information",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1027",
      "technique_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
      "description": "The PowerShell payload is base64 encoded.",
      "effect_refs": [
        "attack-action--f3966e0f-075c-4ce1-a341-dae0e7981c2b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0b2518af-d570-43f3-b1c6-90988a96ace8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over C2 Channel",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1041",
      "technique_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
      "description": "The adversary exfiltrates the staged data over HTTP.",
      "confidence": 0,
      "effect_refs": [
        "attack-action--3e5ecd65-6165-4dfb-9642-2b49ce2e80a1"
      ]
    },
    {
      "type": "note",
      "id": "note--9f90fa81-aa0e-4caa-b754-e33d491b56c1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "abstract": "Unit42 Variant 3",
      "content": "This attack path shows the post-exploitation behavior observed in the Unit 42 report labeled \"Variation 3\".",
      "object_refs": [
        "attack-action--54f36148-bba7-4a97-aaa5-8493be71ef0d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3e5ecd65-6165-4dfb-9642-2b49ce2e80a1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "ViewState Persistence",
      "tactic_id": "TA0003",
      "tactic_ref": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
      "description": "The attacker uses the stolen MachineKey to forge the ASP.NET VIEWSTATE, which allows code execution even after the CVEs are patched and the web shells are removed."
    },
    {
      "type": "file",
      "id": "file--5ecca340-5fd5-45f9-acb5-136cbe15dac8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"
    },
    {
      "type": "file",
      "id": "file--d1ac682d-4af2-4f22-9816-35516654dccb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "name": "\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"
    },
    {
      "type": "attack-action",
      "id": "attack-action--88ec52f4-e6a8-4566-a5ea-2148e438e4cf",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Unsecured Credentials",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1552",
      "technique_ref": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
      "description": "The web shell extracts the MachineKey from memory.",
      "effect_refs": [
        "attack-action--e75d8848-b1b6-4fa9-80d5-5f50d94c387b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f3966e0f-075c-4ce1-a341-dae0e7981c2b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Reflective Code Loading",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1620",
      "technique_ref": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a",
      "description": "The web shell uses reflection to access the web configuration from memory.",
      "effect_refs": [
        "attack-action--88ec52f4-e6a8-4566-a5ea-2148e438e4cf"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e75d8848-b1b6-4fa9-80d5-5f50d94c387b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over C2 Channel",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1041",
      "technique_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
      "description": "The attacker exfiltrates the MachineKey through the web shell.",
      "effect_refs": [
        "attack-action--3e5ecd65-6165-4dfb-9642-2b49ce2e80a1"
      ]
    },
    {
      "type": "note",
      "id": "note--575afe87-6e37-42a6-8327-697623902e25",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "abstract": "Ysoserial",
      "content": "For example, ysoserial.net is an open-source tool that forges ViewState cookies given a MachineKey: https://github.com/pwntester/ysoserial.net",
      "object_refs": [
        "attack-action--3e5ecd65-6165-4dfb-9642-2b49ce2e80a1"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--512905c6-876b-45dd-8831-c2ee31621906",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a9dd4259-c077-4bec-9166-6c94a4ae8d70",
      "target_ref": "vulnerability--fc666848-ebd8-4af4-a926-580fcdffaed2"
    },
    {
      "type": "relationship",
      "id": "relationship--cd3f0544-080f-4226-a3c0-ea9dd0e33b1d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a9dd4259-c077-4bec-9166-6c94a4ae8d70",
      "target_ref": "url--6535fc9f-c489-4ff4-b3ed-a290a25da480"
    },
    {
      "type": "relationship",
      "id": "relationship--c62191a4-bcf2-4b6c-b7c6-a4a027d6a07c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f162ae8a-a6c9-4eeb-b6e0-7ee6f39f8e2e",
      "target_ref": "vulnerability--9c343508-dc18-4c18-bb3f-720255216309"
    },
    {
      "type": "relationship",
      "id": "relationship--7af28cbf-15c2-4999-9f5d-b0bd7e45e767",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "target_ref": "file--498fda9e-66c9-48e7-8b3a-32e96c830033"
    },
    {
      "type": "relationship",
      "id": "relationship--81724f1f-1f5f-457e-a4ac-ab43c75b971e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "target_ref": "ipv4-addr--57890b7f-d16b-49a7-bc5d-fd5b68e2eee0"
    },
    {
      "type": "relationship",
      "id": "relationship--eef0491f-fa0e-442e-8262-8bfd11829200",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "target_ref": "ipv4-addr--05262d6e-2758-46f6-8061-2e46d7003b6d"
    },
    {
      "type": "relationship",
      "id": "relationship--17865c20-d2a6-46f5-83fb-ea00fcdb0cc1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "target_ref": "ipv4-addr--777dd3e3-48a8-4d7a-9002-aa19fdc07aa7"
    },
    {
      "type": "relationship",
      "id": "relationship--d34f404c-cc25-4868-a0b0-2238b11b3934",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f4c597c-fa8a-4621-a81d-c697c8e87265",
      "target_ref": "domain-name--3d049b16-d78d-4fd8-b2a4-91a7d159e827"
    },
    {
      "type": "relationship",
      "id": "relationship--79a2d41c-8d64-48a5-9aff-f1d2c68246c5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f3f53445-df65-439e-8d00-6798a6ae52c7",
      "target_ref": "file--637a45fa-407f-41c3-994a-536860d4bf3f"
    },
    {
      "type": "relationship",
      "id": "relationship--f48c6fae-91d4-4a8d-814b-4f177bd388e1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f3966e0f-075c-4ce1-a341-dae0e7981c2b",
      "target_ref": "file--d1ac682d-4af2-4f22-9816-35516654dccb"
    },
    {
      "type": "relationship",
      "id": "relationship--bed94d2d-2c1e-4b9f-be6d-f2f2e4258872",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.783Z",
      "modified": "2026-06-11T23:57:51.783Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f3966e0f-075c-4ce1-a341-dae0e7981c2b",
      "target_ref": "file--5ecca340-5fd5-45f9-acb5-136cbe15dac8"
    }
  ]
}