Skip to content

Instantly share code, notes, and snippets.

@aamedina

aamedina/enterprise-attack.ttl

Created April 21, 2024 23:24
Show Gist options
  • Save aamedina/f0f25ab46ebb775d19a217b787d6c210 to your computer and use it in GitHub Desktop.
Save aamedina/f0f25ab46ebb775d19a217b787d6c210 to your computer and use it in GitHub Desktop.
Download ZIP
Enterprise ATT&CK 14.1 in RDF (WIP)
Raw
enterprise-attack.ttl
This file has been truncated, but you can view the full file.
@prefix : <https://github.com/mitre-attack/attack-stix-data/raw/master/enterprise-attack/enterprise-attack-14.1.json#> .
@prefix d3f: <http://d3fend.mitre.org/ontologies/d3fend.owl#> .
@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix skos: <http://www.w3.org/2004/02/skos/core#> .
@prefix stix: <http://docs.oasis-open.org/cti/ns/stix#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
:relationship--ae5e7681-f93e-4b5f-80f9-8235a9015e7f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b;
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062;
dcterms:created "2021-03-26T13:32:03.358Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021)";
dcterms:modified "2021-03-26T13:32:03.358Z"^^xsd:dateTime .
:relationship--adc6b431-0722-4287-8f37-e09ddb5b25fe
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2019-09-24T12:31:43.557Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) ";
dcterms:modified "2023-03-23T15:45:58.867Z"^^xsd:dateTime .
:relationship--8a2be44e-6a93-479f-ade9-7d49a1eb692a
rdf:type stix:Relationship;
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2021-01-11T19:07:12.147Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to compress archived screenshots.(Citation: Red Canary NETWIRE January 2020)";
dcterms:modified "2021-01-11T19:07:12.147Z"^^xsd:dateTime .
:relationship--6c0aae73-fe06-4aa3-8216-568d78747c6d
rdf:type stix:Relationship;
stix:source_ref :malware--fb261c56-b80e-43a9-8351-c84081e7213d;
stix:target_ref :attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Newer variants of [BACKSPACE](https://attack.mitre.org/software/S0031) will encode C2 communications with a custom system.(Citation: FireEye APT30)";
dcterms:modified "2020-03-20T22:30:03.938Z"^^xsd:dateTime .
:relationship--b71e10b8-e566-470b-8a5c-b634ddfd3965
rdf:type stix:Relationship;
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2021-11-30T16:13:37.396Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can decrypt its payload using RC4, AES, or one-byte XORing.(Citation: Kaspersky ThreatNeedle Feb 2021)";
dcterms:modified "2022-04-13T13:37:30.318Z"^^xsd:dateTime .
:relationship--8a03f60e-bb09-4f4d-815e-88d86192042f
rdf:type stix:Relationship;
stix:source_ref :campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa;
stix:target_ref :attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470;
dcterms:created "2023-07-12T18:57:23.334Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)";
dcterms:modified "2023-07-12T18:57:23.334Z"^^xsd:dateTime .
:relationship--86a7ffc8-6107-4854-96a7-d39f8bb4069f
rdf:type stix:Relationship;
stix:source_ref :malware--56aa3c82-ed40-4b5a-84bf-7231356d9e96;
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735;
dcterms:created "2022-03-24T11:46:08.667Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DRATzarus](https://attack.mitre.org/software/S0694) can search for other machines connected to compromised host and attempt to map the network.(Citation: ClearSky Lazarus Aug 2020)";
dcterms:modified "2022-04-17T18:38:15.780Z"^^xsd:dateTime .
:relationship--b8d33b58-e0d0-4bf8-a8ec-f6c4c2f1a480
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f;
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b;
dcterms:created "2020-01-17T16:49:36.593Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a9f79f14-d160-4be5-8bbe-ad0b52770b9f
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47;
dcterms:created "2019-07-18T15:36:27.535Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) opportunities can limit the exposure to this technique.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2b97e16e-8c39-4e5e-ad90-15c10f15d923
rdf:type stix:Relationship;
stix:source_ref :malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb;
stix:target_ref :attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[USBStealer](https://attack.mitre.org/software/S0136) exfiltrates collected files via removable media from air-gapped victims.(Citation: ESET Sednit USBStealer 2014)";
dcterms:modified "2020-03-11T17:45:54.143Z"^^xsd:dateTime .
:relationship--b49fa23f-285c-4a8d-81c6-995747e4a84b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada;
stix:target_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148;
dcterms:created "2020-07-04T22:20:47.110Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ClearSky Charming Kitten Dec 2017)";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--238e1f61-36d8-41a9-b480-bb35cb30d21d
rdf:type stix:Relationship;
stix:source_ref :tool--79dd477a-8226-4b3d-ad15-28623675f221;
stix:target_ref :attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51;
dcterms:created "2022-04-16T22:12:54.124Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Peirates](https://attack.mitre.org/software/S0683) can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.(Citation: Peirates GitHub)";
dcterms:modified "2022-04-16T22:15:23.599Z"^^xsd:dateTime .
:relationship--16632684-1ef3-41bb-9ef1-97c6c3294448
rdf:type stix:Relationship;
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2021-05-10T23:54:36.034Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)";
dcterms:modified "2021-05-11T16:29:08.588Z"^^xsd:dateTime .
:relationship--81682d49-acb2-4439-a7da-1a28126cea94
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)";
dcterms:modified "2020-12-11T17:47:22.639Z"^^xsd:dateTime .
:relationship--03cb8f9a-7ad7-4aa8-966f-bf768023eb89
rdf:type stix:Relationship;
stix:source_ref :malware--c46eb8e6-bf29-4696-8008-3ddb0b4ca470;
stix:target_ref :attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852;
dcterms:created "2022-12-20T21:22:44.875Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DEADEYE](https://attack.mitre.org/software/S1052) can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain.(Citation: Mandiant APT41)";
dcterms:modified "2023-01-26T15:13:58.340Z"^^xsd:dateTime .
:relationship--42968b37-a9f4-4bd8-b2af-36a04bd2803d
rdf:type stix:Relationship;
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96;
stix:target_ref :attack-pattern--d21a2069-23d5-4043-ad6d-64f6b644cb1a;
dcterms:created "2019-06-14T17:07:30.311Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--a020a61c-423f-4195-8c46-ba1d21abba37
rdf:type stix:Malware;
rdfs:label "Ryuk";
dcterms:created "2020-05-13T20:14:53.171Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)";
dcterms:modified "2023-08-09T18:11:35.634Z"^^xsd:dateTime .
:relationship--16f64842-8ba8-4827-a47f-e7d665f942ae
rdf:type stix:Relationship;
stix:source_ref :malware--6b62e336-176f-417b-856a-8552dd8c44e1;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2019-01-29T19:55:48.080Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Epic](https://attack.mitre.org/software/S0091) uses the <code>net time</code> command to get the system time from the machine and collect the current date and time zone information.(Citation: Kaspersky Turla)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--79958036-a8bf-4808-af4f-f9f7a9cb6e7c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d;
dcterms:created "2019-09-23T22:53:30.129Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)";
dcterms:modified "2023-03-23T15:27:10.530Z"^^xsd:dateTime .
:relationship--f705286a-3372-4343-b74f-cab6ff672774
rdf:type stix:Relationship;
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31;
stix:target_ref :attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665;
dcterms:created "2023-03-08T20:11:59.732Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Remove unnecessary tools and software from containers.";
dcterms:modified "2023-03-08T20:11:59.732Z"^^xsd:dateTime .
:relationship--4859e904-e404-4bae-a106-d347c9cc2e18
rdf:type stix:Relationship;
stix:source_ref :malware--599cd7b5-37b5-4cdd-8174-2811531ce9d0;
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58;
dcterms:created "2021-09-21T15:10:56.095Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SpicyOmelette](https://attack.mitre.org/software/S0646) can enumerate running software on a targeted system.(Citation: Secureworks GOLD KINGSWOOD September 2018)";
dcterms:modified "2021-09-21T15:10:56.095Z"^^xsd:dateTime .
:relationship--e61e5dc3-b6ac-4909-b188-eaede02385df
rdf:type stix:Relationship;
stix:source_ref :malware--1d1fce2f-0db5-402b-9843-4278a0694637;
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18;
dcterms:created "2020-03-30T20:44:34.666Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GravityRAT](https://attack.mitre.org/software/S0237) has used HTTP over a non-standard port, such as TCP port 46769.(Citation: Talos GravityRAT)";
dcterms:modified "2020-03-30T20:44:34.666Z"^^xsd:dateTime .
:relationship--08f2da07-4e03-46bd-a3d9-c79ef7dd9a45
rdf:type stix:Relationship;
stix:source_ref :campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa;
stix:target_ref :attack-pattern--830c9528-df21-472c-8c14-a036bf17d665;
dcterms:created "2023-07-12T20:35:24.120Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)";
dcterms:modified "2023-07-12T20:35:24.120Z"^^xsd:dateTime .
:relationship--e84df21f-b55f-4b5d-ae7b-0f8fcc4eed95
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2022-03-30T14:26:51.864Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. (Citation: TechNet Autoruns)\n\nDetection of the modification of the registry key <code>Common Startup</code> located in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\ and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.\n\n<h4>Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’</h4>\n<code>logon_reg_processes = filter processes where (command_line CONTAINS(\"*reg*\") AND command_line CONTAINS(\"*add*\") AND command_line CONTAINS(\"*/d*\") OR (command_line CONTAINS(\"*Set-ItemProperty*\") AND command_line CONTAINS(\"*-value*\")) AND command_line CONTAINS(\"*Common Startup*\"))\nreg_keys = search Registry:value_edit\nlogon_reg_keys = filter reg_keys where value=\"Common Startup\"</code>";
dcterms:modified "2023-09-15T17:16:19.133Z"^^xsd:dateTime .
:relationship--60269020-6ab2-496a-9649-3b1cd707aced
rdf:type stix:Relationship;
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b;
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c;
dcterms:created "2022-10-13T15:28:44.218Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) has used a service named `WSearch` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)";
dcterms:modified "2022-10-13T16:10:56.771Z"^^xsd:dateTime .
:relationship--8c418cb5-2cff-45f9-ad5d-b8b65cde713c
rdf:type stix:Relationship;
stix:source_ref :malware--c9ccc4df-1f56-49e7-ad57-b383e1451688;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2021-03-01T14:07:36.882Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LookBack](https://attack.mitre.org/software/S0582) uses a modified version of RC4 for data transfer.(Citation: Proofpoint LookBack Malware Aug 2019)";
dcterms:modified "2021-03-02T18:15:56.541Z"^^xsd:dateTime .
:malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f
rdf:type stix:Malware;
rdfs:label "Carbon";
dcterms:created "2019-01-29T19:36:02.103Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--10c609ce-f256-436c-8288-3441cb123fc5
rdf:type stix:Relationship;
stix:source_ref :malware--7bef1b56-4870-4e74-b32a-7dd88c390c44;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2020-07-01T20:27:58.395Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bundlore](https://attack.mitre.org/software/S0482) has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)";
dcterms:modified "2020-07-01T21:30:17.251Z"^^xsd:dateTime .
:relationship--c4cd9acb-aaea-4b77-890e-f153a58623a4
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3;
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a;
dcterms:created "2019-07-18T15:05:36.677Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: <code>reagentc /enable</code>.(Citation: reagentc_cmd)";
dcterms:modified "2023-02-20T18:48:15.794Z"^^xsd:dateTime .
:relationship--73bcd300-467e-4473-9ba7-772ae1c58610
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :malware--63c4511b-2d6e-4bb2-b582-e2e99a8a467d;
dcterms:created "2021-01-14T20:19:39.292Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Microsoft GALLIUM December 2019)";
dcterms:modified "2021-01-14T20:19:39.292Z"^^xsd:dateTime .
:relationship--ed821f5e-9527-4fbb-ae76-37a79592dfb6
rdf:type stix:Relationship;
stix:source_ref :course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9;
stix:target_ref :attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b;
dcterms:created "2020-03-02T18:49:28.109Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Anti-virus can automatically quarantine suspicious files.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--199463de-d9be-46d6-bb41-07234c1dd5a6
rdf:type stix:Malware;
rdfs:label "GeminiDuke";
dcterms:created "2017-05-31T21:32:36.177Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--04d60222-e8da-4de5-bc58-dcfae65986f5
rdf:type stix:Relationship;
stix:source_ref :malware--edb24a93-1f7a-4bbf-a738-1397a14662c6;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2019-04-17T13:46:38.848Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Astaroth](https://attack.mitre.org/software/S0373) collects the timestamp from the infected machine. (Citation: Cofense Astaroth Sept 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c65d4006-003c-4aff-a8c7-bd5834678b58
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bfc5ddb3-4dfb-4278-8928-020e1b3feddd;
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b;
dcterms:created "2023-04-03T17:31:01.013Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Metador](https://attack.mitre.org/groups/G1013) has used TCP for C2.(Citation: SentinelLabs Metador Sept 2022)";
dcterms:modified "2023-04-03T17:31:01.013Z"^^xsd:dateTime .
:relationship--85fda77f-5129-4de7-bc44-f81ccc46f6d9
rdf:type stix:Relationship;
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb;
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688;
dcterms:created "2023-02-14T18:36:46.095Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) has the ability to take a screenshot of the infected host desktop using Windows GDI+.(Citation: MalwareBytes WoodyRAT Aug 2022) ";
dcterms:modified "2023-02-23T22:34:17.920Z"^^xsd:dateTime .
:relationship--25407fd4-3940-4446-9c17-6eebe902dbdf
rdf:type stix:Relationship;
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96;
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a;
dcterms:created "2019-10-08T19:55:33.752Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications.\n\nAzure offers a couple of enterprise policy settings in the Azure Management Portal that may help:\n\n\"Users -> User settings -> App registrations: Users can register applications\" can be set to \"no\" to prevent users from registering new applications. \n\"Enterprise applications -> User settings -> Enterprise applications: Users can consent to apps accessing company data on their behalf\" can be set to \"no\" to prevent users from consenting to allow third-party multi-tenant applications";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3de1cc89-ee9a-4476-9d93-a034da6a90bf
rdf:type stix:Relationship;
stix:source_ref :malware--3c18ad16-9eaf-4649-984e-68551bff0d47;
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9;
dcterms:created "2022-08-26T22:08:14.801Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Squirrelwaffle](https://attack.mitre.org/software/S1030) has relied on victims to click on a malicious link send via phishing campaigns.(Citation: ZScaler Squirrelwaffle Sep 2021)";
dcterms:modified "2022-08-26T22:08:14.801Z"^^xsd:dateTime .
:relationship--e6c6afdc-a52f-405c-8480-a4b2d2d797bf
rdf:type stix:Relationship;
stix:source_ref :malware--d3105fb5-c494-4fd1-a7be-414eab9e0c96;
stix:target_ref :attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7;
dcterms:created "2020-11-10T20:55:27.393Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Melcoz](https://attack.mitre.org/software/S0530) has been spread through malicious links embedded in e-mails.(Citation: Securelist Brazilian Banking Malware July 2020)";
dcterms:modified "2020-11-10T20:55:27.393Z"^^xsd:dateTime .
:relationship--3d1ba730-3f10-499c-ada3-47d975d5b7e0
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2021-01-05T17:45:48.946Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained information about the configured Exchange virtual directory using <code>Get-WebServicesVirtualDirectory</code>.(Citation: Volexity SolarWinds)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--973e4318-a08c-491c-afa3-d110f9d87758
rdf:type stix:Relationship;
stix:source_ref :malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb;
stix:target_ref :attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6;
dcterms:created "2019-06-28T16:02:08.208Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LightNeuron](https://attack.mitre.org/software/S0395) is capable of modifying email content, headers, and attachments during transit.(Citation: ESET LightNeuron May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--81763def-b0ec-4938-832d-cffb382bb4a8
rdf:type stix:Relationship;
stix:source_ref :malware--088f1d6e-0783-47c6-9923-9c79b2af43d4;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2020-12-14T17:34:58.764Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Stuxnet](https://attack.mitre.org/software/S0603) uses HTTP to communicate with a command and control server. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)";
dcterms:modified "2023-03-17T18:04:50.942Z"^^xsd:dateTime .
:malware--ec9e00dd-0313-4d5b-8105-c20aa47abffc
rdf:type stix:Malware;
rdfs:label "ShadowPad";
dcterms:created "2021-03-23T20:49:39.954Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017) ";
dcterms:modified "2023-03-26T20:09:03.093Z"^^xsd:dateTime .
:attack-pattern--2e114e45-2c50-404c-804a-3af9564d240e
rdf:type d3f:OffensiveTechnique;
rdfs:label "Disk Structure Wipe";
dcterms:created "2019-03-19T19:38:27.097Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2303e878-ce48-459d-a5da-256142e2bfd8
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6;
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff;
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for attempts by programs to inject into or dump browser process memory.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3a30af61-b9b4-488e-aebc-dee4dfce52b6
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2021-09-22T13:52:51.063Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN7](https://attack.mitre.org/groups/G0046) has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021)";
dcterms:modified "2021-09-22T13:52:51.063Z"^^xsd:dateTime .
:relationship--29f12e79-a73e-4660-aefd-40dee902fefa
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for unusual kernel driver installation activity ";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3100a612-59cf-4fb0-b5f0-d0e09198a487
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa;
stix:target_ref :attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974;
dcterms:created "2023-09-08T20:26:43.965Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.";
dcterms:modified "2023-09-08T20:58:53.173Z"^^xsd:dateTime .
:relationship--79c46f52-743a-4a17-bede-aa003c03f6b1
rdf:type stix:Relationship;
stix:source_ref :malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2020-06-10T19:31:48.084Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[build_downer](https://attack.mitre.org/software/S0471) has the ability to detect if the infected host is running an anti-virus process.(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:32.405Z"^^xsd:dateTime .
:relationship--2e03c99d-473d-406e-b903-1fc9c9a6a5ec
rdf:type stix:Relationship;
stix:source_ref :malware--03acae53-9b98-46f6-b204-16b930839055;
stix:target_ref :attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336;
dcterms:created "2021-11-29T16:31:50.618Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RCSession](https://attack.mitre.org/software/S0662) has the ability to execute inside the msiexec.exe process.(Citation: Profero APT27 December 2020)";
dcterms:modified "2023-03-26T20:05:38.078Z"^^xsd:dateTime .
:relationship--f3d30d20-ee51-4976-8611-5667df771567
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c;
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc;
dcterms:created "2020-03-19T23:03:33.778Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)";
dcterms:modified "2021-11-01T21:12:15.488Z"^^xsd:dateTime .
:relationship--91bd508e-7f5a-4514-b886-95d97f8eefff
rdf:type stix:Relationship;
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-04-13T19:05:51.100Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020) ";
dcterms:modified "2022-04-18T18:10:36.843Z"^^xsd:dateTime .
:relationship--f957f429-c0d1-4b02-aef8-1d8500421225
rdf:type stix:Relationship;
stix:source_ref :malware--a4f57468-fbd5-49e4-8476-52088220b92d;
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9;
dcterms:created "2020-12-09T21:53:58.664Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zebrocy](https://attack.mitre.org/software/S0251) has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)";
dcterms:modified "2020-12-09T21:53:58.664Z"^^xsd:dateTime .
:relationship--952edf61-e906-4ab5-989f-1d6a5dd95dce
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9;
dcterms:created "2020-03-17T14:52:21.694Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)";
dcterms:modified "2020-03-17T14:52:21.694Z"^^xsd:dateTime .
:relationship--20c01d16-fdd8-4f6b-ba0c-d81b70329440
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2020-03-09T14:07:54.891Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6a0f3ebb-c805-402f-bb2e-aac2f8d174fa
rdf:type stix:Relationship;
stix:source_ref :malware--08d20cd2-f084-45ee-8558-fa6ef5a18519;
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Downdelph](https://attack.mitre.org/software/S0134) bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.(Citation: ESET Sednit Part 3)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--4f1793cb-51f9-47d0-a2a7-374a57f56b82
rdf:type stix:Relationship;
stix:source_ref :campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f;
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3;
dcterms:created "2022-09-30T19:00:48.584Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "For [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors established domains as part of their operational infrastructure.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-09-30T19:00:48.584Z"^^xsd:dateTime .
:relationship--2e80a049-220e-4d47-98f7-c0dbfe245cdc
rdf:type stix:Relationship;
stix:source_ref :malware--ae9d818d-95d0-41da-b045-9cabea1ca164;
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PinchDuke](https://attack.mitre.org/software/S0048) steals credentials from compromised hosts. [PinchDuke](https://attack.mitre.org/software/S0048)'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by [PinchDuke](https://attack.mitre.org/software/S0048) include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).(Citation: F-Secure The Dukes)";
dcterms:modified "2020-03-19T23:56:41.619Z"^^xsd:dateTime .
:relationship--a5848e5c-0a64-44f2-9432-4d503baea628
rdf:type stix:Relationship;
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386;
stix:target_ref :attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d;
dcterms:created "2020-05-27T13:35:36.629Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)";
dcterms:modified "2020-06-03T20:11:27.728Z"^^xsd:dateTime .
:relationship--c5cf4822-a0bf-442a-9943-1937ac45520b
rdf:type stix:Relationship;
stix:source_ref :malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "To establish persistence, [SslMM](https://attack.mitre.org/software/S0058) identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.(Citation: Baumgartner Naikon 2015)";
dcterms:modified "2020-03-18T15:53:57.648Z"^^xsd:dateTime .
:relationship--ff5d1433-de7a-4aba-95c4-5d92782589f9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90;
stix:target_ref :malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8;
dcterms:created "2020-06-11T16:19:17.925Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:32.664Z"^^xsd:dateTime .
:relationship--8119ee71-e017-4ba0-9aeb-a14c46f64f1a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050;
stix:target_ref :malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b;
dcterms:created "2017-05-31T21:33:27.054Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Baumgartner Naikon 2015)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--2c79282f-5e60-48b9-962a-d61c3d73b334
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has used the command-line interface for execution.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--04558d61-aa04-46b5-a65f-921011ac9621
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant establishes persistence by setting the Registry key <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\</code>.(Citation: Unit 42 C0d0so0 Jan 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--8ebf7956-a41c-4f3c-b586-a38a107518d6
rdf:type stix:Relationship;
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b;
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada;
dcterms:created "2023-09-20T15:11:06.448Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)";
dcterms:modified "2023-09-28T22:18:25.164Z"^^xsd:dateTime .
:attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436
rdf:type d3f:OffensiveTechnique;
rdfs:label "Container API";
dcterms:created "2021-03-31T14:01:52.321Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ";
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime .
:malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19
rdf:type stix:Malware;
rdfs:label "Raindrop";
dcterms:created "2021-01-19T19:43:27.828Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)";
dcterms:modified "2023-03-27T19:53:24.461Z"^^xsd:dateTime .
:relationship--e80f97df-4984-4e62-bba6-1333d4c2c977
rdf:type stix:Relationship;
stix:source_ref :tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2020-05-05T18:47:47.317Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)";
dcterms:modified "2020-10-14T14:40:36.366Z"^^xsd:dateTime .
:relationship--ad6cad0b-d827-4182-baf9-826c6788cf4e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2;
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47;
dcterms:created "2023-07-31T19:35:50.201Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Microsoft Volt Typhoon May 2023)";
dcterms:modified "2023-07-31T19:35:50.201Z"^^xsd:dateTime .
:relationship--58d0e93e-15d3-476f-9fb9-4c953b072f53
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69;
dcterms:created "2022-03-30T14:26:51.851Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
rdf:type d3f:OffensiveTechnique;
rdfs:label "Local Data Staging";
dcterms:created "2020-03-13T21:13:10.467Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nAdversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--4d4c8221-17a9-4e5b-86f9-6a0cffc42424
rdf:type stix:Relationship;
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[S-Type](https://attack.mitre.org/software/S0085) uses HTTP for C2.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-01-19T21:00:45.681Z"^^xsd:dateTime .
:relationship--ef934eda-a3ad-40fb-8923-fc2f72fb8f6e
rdf:type stix:Relationship;
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2;
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0;
dcterms:created "2020-06-24T19:58:56.888Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455) has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020) ";
dcterms:modified "2020-06-24T19:58:56.888Z"^^xsd:dateTime .
:relationship--bcedecdf-e98d-4cf7-84a4-d4769a10858d
rdf:type stix:Relationship;
stix:source_ref :malware--64122557-5940-4271-9123-25bfc0c693db;
stix:target_ref :attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7;
dcterms:created "2020-11-10T19:27:14.615Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Javali](https://attack.mitre.org/software/S0528) can read C2 information from Google Documents and YouTube.(Citation: Securelist Brazilian Banking Malware July 2020)";
dcterms:modified "2020-11-10T19:27:14.615Z"^^xsd:dateTime .
:relationship--5e23c694-3f4a-43f7-823b-8ea36558c928
rdf:type stix:Relationship;
stix:source_ref :malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0;
stix:target_ref :attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b;
dcterms:created "2020-03-17T02:25:11.600Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin)";
dcterms:modified "2023-10-01T02:49:27.909Z"^^xsd:dateTime .
:relationship--7a1a5bda-170c-44fd-8094-7f78b7f803c9
rdf:type stix:Relationship;
stix:source_ref :malware--6b62e336-176f-417b-856a-8552dd8c44e1;
stix:target_ref :attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298;
dcterms:created "2019-05-07T17:47:25.127Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Epic](https://attack.mitre.org/software/S0091) has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.(Citation: ESET Recon Snake Nest)";
dcterms:modified "2020-03-18T19:55:30.854Z"^^xsd:dateTime .
:relationship--452e340a-df31-4ae9-a801-d26c57d491ea
rdf:type stix:Relationship;
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-09-22T21:57:30.206Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used Powershell to download UltraVNC and [ngrok](https://attack.mitre.org/software/S0508) from third-party file sharing sites.(Citation: FireEye SMOKEDHAM June 2021)";
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime .
:relationship--151da49e-c3ee-4615-b62e-c8a3c93a32a6
rdf:type stix:Relationship;
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a;
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b;
dcterms:created "2022-06-09T14:47:59.956Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022)";
dcterms:modified "2022-06-09T14:47:59.956Z"^^xsd:dateTime .
:course-of-action--5c49bc54-9929-48ca-b581-7018219b5a97
rdf:type stix:CourseOfAction;
rdfs:label "Account Discovery Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)";
dcterms:modified "2021-08-23T20:25:18.116Z"^^xsd:dateTime .
:relationship--178dda13-999c-481f-8a1b-8dc062d7b0ff
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-02-01T15:37:38.932Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WIRTE](https://attack.mitre.org/groups/G0090) has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.(Citation: Kaspersky WIRTE November 2021)";
dcterms:modified "2022-02-01T15:37:38.932Z"^^xsd:dateTime .
:relationship--99cfee83-7db8-44c1-8fd8-75bc1c67d17c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475;
dcterms:created "2021-03-19T13:38:12.533Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connections on the target machine.(Citation: Trend Micro Muddy Water March 2021)";
dcterms:modified "2021-03-19T13:38:12.533Z"^^xsd:dateTime .
:relationship--3231ef46-26f9-4711-adfe-cfa68425f848
rdf:type stix:Relationship;
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1;
stix:target_ref :attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a;
dcterms:created "2022-01-06T20:23:01.566Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.(Citation: Malwarebytes Konni Aug 2021) ";
dcterms:modified "2022-04-18T19:48:24.407Z"^^xsd:dateTime .
:relationship--91cea20a-9698-4bec-8fdd-c1eda3ea66e7
rdf:type stix:Relationship;
stix:source_ref :malware--3be1fb7a-0f7e-415e-8e3a-74a80d596e68;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2023-04-04T21:50:08.665Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mafalda](https://attack.mitre.org/software/S1060) can collect the computer name and enumerate all drives on a compromised host.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)";
dcterms:modified "2023-04-04T21:50:08.665Z"^^xsd:dateTime .
:relationship--b6fed470-c730-4bac-b347-25d27fae9b7c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--438c967d-3996-4870-bfc2-3954752a1927;
dcterms:created "2022-07-11T20:34:55.627Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) removed evidence of email export requests using <code>Remove-MailboxExportRequest</code>.(Citation: Volexity SolarWinds)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0390ebec-176f-421a-9823-cce48756aef1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b;
dcterms:created "2021-01-22T16:51:10.393Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)";
dcterms:modified "2021-01-22T16:51:10.393Z"^^xsd:dateTime .
:relationship--2f081501-0c5c-4662-b7b4-3dc5a8a3b1af
rdf:type stix:Relationship;
stix:source_ref :malware--fde19a18-e502-467f-be14-58c71b4e7f4b;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-12-27T19:19:42.895Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WarzoneRAT](https://attack.mitre.org/software/S0670) can download and execute additional files.(Citation: Check Point Warzone Feb 2020)";
dcterms:modified "2022-04-07T16:00:36.787Z"^^xsd:dateTime .
:relationship--f06c48f0-88de-4850-90dd-9ff4979dde95
rdf:type stix:Relationship;
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8;
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84;
dcterms:created "2022-10-17T21:58:20.451Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nPeriodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.(Citation: Mandiant Azure AD Backdoors) If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.(Citation: MagicWeb)\n\nPeriodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<NetworkProviderName>\\NetworkProvider\\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentC ontrolSet\\Services\\<NetworkProviderName>\\NetworkProvider`.";
dcterms:modified "2023-04-11T14:27:42.484Z"^^xsd:dateTime .
:attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec
rdf:type d3f:OffensiveTechnique;
rdfs:label "Authentication Package";
dcterms:created "2020-01-24T14:54:42.757Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\</code> with the key value of <code>\"Authentication Packages\"=&lt;target binary&gt;</code>. The binary will then be executed by the system when the authentication packages are loaded.";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--cf16ba1d-ea81-4301-a1a4-083e4a8927fe
rdf:type stix:Relationship;
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96;
stix:target_ref :attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b;
dcterms:created "2020-03-09T15:04:32.848Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0d1ae008-8b7f-4b64-8b05-2df3ef55f323
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a;
stix:target_ref :attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b;
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--5e82824d-3548-4ffe-98fd-8e432a36847b
rdf:type stix:Relationship;
stix:source_ref :course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135;
stix:target_ref :attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:course-of-action--3bd2cf87-1ceb-4317-9aee-3e7dc713261b
rdf:type stix:CourseOfAction;
rdfs:label "Domain Generation Algorithms Mitigation";
dcterms:created "2019-02-18T17:22:57.941Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)";
dcterms:modified "2019-07-24T19:13:31.378Z"^^xsd:dateTime .
:relationship--b1371fd9-1bfd-40b2-90a2-4876d89029bf
rdf:type stix:Relationship;
stix:source_ref :malware--a8d3d497-2da9-4797-8e0b-ed176be08654;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Wingbird](https://attack.mitre.org/software/S0176) checks for the presence of Bitdefender security software.(Citation: Microsoft SIR Vol 21)";
dcterms:modified "2020-02-11T19:39:04.039Z"^^xsd:dateTime .
:relationship--3b02e08d-f6fe-4d7b-907d-e8c6534f9a98
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2023-07-27T20:50:01.946Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Aug 2022)";
dcterms:modified "2023-09-29T18:38:18.946Z"^^xsd:dateTime .
:relationship--7064e494-5a32-4a40-b0b1-b19b9a145e73
rdf:type stix:Relationship;
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b;
stix:target_ref :attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747;
dcterms:created "2023-04-10T15:38:02.911Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted internal spearphishing from within a compromised organization.(Citation: ClearSky Lazarus Aug 2020)";
dcterms:modified "2023-04-10T15:38:02.911Z"^^xsd:dateTime .
:relationship--fc8ef14d-1a07-4f96-85c3-b62ba6bcffc1
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3;
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84;
dcterms:created "2020-03-16T14:49:02.714Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\\Windows\\System32\\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages`. \n\nStarting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.(Citation: EnableMPRNotifications)";
dcterms:modified "2023-04-11T14:27:30.007Z"^^xsd:dateTime .
:relationship--60b36de9-e8ce-4aff-b5aa-5a8c2e7fe197
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf;
dcterms:created "2022-02-07T16:31:15.990Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has used RDP sessions from public-facing systems to internal servers.(Citation: CrowdStrike StellarParticle January 2022)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--4d4db495-6366-414f-aa58-1dbd97032412
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e;
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0;
dcterms:created "2022-04-16T20:45:01.832Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b
rdf:type d3f:OffensiveTechnique;
rdfs:label "Dynamic Resolution";
dcterms:created "2020-03-10T17:28:11.747Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--087c222c-4108-4fbf-ac8f-983cd71548fa
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--e44e0985-bc65-4a8f-b578-211c858128e3;
stix:target_ref :attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9;
dcterms:created "2021-09-07T13:27:47.515Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Transparent Tribe](https://attack.mitre.org/groups/G0134) has set up websites with malicious hyperlinks and iframes to infect targeted victims with [Crimson](https://attack.mitre.org/software/S0115), [njRAT](https://attack.mitre.org/software/S0385), and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)";
dcterms:modified "2021-10-15T19:27:15.824Z"^^xsd:dateTime .
:relationship--da4059ab-c858-4df1-94e0-25db2d6ea136
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf;
dcterms:created "2023-03-13T21:10:40.799Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)";
dcterms:modified "2023-04-11T00:17:22.553Z"^^xsd:dateTime .
:relationship--3c662aa7-0ee8-4e42-b0b9-de0dc2f02a57
rdf:type stix:Relationship;
stix:source_ref :malware--958b5d06-8bb0-4c5b-a2e7-0130fe654ac7;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2020-11-13T21:52:00.732Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Grandoreiro](https://attack.mitre.org/software/S0531) can send data it retrieves to the C2 server.(Citation: ESET Grandoreiro April 2020)";
dcterms:modified "2020-11-13T21:52:00.732Z"^^xsd:dateTime .
:relationship--bb01eb87-696e-496d-9fb9-5abe60b57b12
rdf:type stix:Relationship;
stix:source_ref :course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea;
stix:target_ref :attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33;
dcterms:created "2022-07-29T19:33:39.802Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. ";
dcterms:modified "2022-07-29T19:33:39.802Z"^^xsd:dateTime .
:course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf
rdf:type stix:CourseOfAction;
rdfs:label "Hooking Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.";
dcterms:modified "2019-07-24T19:37:27.850Z"^^xsd:dateTime .
:relationship--a4106a52-b3e7-4aa9-b2ca-125f206dbf91
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7;
stix:target_ref :malware--cb7bcf6f-085f-41db-81ee-4b68481661b5;
dcterms:created "2017-05-31T21:33:27.064Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Scarlet Mimic Jan 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--2af126e3-89ef-45b4-b345-45567ef17dfa
rdf:type stix:Relationship;
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) uses the Windows API call, CreateProcessW(), to manage execution flow.(Citation: S2 Grupo TrickBot June 2017) [TrickBot](https://attack.mitre.org/software/S0266) has also used <code>Nt*</code> API functions to perform [Process Injection](https://attack.mitre.org/techniques/T1055).(Citation: Joe Sec Trickbot)";
dcterms:modified "2021-10-01T14:12:53.053Z"^^xsd:dateTime .
:relationship--f783c5c8-0620-4fb0-9e8f-55df960cf41c
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e;
stix:target_ref :attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421;
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for logged network traffic in response to a scan showing both protocol header and body values that may buy and/or steal SSL/TLS certificates that can be used during targeting. Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--6c303446-f8d1-424c-b1ac-8c10f82d33d7
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--22ba966c-e07e-4718-821c-4a57fe3705ad
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0;
dcterms:created "2022-03-30T14:26:51.835Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--11f31998-c76f-4433-8e9c-c0ef0b7574d5
rdf:type stix:Relationship;
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2019-06-10T18:55:43.635Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used WMI to execute powershell.exe.(Citation: Carbon Black Emotet Apr 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--2209a958-9359-4866-80e9-80d0cc660868
rdf:type stix:Relationship;
stix:source_ref :malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d;
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1;
dcterms:created "2019-04-17T18:43:36.389Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SpeakUp](https://attack.mitre.org/software/S0374) uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019)";
dcterms:modified "2020-03-19T17:09:03.651Z"^^xsd:dateTime .
:relationship--7bf67f44-6349-4576-8145-44e53a91676a
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1;
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b;
dcterms:created "2020-03-11T14:58:52.196Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0fe893d6-a52f-4828-a792-eeb6a3e4f979
rdf:type stix:Relationship;
stix:source_ref :course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43;
stix:target_ref :attack-pattern--ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--c253f0c5-1802-4853-b93f-c426d2a48fae
rdf:type stix:Relationship;
stix:source_ref :malware--6cd07296-14aa-403d-9229-6343d03d4752;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2021-06-21T18:07:57.500Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cuba](https://attack.mitre.org/software/S0625) can enumerate processes running on a victim's machine.(Citation: McAfee Cuba April 2021)";
dcterms:modified "2021-08-31T21:30:39.509Z"^^xsd:dateTime .
:relationship--3d8e97f7-9c58-47e1-b2c9-2cc55cca974f
rdf:type stix:Relationship;
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9;
stix:target_ref :attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004;
dcterms:created "2021-09-28T15:46:27.092Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation: Kroll Qakbot June 2020)\n(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)";
dcterms:modified "2021-10-13T18:28:38.894Z"^^xsd:dateTime .
:relationship--ca56b2a6-39a7-4449-9017-fa8ce4285ed5
rdf:type stix:Relationship;
stix:source_ref :tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906;
stix:target_ref :attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b;
dcterms:created "2023-09-14T19:01:00.251Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ngrok](https://attack.mitre.org/software/S0508) can tunnel RDP and other services securely over internet connections.(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes Ngrok February 2020)(Citation: Trend Micro Ngrok September 2020)";
dcterms:modified "2023-09-14T19:01:00.251Z"^^xsd:dateTime .
:relationship--2dcd6644-f1d4-4001-81a5-95701fd29360
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808;
stix:target_ref :attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e;
dcterms:created "2020-01-30T16:36:51.574Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located <code>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy</code>.\n\nThrough GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.(Citation: GitHub IAD Secure Host Baseline UAC Filtering)";
dcterms:modified "2021-08-31T19:55:02.841Z"^^xsd:dateTime .
:relationship--f9283994-d216-4796-989d-a375eb4834a9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a;
stix:target_ref :attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3;
dcterms:created "2019-01-30T19:27:46.126Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Group](https://attack.mitre.org/groups/G0080) has added persistence by registering the file name for the next stage malware under <code>HKCU\\Environment\\UserInitMprLogonScript</code>.(Citation: Morphisec Cobalt Gang Oct 2018)";
dcterms:modified "2020-01-17T22:28:55.233Z"^^xsd:dateTime .
:relationship--618cfee6-a12a-4e17-b66b-cbd965a08357
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427;
stix:target_ref :attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c;
dcterms:created "2020-03-19T15:12:13.292Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2caa19fb-fe02-4365-b53a-1ff554a13889
rdf:type stix:Relationship;
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1;
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9;
dcterms:created "2022-09-07T13:51:23.961Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors collected information via [Empire](https://attack.mitre.org/software/S0363), which was automatically sent back to the adversary's C2.(Citation: Talos Frankenstein June 2019)";
dcterms:modified "2022-09-21T15:05:31.974Z"^^xsd:dateTime .
:attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86301566
rdf:type d3f:OffensiveTechnique;
rdfs:label "Application Shimming";
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--7b5919ce-efab-45d1-855b-f827d7489b2b
rdf:type stix:Relationship;
stix:source_ref :malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe;
stix:target_ref :attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Nidiran](https://attack.mitre.org/software/S0118) uses RC4 to encrypt C2 traffic.(Citation: Symantec Suckfly May 2016)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--5ebd97d4-1979-40b2-b38b-b6ed44a2f32f
rdf:type stix:Relationship;
stix:source_ref :malware--cbf646f1-7db5-4dc6-808b-0094313949df;
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "One variant of [CloudDuke](https://attack.mitre.org/software/S0054) uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.(Citation: F-Secure The Dukes)";
dcterms:modified "2020-03-20T21:07:48.537Z"^^xsd:dateTime .
:relationship--9d239fc5-5d40-4991-ae41-761686ab43a2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2021-04-13T20:27:51.729Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)";
dcterms:modified "2022-03-16T18:38:10.452Z"^^xsd:dateTime .
:relationship--ce26fb61-137e-489c-8c69-d2ac5a9f59ce
rdf:type stix:Relationship;
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756;
stix:target_ref :attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe;
dcterms:created "2022-02-01T15:08:45.248Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can enumerate Azure AD users.(Citation: AADInternals Documentation)";
dcterms:modified "2022-04-13T14:22:52.901Z"^^xsd:dateTime .
:relationship--aca30dc6-34c2-45f3-87a4-9d9abda01036
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2021-04-09T16:08:58.515Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Windshift](https://attack.mitre.org/groups/G0112) has used tools that communicate with C2 over HTTP.(Citation: BlackBerry Bahamut)";
dcterms:modified "2021-05-24T13:16:56.581Z"^^xsd:dateTime .
:relationship--033a5e59-ab65-485b-a9c0-775977e8abd0
rdf:type stix:Relationship;
stix:source_ref :malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd;
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4;
dcterms:created "2019-06-21T17:23:28.006Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PowerStallion](https://attack.mitre.org/software/S0393) uses Microsoft OneDrive as a C2 server via a network drive mapped with <code>net use</code>.(Citation: ESET Turla PowerShell May 2019)";
dcterms:modified "2020-03-20T21:24:24.092Z"^^xsd:dateTime .
:relationship--12c14ace-db29-4b08-a052-ba867c9ba534
rdf:type stix:Relationship;
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023;
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18;
dcterms:created "2020-03-30T19:29:56.297Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.(Citation: Talos Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)";
dcterms:modified "2023-09-29T20:25:07.828Z"^^xsd:dateTime .
:relationship--8bba06f3-fac2-4484-a177-53d5716f80a6
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-07-14T17:22:54.577Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has decrypted packed DLLs with an XOR key.(Citation: NCC Group TA505)";
dcterms:modified "2022-07-14T18:26:34.872Z"^^xsd:dateTime .
:relationship--8492aff7-1171-4805-9052-3decdd677c94
rdf:type stix:Relationship;
stix:source_ref :malware--29231689-5837-4a7a-aafc-1b65b3f50cc7;
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433;
dcterms:created "2021-06-29T15:21:28.785Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RainyDay](https://attack.mitre.org/software/S0629) has the ability to switch between TCP and HTTP for C2 if one method is not working.(Citation: Bitdefender Naikon April 2021)";
dcterms:modified "2021-06-29T15:21:28.785Z"^^xsd:dateTime .
:relationship--3f27ef2a-48e8-4d37-8618-fe61dfcafd3e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :tool--4664b683-f578-434f-919b-1c1aad2a1111;
dcterms:created "2019-09-23T23:14:16.750Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT41 Aug 2019)";
dcterms:modified "2023-03-23T15:27:10.510Z"^^xsd:dateTime .
:relationship--f5e2c4ef-fe56-416e-8d74-733272c7310b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :malware--a8839c95-029f-44cf-8f3d-a3cf2039e927;
dcterms:created "2021-04-16T19:04:13.689Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL Profile)";
dcterms:modified "2022-02-24T20:32:44.499Z"^^xsd:dateTime .
:relationship--d6dcaa34-12d9-45f3-8f7b-397c2da0995a
rdf:type stix:Relationship;
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b;
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a;
dcterms:created "2021-03-02T16:42:09.492Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) has the functionality to delete shadow copies.(Citation: CERT-FR PYSA April 2020) ";
dcterms:modified "2021-03-02T16:42:09.492Z"^^xsd:dateTime .
:relationship--847752f4-59a2-46e9-ae28-befe0142b223
rdf:type stix:Relationship;
stix:source_ref :malware--199463de-d9be-46d6-bb41-07234c1dd5a6;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GeminiDuke](https://attack.mitre.org/software/S0049) collects information on network settings and Internet proxy settings from the victim.(Citation: F-Secure The Dukes)";
dcterms:modified "2020-03-17T01:22:53.941Z"^^xsd:dateTime .
:relationship--be7f2951-ce33-4d48-ad9c-69071e54ae18
rdf:type stix:Relationship;
stix:source_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593;
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9;
dcterms:created "2020-12-07T21:06:57.852Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Crutch](https://attack.mitre.org/software/S0538) has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020)";
dcterms:modified "2020-12-07T21:06:57.852Z"^^xsd:dateTime .
:relationship--dd48cdb6-ab24-410b-ac3e-624b1ed8cf92
rdf:type stix:Relationship;
stix:source_ref :malware--e2d34c63-6f5a-41f5-86a2-e2380f27f858;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2021-03-01T21:23:22.799Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleJeus](https://attack.mitre.org/software/S0584) has required user execution of a malicious MSI installer.(Citation: CISA AppleJeus Feb 2021)";
dcterms:modified "2021-03-01T21:23:22.799Z"^^xsd:dateTime .
:relationship--cd10cc85-ccc4-4683-9421-9254a0d1259a
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4;
stix:target_ref :attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5;
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for logged domain name system (DNS) registry data that may compromise third-party DNS servers that can be used during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--9de77d26-6424-4ee8-bd7d-1ae705020c55
rdf:type stix:Relationship;
stix:source_ref :campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6;
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3;
dcterms:created "2022-10-05T16:02:55.768Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "For [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors established domains, some of which appeared to spoof legitimate domains.(Citation: BlackBerry CostaRicto November 2020)";
dcterms:modified "2022-10-05T16:02:55.768Z"^^xsd:dateTime .
:relationship--9e07c247-c778-496d-9972-6581f2d10c93
rdf:type stix:Relationship;
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556;
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0;
dcterms:created "2021-10-01T14:12:52.920Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) has used <code>printf</code> and file I/O loops to delay process execution as part of API hammering.(Citation: Joe Sec Trickbot)";
dcterms:modified "2021-10-01T14:12:52.920Z"^^xsd:dateTime .
:relationship--a33d759f-6106-4e67-9452-72b684ab209a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2021-03-04T22:05:10.085Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020) ";
dcterms:modified "2023-02-06T18:11:56.976Z"^^xsd:dateTime .
:intrusion-set--e5603ea8-4c36-40e7-b7af-a077d24fedc1
rdf:type stix:IntrusionSet;
rdfs:label "IndigoZebra";
dcterms:created "2021-09-24T21:41:34.797Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)";
dcterms:modified "2021-10-16T02:06:06.404Z"^^xsd:dateTime .
:relationship--34ff9bfb-0b3a-4b83-af85-60700ed052f4
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f;
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0;
dcterms:created "2021-05-26T20:19:44.143Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) has used and modified open-source tools like [Impacket](https://attack.mitre.org/software/S0357), [Mimikatz](https://attack.mitre.org/software/S0002), and [pwdump](https://attack.mitre.org/software/S0006).(Citation: PWC Cloud Hopper Technical Annex April 2017)";
dcterms:modified "2023-03-23T15:14:18.615Z"^^xsd:dateTime .
:relationship--b0f355cc-e11f-4027-9db3-59ec64cd367f
rdf:type stix:Relationship;
stix:source_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b;
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0;
dcterms:created "2019-01-30T16:45:00.072Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from databases, mail, and WiFi across multiple platforms.(Citation: GitHub LaZagne Dec 2018)";
dcterms:modified "2020-03-25T15:46:35.771Z"^^xsd:dateTime .
:relationship--90ae4d92-9278-4cdd-a71c-b217a8bbb86a
rdf:type stix:Relationship;
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2021-06-10T15:41:34.691Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to use multiple dynamically resolved API calls.(Citation: Malwarebytes Kimsuky June 2021)";
dcterms:modified "2021-06-10T15:41:34.691Z"^^xsd:dateTime .
:relationship--9ee8a8fb-798e-4fa0-9ae0-ab96e75c9f4e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2021-11-24T20:17:35.504Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LazyScripter](https://attack.mitre.org/groups/G0140) has used PowerShell scripts to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)";
dcterms:modified "2022-04-06T19:13:54.278Z"^^xsd:dateTime .
:relationship--c92d9edc-e2a9-44e4-95ef-81632eaf14f9
rdf:type stix:Relationship;
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2021-03-11T18:06:46.876Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can execute the command code <code>do_upload</code> to send files to C2.(Citation: Leonardo Turla Penquin May 2020)";
dcterms:modified "2022-09-28T21:27:07.144Z"^^xsd:dateTime .
:relationship--8b12a0c5-9e30-47ef-a786-5c5eeaf52240
rdf:type stix:Relationship;
stix:source_ref :malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2020-08-04T15:35:30.364Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[REvil](https://attack.mitre.org/software/S0496) has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)";
dcterms:modified "2021-04-06T14:42:52.400Z"^^xsd:dateTime .
:relationship--570da7ec-2d72-4e1b-9f30-f0e1a10085bf
rdf:type stix:Relationship;
stix:source_ref :malware--e85cae1a-bce3-4ac4-b36b-b00acac0567b;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2019-04-16T17:43:42.929Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[POWERTON](https://attack.mitre.org/software/S0371) is written in PowerShell.(Citation: FireEye APT33 Guardrail)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:attack-pattern--59ff91cd-1430-4075-8563-e6f15f4f9ff5
rdf:type d3f:OffensiveTechnique;
rdfs:label "DHCP Spoofing";
dcterms:created "2022-03-24T19:30:56.727Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nDHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: \n\n1. The client broadcasts a `DISCOVER` message.\n\n2. The server responds with an `OFFER` message, which includes an available network address. \n\n3. The client broadcasts a `REQUEST` message, which includes the network address offered. \n\n4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.\n\nAdversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.\n\nDHCPv6 clients can receive network configuration information without being assigned an IP address by sending a <code>INFORMATION-REQUEST (code 11)</code> message to the <code>All_DHCP_Relay_Agents_and_Servers</code> multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.\n\nRather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e, [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool. ";
dcterms:modified "2022-11-08T14:00:00.188Z"^^xsd:dateTime .
:relationship--df1b67d2-8a37-4803-a05d-9bbdb0f30819
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7;
dcterms:created "2021-04-08T15:41:46.444Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.(Citation: Trend Micro Muddy Water March 2021)(Citation: Anomali Static Kitten February 2021) ";
dcterms:modified "2021-04-08T19:31:30.904Z"^^xsd:dateTime .
:relationship--afa84fd1-e910-4bc7-8270-1e9f9b02b53f
rdf:type stix:Relationship;
stix:source_ref :malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2;
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kazuar](https://attack.mitre.org/software/S0265) gathers information about opened windows.(Citation: Unit 42 Kazuar May 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--891a97f1-d3e2-45ff-a079-43dcad21a175
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0;
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062;
dcterms:created "2017-05-31T21:33:27.077Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A [Patchwork](https://attack.mitre.org/groups/G0040) payload was packed with UPX.(Citation: Securelist Dropping Elephant)";
dcterms:modified "2020-03-19T19:58:58.101Z"^^xsd:dateTime .
:relationship--d013882b-1092-46e4-8c07-f74e5ca2df97
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for files that write or overwrite many files to a network shared directory may be suspicious.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--c92047b8-50d6-4fde-8acd-98132dcdc32f
rdf:type stix:Relationship;
stix:source_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60;
stix:target_ref :attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447;
dcterms:created "2020-11-23T17:38:03.062Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mimikatz](https://attack.mitre.org/software/S0002) contains functionality to acquire credentials from the Windows Credential Manager.(Citation: Delpy Mimikatz Crendential Manager)";
dcterms:modified "2020-11-23T17:38:03.062Z"^^xsd:dateTime .
:relationship--51cc7dff-7fb4-41bc-a67d-39598f14f1d8
rdf:type stix:Relationship;
stix:source_ref :malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Smoke Loader](https://attack.mitre.org/software/S0226) adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c8f79da7-cfd6-41fd-89d4-c015e7289b64
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0;
dcterms:created "2019-04-23T12:38:37.637Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for enumerating domain trusts.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--16952ba0-4fae-450b-990c-2b771efbd60f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f;
stix:target_ref :attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc;
dcterms:created "2020-03-19T22:16:54.814Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)";
dcterms:modified "2020-03-19T22:16:54.814Z"^^xsd:dateTime .
:relationship--49f3c807-a801-4cfe-ad1c-6966bea2fc8a
rdf:type stix:Relationship;
stix:source_ref :tool--cb69b20d-56d0-41ab-8440-4a4b251614d4;
stix:target_ref :attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pupy](https://attack.mitre.org/software/S0192) can record sound with the microphone.(Citation: GitHub Pupy)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--7b5178ce-a9bc-405e-b062-22b4276fbf99
rdf:type stix:Relationship;
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77;
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) was likely obfuscated using `Invoke-Obfuscation`.(Citation: Unit 42 QUADAGENT July 2018)(Citation: GitHub Invoke-Obfuscation)";
dcterms:modified "2023-03-22T05:20:42.687Z"^^xsd:dateTime .
:relationship--0bb4fb8a-0b0f-46c6-820b-d46c5f98fa12
rdf:type stix:Relationship;
stix:source_ref :malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0;
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783;
dcterms:created "2020-06-09T21:23:39.119Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)";
dcterms:modified "2020-06-25T13:32:00.131Z"^^xsd:dateTime .
:relationship--bc592166-c29c-4913-b8a0-ec266321a325
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--9735c036-8ebe-47e9-9c77-b0ae656dab93;
stix:target_ref :tool--da04ac30-27da-4959-a67d-450ce47d9470;
dcterms:created "2021-09-21T14:52:49.732Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ESET BackdoorDiplomacy Jun 2021)";
dcterms:modified "2021-09-21T17:11:52.855Z"^^xsd:dateTime .
:relationship--5a72e713-c8fb-4438-9a08-0ded824381dd
rdf:type stix:Relationship;
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31;
stix:target_ref :attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071;
dcterms:created "2020-01-24T15:01:33.185Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Odbcconf.exe may not be necessary within a given environment.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--45310a29-78b6-4863-ab0b-49fd53ef1809
rdf:type stix:Relationship;
stix:source_ref :malware--aad11e34-02ca-4220-91cd-2ed420af4db3;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2020-05-04T19:13:35.449Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.(Citation: Carbon Black HotCroissant April 2020)";
dcterms:modified "2020-05-06T19:28:22.178Z"^^xsd:dateTime .
:relationship--c9a1bcec-9a4d-4693-accb-5a6f67b857f6
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3;
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0;
dcterms:created "2020-02-12T18:55:24.841Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--331f7990-d817-49ec-9d55-c4c64da7f4a6
rdf:type stix:Relationship;
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2021-09-22T21:57:30.229Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021)";
dcterms:modified "2021-10-14T18:34:24.287Z"^^xsd:dateTime .
:relationship--bd5fd2c2-a9a3-401e-8723-92df94f9c482
rdf:type stix:Relationship;
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2021-10-11T17:54:11.520Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) has used the ShellExecuteW() function call.(Citation: CheckPoint Bandook Nov 2020) ";
dcterms:modified "2021-10-11T17:54:11.520Z"^^xsd:dateTime .
:relationship--c81c6d91-00f3-4c8b-bf34-929972685aa3
rdf:type stix:Relationship;
stix:source_ref :malware--b4d80f8b-d2b9-4448-8844-4bef777ed676;
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
dcterms:created "2019-01-29T20:05:36.454Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NanoCore](https://attack.mitre.org/software/S0336) can modify the victim's anti-virus.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)";
dcterms:modified "2020-03-28T00:59:59.461Z"^^xsd:dateTime .
:relationship--6d8b1f40-48a0-484b-8eea-48195a8bfff2
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529;
dcterms:created "2020-02-21T20:32:21.128Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--8b1d88b8-7990-4fef-9dd0-1a422a81d62c
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6;
stix:target_ref :attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4;
dcterms:created "2022-03-30T14:26:51.846Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3d6e0a95-3265-4a0c-aee1-feff2807489b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2021-11-12T20:43:05.878Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has lured victims into opening malicious files containing malware.(Citation: Trend Micro DRBControl February 2020)";
dcterms:modified "2021-11-12T20:43:05.878Z"^^xsd:dateTime .
:course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db
rdf:type stix:CourseOfAction;
rdfs:label "Execution Prevention";
dcterms:created "2019-06-11T16:35:25.488Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Block execution of code on a system through application control, and/or script blocking.";
dcterms:modified "2022-02-28T19:50:41.210Z"^^xsd:dateTime .
:relationship--c0a10dc5-51e4-4ec3-a827-4999bde3ed58
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de;
stix:target_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b;
dcterms:created "2021-01-27T19:37:49.570Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ESET EvilNum July 2020)";
dcterms:modified "2021-01-27T19:37:49.570Z"^^xsd:dateTime .
:relationship--9d28bf78-0fde-4efd-85b2-fc1960f1b386
rdf:type stix:Relationship;
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2022-07-25T18:36:59.018Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) has the ability to search the compromised host for files.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-25T18:36:59.018Z"^^xsd:dateTime .
:attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65
rdf:type d3f:OffensiveTechnique;
rdfs:label "Shared Modules";
dcterms:created "2017-05-31T21:31:40.542Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)";
dcterms:modified "2023-10-12T21:17:14.868Z"^^xsd:dateTime .
:relationship--09c10778-19ad-441a-8a75-a3cf1288f960
rdf:type stix:Relationship;
stix:source_ref :malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sykipot](https://attack.mitre.org/software/S0018) may use <code>net start</code> to display running services.(Citation: AlienVault Sykipot 2011)";
dcterms:modified "2020-03-16T17:50:28.664Z"^^xsd:dateTime .
:relationship--9c98640e-0307-48bb-aafc-af14a774fd5b
rdf:type stix:Relationship;
stix:source_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3;
stix:target_ref :attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004;
dcterms:created "2019-03-11T19:24:08.172Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Empire](https://attack.mitre.org/software/S0363) has the ability to collect emails on a target system.(Citation: Github PowerShell Empire)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--2398e409-24d3-4dd9-9353-8b6cf9eee81d
rdf:type stix:Relationship;
stix:source_ref :malware--d6e55656-e43f-411f-a7af-45df650471c5;
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56;
dcterms:created "2021-04-08T18:09:43.112Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kinsing](https://attack.mitre.org/software/S0599) has used Unix shell scripts to execute commands in the victim environment.(Citation: Aqua Kinsing April 2020)";
dcterms:modified "2021-04-08T18:09:43.112Z"^^xsd:dateTime .
:relationship--1a849525-ee44-4c28-86b2-fe883c45dc79
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81;
dcterms:created "2019-07-18T21:12:51.535Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) leveraged valid accounts to maintain access to a victim network.(Citation: Cybereason Soft Cell June 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--1bccb381-1d71-4c9a-8785-2ada562234f2
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65;
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81;
dcterms:created "2020-03-13T20:36:57.505Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6512ebc3-cc9f-48e1-9a57-a5deb062f123
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2020-05-21T14:55:00.293Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper May 2020)\t";
dcterms:modified "2020-05-21T14:55:00.293Z"^^xsd:dateTime .
:relationship--865fe9a3-35e7-4c5f-9292-fcf65f255615
rdf:type stix:Relationship;
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448;
stix:target_ref :attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df;
dcterms:created "2019-06-25T14:14:54.409Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a8b93875-6ad4-492e-afa1-0549ada7d7ca
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56;
dcterms:created "2020-04-30T20:31:38.012Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) executed <code>file /bin/pwd</code> in activity exploiting CVE-2019-19781 against Citrix devices.(Citation: FireEye APT41 March 2020)";
dcterms:modified "2020-04-30T20:31:38.012Z"^^xsd:dateTime .
:relationship--64a40a9a-ddea-430d-ab08-77c350d83497
rdf:type stix:Relationship;
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2021-06-11T19:29:44.680Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can collect data on a compromised host.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)";
dcterms:modified "2022-04-12T18:37:03.594Z"^^xsd:dateTime .
:relationship--a31ed7a5-8ed3-46e7-8e3b-32935023e19b
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520;
stix:target_ref :attack-pattern--451a9977-d255-43c9-b431-66de80130c8c;
dcterms:created "2022-09-30T21:18:42.043Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "";
dcterms:modified "2022-09-30T21:18:42.043Z"^^xsd:dateTime .
:relationship--670efee1-b854-4d39-85b1-b6038e3580e3
rdf:type stix:Relationship;
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9;
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82;
dcterms:created "2021-09-28T19:49:13.903Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can move laterally using worm-like functionality through exploitation of SMB.(Citation: Crowdstrike Qakbot October 2020)";
dcterms:modified "2021-09-28T19:49:13.903Z"^^xsd:dateTime .
:relationship--cd8c30eb-063a-4ee9-b67b-3668fae4df38
rdf:type stix:Relationship;
stix:source_ref :course-of-action--3bd2cf87-1ceb-4317-9aee-3e7dc713261b;
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd;
dcterms:created "2020-03-10T17:45:00.302Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--d101870c-304e-4597-a292-7d5e8c870f95
rdf:type stix:Relationship;
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756;
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc;
dcterms:created "2022-02-01T15:08:45.251Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)";
dcterms:modified "2022-04-13T14:23:09.136Z"^^xsd:dateTime .
:relationship--b842af96-8422-4b23-bd17-35d123c5a9b5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c;
stix:target_ref :attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00;
dcterms:created "2021-11-29T21:18:40.003Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has compromised the Able Desktop installer to gain access to victim's environments.(Citation: Trend Micro Iron Tiger April 2021)";
dcterms:modified "2021-11-29T21:18:40.003Z"^^xsd:dateTime .
:relationship--19161920-e6b5-481f-a240-62f05c624010
rdf:type stix:Relationship;
stix:source_ref :malware--b42378e0-f147-496f-992a-26a49705395b;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005)";
dcterms:modified "2020-03-16T16:57:13.393Z"^^xsd:dateTime .
:relationship--9ffc8525-79a5-40a2-b371-46052daf66c5
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f;
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27;
dcterms:created "2019-06-13T16:04:04.082Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--c7602a92-d2d5-488d-b0b7-986ec1ef594d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961;
dcterms:created "2022-02-10T16:46:33.851Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)";
dcterms:modified "2022-02-10T16:46:33.851Z"^^xsd:dateTime .
:relationship--e1f948d0-7627-408c-a2c9-669e30e43782
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe;
dcterms:created "2023-01-04T18:57:43.336Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Mandiant APT41)";
dcterms:modified "2023-01-04T18:57:43.336Z"^^xsd:dateTime .
:relationship--3f010259-666c-403b-b5c7-603b319583da
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842;
stix:target_ref :tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9;
dcterms:created "2020-05-05T19:37:33.785Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: QiAnXin APT-C-36 Feb2019)";
dcterms:modified "2020-10-14T14:40:36.542Z"^^xsd:dateTime .
:relationship--978d8c12-bf39-440f-ac17-b66970451152
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a;
dcterms:created "2019-02-18T20:17:17.641Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig Sep 2018)";
dcterms:modified "2020-03-18T20:18:02.875Z"^^xsd:dateTime .
:relationship--a68d8191-b374-4741-a249-1db3515d581b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2019-07-19T17:14:24.029Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--062f7bee-8b54-4edd-aca9-11437b7cbc8b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0;
dcterms:created "2022-03-15T19:56:31.062Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)";
dcterms:modified "2022-04-18T19:49:12.056Z"^^xsd:dateTime .
:relationship--b001d78a-afd6-47bb-bdb5-73e967e35a13
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2022-09-29T18:30:12.366Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "";
dcterms:modified "2022-09-29T18:30:12.366Z"^^xsd:dateTime .
:relationship--229150e3-5c4b-475e-8981-27fb472ad119
rdf:type stix:Relationship;
stix:source_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b;
stix:target_ref :attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc;
dcterms:created "2020-03-19T23:11:54.931Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from chats, databases, mail, and WiFi.(Citation: GitHub LaZagne Dec 2018)";
dcterms:modified "2020-03-19T23:11:54.931Z"^^xsd:dateTime .
:relationship--e09c37a3-ae23-403e-93d5-aef4953bd43c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1;
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Orangeworm](https://attack.mitre.org/groups/G0071) has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.(Citation: Symantec Orangeworm April 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6ee04a90-7158-43a6-8133-9b498f1fef2c
rdf:type stix:Relationship;
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44;
stix:target_ref :attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814;
dcterms:created "2022-04-15T17:19:18.492Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can allow abuse of a compromised AD FS server's SAML token.(Citation: MSTIC FoggyWeb September 2021)";
dcterms:modified "2022-04-15T17:19:18.492Z"^^xsd:dateTime .
:relationship--ef318b23-1b8c-4c24-ad20-09c0977a73b3
rdf:type stix:Relationship;
stix:source_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DownPaper](https://attack.mitre.org/software/S0186) uses the command line.(Citation: ClearSky Charming Kitten Dec 2017)";
dcterms:modified "2020-03-20T17:05:40.089Z"^^xsd:dateTime .
:relationship--f7120568-70db-4111-985c-9970775206c1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
dcterms:created "2020-11-06T18:40:38.498Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)";
dcterms:modified "2023-02-06T18:11:56.982Z"^^xsd:dateTime .
:relationship--a77f2c84-7538-48f5-8809-df2fa47ab6df
rdf:type stix:Relationship;
stix:source_ref :campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8;
stix:target_ref :tool--2e45723a-31da-4a7e-aaa6-e01998a6788f;
dcterms:created "2022-09-21T14:48:46.354Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Bitdefender FunnyDream Campaign November 2020)";
dcterms:modified "2022-09-23T20:55:50.611Z"^^xsd:dateTime .
:relationship--78e4027f-b5ff-4cb3-8b27-ab931baf3476
rdf:type stix:Relationship;
stix:source_ref :malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55;
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541;
dcterms:created "2021-02-23T20:50:33.341Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Conficker](https://attack.mitre.org/software/S0608) variants spread through NetBIOS share propagation.(Citation: SANS Conficker)";
dcterms:modified "2021-10-14T16:53:14.448Z"^^xsd:dateTime .
:relationship--cf36b530-36fa-40f5-b11c-94b5f5cfaf76
rdf:type stix:Relationship;
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2021-06-11T17:02:07.723Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can delete files from a compromised host after they are exfiltrated.(Citation: Malwarebytes Kimsuky June 2021)";
dcterms:modified "2021-06-11T17:02:07.723Z"^^xsd:dateTime .
:relationship--7fe2431d-30b9-45ef-8857-ecef17e428a9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c;
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT37](https://attack.mitre.org/groups/G0067) has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--5bfd02aa-acc6-47a0-8867-d7962ce775f6
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47;
dcterms:created "2019-09-24T12:31:43.884Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)";
dcterms:modified "2023-03-23T15:45:58.852Z"^^xsd:dateTime .
:relationship--380db9ad-f6ad-4988-8a28-b773313f07b7
rdf:type stix:Relationship;
stix:source_ref :malware--e066bf86-9cfb-407a-9d25-26fd5d91e360;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of spawning a reverse shell on a victim.(Citation: Dell TG-3390)";
dcterms:modified "2020-03-20T02:22:13.351Z"^^xsd:dateTime .
:relationship--686d91dc-692b-48a0-829b-2556c6415f59
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593;
dcterms:created "2020-12-06T23:49:08.052Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ESET Crutch December 2020)(Citation: Talos TinyTurla September 2021)";
dcterms:modified "2021-12-02T15:45:11.521Z"^^xsd:dateTime .
:relationship--dab25d1d-e38b-491d-9842-8de94999744f
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f;
stix:target_ref :attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf;
dcterms:created "2022-03-30T14:26:51.838Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--bfdffc50-dba0-41d1-a332-0a02a0a8de07
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541;
dcterms:created "2019-01-31T01:07:58.487Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) used [Net](https://attack.mitre.org/software/S0039) to use Windows' hidden network shares to copy their tools to remote machines for execution.(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
rdf:type d3f:OffensiveTechnique;
rdfs:label "Dynamic Linker Hijacking";
dcterms:created "2020-03-13T20:09:59.569Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s <code>os.environ</code>.\n\nOn Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ";
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime .
:relationship--51551fb5-48df-4143-9163-9b7ffe35bf8f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3;
dcterms:created "2021-10-01T01:57:31.785Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)";
dcterms:modified "2022-12-01T17:31:07.707Z"^^xsd:dateTime .
:relationship--ed113911-e21a-4b1b-a082-42313d5aa887
rdf:type stix:Relationship;
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386;
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945;
dcterms:created "2020-05-26T19:43:49.658Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020)";
dcterms:modified "2020-06-03T13:40:15.300Z"^^xsd:dateTime .
:relationship--3f824a1b-70d5-4859-bd55-6b084f602a52
rdf:type stix:Relationship;
stix:source_ref :malware--751b77e6-af1f-483b-93fe-eddf17f92a64;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2021-02-10T18:20:51.667Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) can search for files in directories.(Citation: ClearSky Lebanese Cedar Jan 2021) ";
dcterms:modified "2021-02-10T18:20:51.667Z"^^xsd:dateTime .
:relationship--2b89f806-5b78-4599-9536-13b47c35d26d
rdf:type stix:Relationship;
stix:source_ref :malware--687c23e4-4e25-4ee7-a870-c5e002511f54;
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58;
dcterms:created "2020-05-14T15:14:33.527Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DustySky](https://attack.mitre.org/software/S0062) lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019)";
dcterms:modified "2020-05-14T15:14:33.527Z"^^xsd:dateTime .
:relationship--24013fde-5ce7-4995-9d9f-d2ced31b9d9a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472;
dcterms:created "2017-05-31T21:33:27.040Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT28)(Citation: Kaspersky Sofacy)(Citation: Securelist Sofacy Feb 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)";
dcterms:modified "2023-03-26T17:51:20.407Z"^^xsd:dateTime .
:relationship--2db515e9-4e44-4a49-917a-3108395b8590
rdf:type stix:Relationship;
stix:source_ref :tool--066b057c-944e-4cfc-b654-e3dfba04b926;
stix:target_ref :attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5;
dcterms:created "2020-11-20T14:11:33.320Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BloodHound](https://attack.mitre.org/software/S0521) can collect password policy information on the target environment.(Citation: CrowdStrike BloodHound April 2018)";
dcterms:modified "2020-11-20T14:11:33.320Z"^^xsd:dateTime .
:relationship--c1c2c530-a2d2-4c2f-bcff-ceda0277de59
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662;
stix:target_ref :attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba;
dcterms:created "2020-10-13T01:26:50.637Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1)";
dcterms:modified "2020-10-13T01:26:50.637Z"^^xsd:dateTime .
:relationship--b3e28a85-784f-4adb-9398-3bbdaf9275fc
rdf:type stix:Relationship;
stix:source_ref :malware--350f12cf-fd3b-4dad-b323-14b943090df4;
stix:target_ref :attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade;
dcterms:created "2021-09-21T15:45:10.178Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Turian](https://attack.mitre.org/software/S0647) can insert pseudo-random characters into its network encryption setup.(Citation: ESET BackdoorDiplomacy Jun 2021)";
dcterms:modified "2021-10-18T13:19:48.355Z"^^xsd:dateTime .
:campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8
rdf:type stix:Campaign;
rdfs:label "FunnyDream";
dcterms:created "2022-09-20T17:29:09.547Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FunnyDream](https://attack.mitre.org/campaigns/C0007) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://attack.mitre.org/software/S1041) backdoor and noted infrastructure overlap with the TAG-16 threat group.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)(Citation: Recorded Future Chinese Activity in Southeast Asia December 2021)";
dcterms:modified "2022-10-10T16:19:33.560Z"^^xsd:dateTime .
:relationship--acfadf9a-afa5-413e-8855-a96947c5ab26
rdf:type stix:Relationship;
stix:source_ref :malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f;
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff;
dcterms:created "2021-10-07T21:28:23.908Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[XCSSET](https://attack.mitre.org/software/S0658) uses <code>scp</code> to access the <code>~/Library/Cookies/Cookies.binarycookies</code> file.(Citation: trendmicro xcsset xcode project 2020)";
dcterms:modified "2021-10-14T22:58:54.604Z"^^xsd:dateTime .
:relationship--2365c9aa-96df-47d8-8601-1acdf66737ba
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6;
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: <code>modprobe</code>, <code>insmod</code>, <code>lsmod</code>, <code>rmmod</code>, or <code>modinfo</code> (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.\n\nOn macOS, monitor for execution of <code>kextload</code> commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the <code>kext_policy</code> table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, <code>/var/db/SystemPolicyConfiguration/KextPolicy</code>.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)";
dcterms:modified "2022-04-16T02:27:10.160Z"^^xsd:dateTime .
:relationship--0882cca9-ed77-4c71-85e4-78988d79236f
rdf:type stix:Relationship;
stix:source_ref :campaign--93c23946-49af-41f4-ac03-40f9ffc7419b;
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643;
dcterms:created "2022-10-06T21:19:39.963Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)";
dcterms:modified "2022-10-06T21:19:39.963Z"^^xsd:dateTime .
:relationship--aff9bcd9-34b9-4c94-9ce0-dd4852118f91
rdf:type stix:Relationship;
stix:source_ref :malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2020-10-21T02:14:05.535Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CookieMiner](https://attack.mitre.org/software/S0492) has retrieved iPhone text messages from iTunes phone backup files.(Citation: Unit42 CookieMiner Jan 2019)";
dcterms:modified "2020-10-21T02:14:05.535Z"^^xsd:dateTime .
:relationship--5c56206f-8ae3-4296-ab89-bc2036b74896
rdf:type stix:Relationship;
stix:source_ref :malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661;
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0;
dcterms:created "2019-03-26T13:38:24.567Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WannaCry](https://attack.mitre.org/software/S0366) encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--d2f19ee3-8e1c-46e4-b803-e8b3fa36f62e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1;
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f;
dcterms:created "2021-12-06T19:48:35.268Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.(Citation: US-CERT TA18-074A)";
dcterms:modified "2021-12-06T20:45:13.824Z"^^xsd:dateTime .
:relationship--2e5931ef-cc28-49e8-b0c1-7705227ee5cf
rdf:type stix:Relationship;
stix:source_ref :course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c;
stix:target_ref :attack-pattern--9e80ddfb-ce32-4961-a778-ca6a10cfae72;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--12daddcc-b964-485e-8c2d-10f554d78bcc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.(Citation: OilRig ISMAgent July 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--d4962990-8bb3-46b9-9ca3-c946fd6ce07e
rdf:type stix:Relationship;
stix:source_ref :malware--b9704a7d-feef-4af9-8898-5280f1686326;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2020-07-23T14:29:04.744Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)";
dcterms:modified "2020-07-23T14:29:04.744Z"^^xsd:dateTime .
:relationship--db393f5e-8029-423c-bfbc-da48fc932cb0
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af;
stix:target_ref :attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e;
dcterms:created "2022-08-18T19:13:34.306Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)";
dcterms:modified "2022-08-19T19:40:51.937Z"^^xsd:dateTime .
:relationship--5b69fc3c-1bf7-4092-be94-755790ccf41f
rdf:type stix:Relationship;
stix:source_ref :malware--eff1a885-6f90-42a1-901f-eef6e7a1905e;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "One version of [Helminth](https://attack.mitre.org/software/S0170) uses a PowerShell script.(Citation: Palo Alto OilRig May 2016)";
dcterms:modified "2020-03-16T16:55:40.070Z"^^xsd:dateTime .
:relationship--ab11615f-a0d9-43c9-b71e-6ae83155bf3b
rdf:type stix:Relationship;
stix:source_ref :malware--051eaca1-958f-4091-9e5f-a9acd8f820b5;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2019-01-30T15:10:04.241Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Exaramel for Windows](https://attack.mitre.org/software/S0343) adds the configuration to the Registry in XML format.(Citation: ESET TeleBots Oct 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--3afd226c-934f-44fd-8194-9a6dee5cba59
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2017-05-31T21:33:27.065Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for [Native API](https://attack.mitre.org/techniques/T1106) function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)";
dcterms:modified "2023-03-14T16:18:50.582Z"^^xsd:dateTime .
:relationship--73e382dc-5808-42b6-b796-e4ca35a198f4
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e;
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Remote access tools with built-in features may interact directly with the Windows API, such as calling <code> GetLocaleInfoW</code> to gather information.(Citation: FBI Ragnar Locker 2020)";
dcterms:modified "2022-03-30T14:26:51.872Z"^^xsd:dateTime .
:relationship--8eed7d01-46dc-4b25-a42d-bd9afcb84963
rdf:type stix:Relationship;
stix:source_ref :malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2019-04-19T15:30:36.746Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HOPLIGHT](https://attack.mitre.org/software/S0376) has used svchost.exe to execute a malicious DLL .(Citation: US-CERT HOPLIGHT Apr 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:attack-pattern--a0a189c8-d3bd-4991-bf6f-153d185ee373
rdf:type d3f:OffensiveTechnique;
rdfs:label "LC_MAIN Hijacking";
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "**This technique has been deprecated and should no longer be used.**\n\nAs of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--a358f0a9-b5b9-4a84-8c83-dc0a1325d63e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: MS17-010 March 2017)";
dcterms:modified "2023-03-26T17:51:20.416Z"^^xsd:dateTime .
:relationship--e50b6d7a-8c22-45f3-9d60-383064cc58d4
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb;
stix:target_ref :malware--53ab35c2-d00e-491a-8753-41d35ae7e547;
dcterms:created "2019-01-29T21:37:00.018Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Unit42 SilverTerrier 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--f25505f6-dbd0-4d7b-8e8c-b3885f206cbf
rdf:type stix:Relationship;
stix:source_ref :tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4;
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) can scan local network for open SMB.(Citation: Github Koadic)";
dcterms:modified "2020-03-16T16:55:04.386Z"^^xsd:dateTime .
:relationship--4ab6ada3-0129-4f34-ba29-b793c6d98fff
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2019-01-30T17:33:41.156Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to collect the victim’s IP address and domain name.(Citation: Securelist MuddyWater Oct 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ecd6c482-51ae-402c-8482-4feb9cda9b05
rdf:type stix:Relationship;
stix:source_ref :malware--c9b99d03-ff11-4a48-95f0-82660d582c25;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2021-07-16T19:42:59.611Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GrimAgent](https://attack.mitre.org/software/S0632) has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.(Citation: Group IB GrimAgent July 2021)";
dcterms:modified "2021-07-16T19:42:59.611Z"^^xsd:dateTime .
:relationship--9505cb0b-a9b6-4680-94ed-ae74916444f0
rdf:type stix:Relationship;
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2023-03-26T16:38:22.644Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) routinely removed their tools, including custom backdoors, once remote access was achieved.(Citation: FireEye SUNBURST Backdoor December 2020)";
dcterms:modified "2023-03-26T16:38:22.644Z"^^xsd:dateTime .
:relationship--5181727e-706d-4e57-8a41-628a27e03c6c
rdf:type stix:Relationship;
stix:source_ref :tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27;
stix:target_ref :attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5;
dcterms:created "2019-09-03T18:32:49.397Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[esentutl](https://attack.mitre.org/software/S0404) can be used to read and write alternate data streams.(Citation: LOLBAS Esentutl)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c8a0012e-9b2c-4fef-8aeb-7bc77d1b16c3
rdf:type stix:Relationship;
stix:source_ref :malware--11194d8b-fdce-45d2-8047-df15bb8f16bd;
stix:target_ref :attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9;
dcterms:created "2021-04-01T16:05:11.061Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Exaramel for Linux](https://attack.mitre.org/software/S0401) can execute commands with high privileges via a specific binary with setuid functionality.(Citation: ANSSI Sandworm January 2021)";
dcterms:modified "2021-04-13T00:50:31.596Z"^^xsd:dateTime .
:course-of-action--d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d
rdf:type stix:CourseOfAction;
rdfs:label "Video Capture Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)";
dcterms:modified "2021-08-23T20:25:20.925Z"^^xsd:dateTime .
:relationship--52e9ca8d-a778-46d1-9521-743a8e47c503
rdf:type stix:Relationship;
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2021-11-16T15:32:34.252Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can retrieve configuration data from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)";
dcterms:modified "2022-04-15T17:05:10.474Z"^^xsd:dateTime .
:relationship--7b458295-8e67-4f1f-acde-3316ae2e061e
rdf:type stix:Relationship;
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2019-03-26T17:48:52.143Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used Powershell to retrieve the malicious payload and download additional resources like [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: Symantec Emotet Jul 2018)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019)(Citation: Carbon Black Emotet Apr 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--10c6cc56-a028-4c2a-b24e-38d97fb4ebb7
rdf:type stix:Relationship;
stix:source_ref :malware--cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e;
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NetTraveler](https://attack.mitre.org/software/S0033) reports window names along with keylogger information to provide application context.(Citation: Kaspersky NetTraveler)";
dcterms:modified "2020-03-16T17:20:39.755Z"^^xsd:dateTime .
:relationship--b28f8635-6a79-4be1-b05a-b4356a04e7c2
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2995bc22-2851-4345-ad19-4e7e295be264;
stix:target_ref :attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9;
dcterms:created "2019-06-25T14:33:33.684Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Block unknown devices and accessories by endpoint security configuration and monitoring agent.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b
rdf:type stix:IntrusionSet;
rdfs:label "ZIRCONIUM";
dcterms:created "2021-03-24T15:48:17.731Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)";
dcterms:modified "2023-03-22T22:10:43.732Z"^^xsd:dateTime .
:relationship--690d1b72-9fb0-426a-9db4-075abf045688
rdf:type stix:Relationship;
stix:source_ref :malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2;
stix:target_ref :attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939;
dcterms:created "2023-03-26T19:37:12.922Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pillowmint](https://attack.mitre.org/software/S0517) has stored a compressed payload in the Registry key <code>HKLM\\SOFTWARE\\Microsoft\\DRM</code>.(Citation: Trustwave Pillowmint June 2020)";
dcterms:modified "2023-03-26T19:37:58.169Z"^^xsd:dateTime .
:relationship--7696d163-7556-47e2-9ade-25924311fba6
rdf:type stix:Relationship;
stix:source_ref :malware--3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-08-07T15:36:18.985Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AuTo Stealer](https://attack.mitre.org/software/S1029) can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)";
dcterms:modified "2022-08-24T16:52:51.000Z"^^xsd:dateTime .
:relationship--00e99176-c74e-4f49-a498-c66a71612a5b
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082;
dcterms:created "2021-04-07T13:57:06.538Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use self signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)";
dcterms:modified "2022-11-30T22:37:12.371Z"^^xsd:dateTime .
:attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada
rdf:type d3f:OffensiveTechnique;
rdfs:label "System Firmware";
dcterms:created "2019-12-19T19:43:34.507Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.";
dcterms:modified "2023-03-30T21:01:49.493Z"^^xsd:dateTime .
:attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3
rdf:type d3f:OffensiveTechnique;
rdfs:label "External Defacement";
dcterms:created "2020-02-20T14:34:08.496Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--f60b8223-eea6-422e-99c6-7f9b70e8ea53
rdf:type stix:Relationship;
stix:source_ref :malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573;
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619;
dcterms:created "2020-05-11T22:12:28.689Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.(Citation: FireEye MESSAGETAP October 2019)";
dcterms:modified "2020-06-24T01:43:11.357Z"^^xsd:dateTime .
:relationship--9af6241d-355a-4673-b772-8384a718ed64
rdf:type stix:Relationship;
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2019-04-26T20:07:36.100Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has obfuscated its strings with a simple XOR encryption with a static key.(Citation: ESET Ebury Feb 2014)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--16e0be5b-93bb-4db2-b6ed-02e34a6ce3cb
rdf:type stix:Relationship;
stix:source_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3;
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377;
dcterms:created "2019-03-13T14:38:31.345Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Empire](https://attack.mitre.org/software/S0363) has the ability to obfuscate commands using <code>Invoke-Obfuscation</code>.(Citation: Github PowerShell Empire)";
dcterms:modified "2023-03-22T03:43:28.823Z"^^xsd:dateTime .
:relationship--1c7e778c-4193-44e5-85b4-ba7e7668455f
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f;
stix:target_ref :attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf;
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--a7ec0d1d-462b-4909-acee-f2aa1f9199b1
rdf:type stix:Relationship;
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44;
stix:target_ref :attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65;
dcterms:created "2022-09-02T20:10:18.795Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description " [Bumblebee](https://attack.mitre.org/software/S1039) can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee April 2022)";
dcterms:modified "2022-09-02T20:10:18.795Z"^^xsd:dateTime .
:relationship--a291d185-31c8-4458-a3fc-9af617af28d9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1;
stix:target_ref :attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24;
dcterms:created "2021-12-06T19:48:35.203Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)";
dcterms:modified "2023-02-06T22:09:34.693Z"^^xsd:dateTime .
:relationship--431ec495-5f92-40e9-9955-58ca334ea3c8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT34 Dec 2017)";
dcterms:modified "2020-03-18T20:18:02.878Z"^^xsd:dateTime .
:relationship--0559aa0e-31c2-478b-afce-00d0939066c3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253;
dcterms:created "2022-08-18T19:19:20.765Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)";
dcterms:modified "2022-12-01T17:31:07.698Z"^^xsd:dateTime .
:attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd
rdf:type d3f:OffensiveTechnique;
rdfs:label "Exfiltration Over Bluetooth";
dcterms:created "2020-03-09T17:07:57.392Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--ab3fe31a-051e-4db5-bcf0-20a93b4bae9b
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018)";
dcterms:modified "2020-03-18T20:01:05.712Z"^^xsd:dateTime .
:relationship--7b510a6f-3e11-49b3-bf97-a1ca24bca663
rdf:type stix:Relationship;
stix:source_ref :malware--8393dac0-0583-456a-9372-fd81691bca20;
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b;
dcterms:created "2020-08-24T14:27:37.560Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The [PipeMon](https://attack.mitre.org/software/S0501) communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)";
dcterms:modified "2020-08-24T14:27:37.560Z"^^xsd:dateTime .
:relationship--8f925090-4063-429f-a0a4-ccaf4825ef78
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--63220765-d418-44de-8fae-694b3912317d;
dcterms:created "2022-03-30T14:26:51.873Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--dcafed44-9d31-4d75-915f-660f5fd62fed
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07;
stix:target_ref :malware--fa766a65-5136-4ff3-8429-36d08eaa0100;
dcterms:created "2021-03-05T18:09:35.145Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)";
dcterms:modified "2021-10-01T20:31:32.461Z"^^xsd:dateTime .
:relationship--a3a7d091-49bb-4fd1-9442-d02e83a48ea1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91;
dcterms:created "2019-06-05T13:50:11.204Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.(Citation: Talos MuddyWater May 2019) ";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--927e8d82-d094-4170-bc76-10717ffd8d7f
rdf:type stix:Relationship;
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve IP, network adapter configuration information, and domain from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)";
dcterms:modified "2020-05-18T19:37:52.427Z"^^xsd:dateTime .
:relationship--2315fa7f-2161-45c1-9f23-d47a96488465
rdf:type stix:Relationship;
stix:source_ref :malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2022-08-15T17:07:19.295Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[StrifeWater](https://attack.mitre.org/software/S1034) can encrypt C2 traffic using XOR with a hard coded key.(Citation: Cybereason StrifeWater Feb 2022)";
dcterms:modified "2022-10-11T18:43:42.498Z"^^xsd:dateTime .
:relationship--8df1a464-9623-46bf-b23b-0430aa0a8c44
rdf:type stix:Relationship;
stix:source_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2019-01-29T14:51:06.828Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[gh0st RAT](https://attack.mitre.org/software/S0032) uses RC4 and XOR to encrypt C2 traffic.(Citation: Nccgroup Gh0st April 2018)";
dcterms:modified "2021-03-29T19:49:11.282Z"^^xsd:dateTime .
:relationship--aa4038e3-451f-4ad7-acc7-5c971825967b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2020-05-13T19:39:41.704Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Molerats](https://attack.mitre.org/groups/G0021) saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)";
dcterms:modified "2020-05-14T14:30:09.500Z"^^xsd:dateTime .
:relationship--c128b821-b39b-481a-91a1-a2bad7d6dda2
rdf:type stix:Relationship;
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51;
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c;
dcterms:created "2019-04-23T15:49:35.541Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has encoded C2 traffic in hexadecimal format.(Citation: ESET Ebury Feb 2014)\t";
dcterms:modified "2020-03-20T18:11:07.913Z"^^xsd:dateTime .
:relationship--651fab10-d53c-47ca-bd1d-a40b47d0af41
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871;
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d;
dcterms:created "2020-11-17T21:06:05.077Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--33390e6e-f262-48fb-a74a-084c310b3aa2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13;
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9;
dcterms:created "2022-05-25T18:56:20.248Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)";
dcterms:modified "2023-01-09T19:49:22.026Z"^^xsd:dateTime .
:relationship--2c93a27a-c6f0-46b9-857b-b746e2204670
rdf:type stix:Relationship;
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2021-11-16T15:32:34.263Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can remotely exfiltrate sensitive information from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)";
dcterms:modified "2022-04-15T20:01:10.774Z"^^xsd:dateTime .
:relationship--519c4c7f-8495-4b8a-b58e-551a78e469cc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896;
dcterms:created "2017-05-31T21:33:27.045Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query</code> command.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .(Citation: ESET Turla PowerShell May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:malware--7724581b-06ff-4d2b-b77c-80dc8d53070b
rdf:type stix:Malware;
rdfs:label "Saint Bot";
dcterms:created "2022-06-09T18:50:58.722Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T19:56:56.809Z"^^xsd:dateTime .
:relationship--289e01df-60e6-4eee-830e-9d742ac10c86
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2017-05-31T21:33:27.064Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Threat Group-1314](https://attack.mitre.org/groups/G0028) actors spawned shells on remote systems on a victim network to execute commands.(Citation: Dell TG-1314)";
dcterms:modified "2020-03-19T21:58:20.958Z"^^xsd:dateTime .
:relationship--52b6181e-881e-4b96-93a3-1292bc2f1352
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9378f139-10ef-4e4b-b679-2255a0818902;
stix:target_ref :attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427;
dcterms:created "2017-05-31T21:33:27.023Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--c7c2e904-7797-4d67-a0bf-dae4abf53689
rdf:type stix:Relationship;
stix:source_ref :malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2021-09-09T13:53:16.364Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ObliqueRAT](https://attack.mitre.org/software/S0644) can check for blocklisted usernames on infected endpoints.(Citation: Talos Oblique RAT March 2021)";
dcterms:modified "2021-10-15T14:43:12.266Z"^^xsd:dateTime .
:course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c
rdf:type stix:CourseOfAction;
rdfs:label "Sudo Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.";
dcterms:modified "2019-07-25T12:03:12.876Z"^^xsd:dateTime .
:relationship--24d5ba1b-dbce-4c25-8180-1ee40b8c827f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2020-05-14T21:40:31.265Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious DOC and PDF files to targets so that they can be opened by a user.(Citation: McAfee Sharpshooter December 2018)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--87cf80be-bae1-4a12-a754-38cad36724ac
rdf:type stix:Relationship;
stix:source_ref :course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547;
stix:target_ref :attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414;
dcterms:created "2023-07-10T15:23:12.206Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Restrict the use of third-party software suites installed within an enterprise network. ";
dcterms:modified "2023-07-10T15:23:12.206Z"^^xsd:dateTime .
:relationship--d3e06c85-ec0b-4e6d-b1f0-f65ff9bc5e3a
rdf:type stix:Relationship;
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe;
stix:target_ref :attack-pattern--84601337-6a55-4ad7-9c35-79e0d1ea2ab3;
dcterms:created "2021-10-06T02:04:09.765Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to install a login Item by sending Apple events to the <code>System Events</code> process.(Citation: hexed osx.dok analysis 2019)";
dcterms:modified "2021-10-06T02:04:09.765Z"^^xsd:dateTime .
:relationship--52ed39dd-0f4c-4e30-8b3b-7eb75b5c87e3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2022-01-18T18:15:50.985Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021)";
dcterms:modified "2022-04-10T18:32:55.533Z"^^xsd:dateTime .
:relationship--f8b6eae9-cf2b-4b16-8c44-03d989533dd6
rdf:type stix:Relationship;
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46;
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945;
dcterms:created "2020-02-21T18:52:23.547Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--78ca7fcf-95b9-485c-a87b-2ac083312885
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac;
dcterms:created "2019-04-12T16:59:08.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)";
dcterms:modified "2022-07-28T18:55:36.008Z"^^xsd:dateTime .
:relationship--529360d5-172a-4326-b993-e3af75d3e7af
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2020-03-17T18:23:51.085Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:32.169Z"^^xsd:dateTime .
:relationship--eda23a3d-a1d0-4e98-85fc-5ac083f53f5c
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44;
stix:target_ref :attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53;
dcterms:created "2020-01-13T16:33:20.771Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e4fa961c-e72b-47b3-b0fb-8051f9ca4d63
rdf:type stix:Relationship;
stix:source_ref :malware--df350889-4de9-44e5-8cb3-888b8343e97c;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2023-02-08T00:26:56.918Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[metaMain](https://attack.mitre.org/software/S1059) can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)";
dcterms:modified "2023-04-05T15:01:59.556Z"^^xsd:dateTime .
:relationship--03256e99-70fb-4d2d-ac8e-79294aef87dc
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e;
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5;
dcterms:created "2022-03-30T14:26:51.854Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for contextual data about named pipes on the system.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7ec9fb4c-0adb-477e-b8ef-3a7973d40e99
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2020-11-18T17:17:06.515Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--43c68bb8-28e2-4ee0-91aa-ffc16dcc45bc
rdf:type stix:Relationship;
stix:source_ref :malware--6c575670-d14c-4c7f-9b9d-fd1b363e255d;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2023-01-03T21:06:00.496Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KEYPLUG](https://attack.mitre.org/software/S1051) can decode its configuration file to determine C2 protocols.(Citation: Mandiant APT41)";
dcterms:modified "2023-01-03T21:06:00.496Z"^^xsd:dateTime .
:relationship--37b7ba1e-5093-4a0d-920b-c86d3c9c766b
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2019-04-23T15:06:52.791Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [PsExec](https://attack.mitre.org/software/S0029) for remote execution.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--fcd3bc09-f88b-43d7-989d-10f7058e655e
rdf:type stix:Relationship;
stix:source_ref :malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83;
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc;
dcterms:created "2020-05-06T21:31:07.327Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Okrum](https://attack.mitre.org/software/S0439) mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Citation: ESET Okrum July 2019)";
dcterms:modified "2020-05-06T21:31:07.327Z"^^xsd:dateTime .
:relationship--7ee6890f-748e-419e-a442-7dd44e29958a
rdf:type stix:Relationship;
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses HTTP for C2 communication.(Citation: Palo Alto Comnie)";
dcterms:modified "2020-03-17T00:43:32.094Z"^^xsd:dateTime .
:relationship--49d40f3b-33b4-424c-a645-82d2a84e5c28
rdf:type stix:Relationship;
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448;
stix:target_ref :attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591;
dcterms:created "2020-02-21T22:16:10.099Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Restrict the permissions on sensitive files such as <code>/proc/[pid]/maps</code> or <code>/proc/[pid]/mem</code>. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--7ae9b8ce-5675-4a39-822c-b603f7ad816b
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4;
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--026a63ae-dd3d-4ea6-8a32-c40c9b37b893
rdf:type stix:Relationship;
stix:source_ref :malware--4ab44516-ad75-4e43-a280-705dc0420e2f;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZeroT](https://attack.mitre.org/software/S0230) shellcode decrypts and decompresses its RC4-encrypted payload.(Citation: Proofpoint ZeroT Feb 2017)";
dcterms:modified "2020-03-17T02:54:39.798Z"^^xsd:dateTime .
:relationship--38be247c-74b0-42f3-964e-5f23ef42a353
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2019-07-22T15:35:24.351Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) collected data from the victim's local system, including password hashes from the SAM hive in the Registry.(Citation: Cybereason Soft Cell June 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91
rdf:type :MitreDataComponent;
rdfs:label "User Account Deletion";
dcterms:created "2021-10-20T15:05:19.271Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--328e9746-4bb6-47e1-8e71-6418ca04c5fa
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2020-05-27T15:31:09.539Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)";
dcterms:modified "2020-06-25T13:59:09.943Z"^^xsd:dateTime .
:relationship--ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd
rdf:type stix:Relationship;
stix:source_ref :malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3;
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mivast](https://attack.mitre.org/software/S0080) has the capability to gather NTLM password information.(Citation: Symantec Backdoor.Mivast)";
dcterms:modified "2020-03-25T16:03:27.015Z"^^xsd:dateTime .
:relationship--e6b509c8-0e00-48ac-b76d-f42d18a0ae51
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6;
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0;
dcterms:created "2021-05-26T12:38:01.263Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT19](https://attack.mitre.org/groups/G0073) has obtained and used publicly-available tools like [Empire](https://attack.mitre.org/software/S0363).(Citation: NCSC Joint Report Public Tools)(Citation: FireEye APT19)";
dcterms:modified "2021-05-26T12:38:01.263Z"^^xsd:dateTime .
:relationship--40ed9be1-9c97-46fc-a967-9468888576a8
rdf:type stix:Relationship;
stix:source_ref :campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f;
stix:target_ref :malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61;
dcterms:created "2022-09-29T20:25:16.869Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cylance Dust Storm)";
dcterms:modified "2022-09-29T20:25:16.869Z"^^xsd:dateTime .
:relationship--c8f99c96-d4f7-49dc-9ee9-0bcae28ab045
rdf:type stix:Relationship;
stix:source_ref :malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2021-10-15T13:47:16.400Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SombRAT](https://attack.mitre.org/software/S0615) can enumerate services on a victim machine.(Citation: BlackBerry CostaRicto November 2020)";
dcterms:modified "2021-10-15T13:47:16.400Z"^^xsd:dateTime .
:relationship--dddaffe1-4d47-4ffd-93e4-3827dc9abb50
rdf:type stix:Relationship;
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51;
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082;
dcterms:created "2019-04-23T15:49:35.554Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has installed a self-signed RPM package mimicking the original system package on RPM based systems.(Citation: ESET Ebury Feb 2014)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--48cff69b-577c-4837-b894-95b19f255134
rdf:type stix:Relationship;
stix:source_ref :campaign--4c840263-bbda-440d-a22b-674679ddebf1;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-09-16T15:56:47.769Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.(Citation: ESET Operation Spalax Jan 2021) ";
dcterms:modified "2022-09-16T15:56:47.769Z"^^xsd:dateTime .
:relationship--a868dec8-2bfc-449e-b720-d4e6c7e37d13
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c;
stix:target_ref :attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6;
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--d2a8729f-6271-46a0-8a40-a8567c9e5092
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74;
stix:target_ref :tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Symantec Leafminer July 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c5e3e18d-124e-4ae2-a95c-9db8f6d53000
rdf:type stix:Relationship;
stix:source_ref :malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d;
stix:target_ref :attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47;
dcterms:created "2020-07-15T19:02:25.131Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[IcedID](https://attack.mitre.org/software/S0483) has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. [IcedID](https://attack.mitre.org/software/S0483) can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)";
dcterms:modified "2020-08-14T14:25:54.036Z"^^xsd:dateTime .
:relationship--37da9e7e-f366-4211-84bd-34fd9c43d681
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605;
dcterms:created "2020-08-17T14:37:43.670Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)";
dcterms:modified "2020-08-17T14:37:43.670Z"^^xsd:dateTime .
:relationship--1c935a6d-dd69-4be3-bfed-56c01d0f9413
rdf:type stix:Relationship;
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2022-08-19T20:53:00.366Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bumblebee](https://attack.mitre.org/software/S1039) can use WMI to gather system information and to spawn processes for code injection.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)";
dcterms:modified "2022-10-12T21:50:55.250Z"^^xsd:dateTime .
:relationship--f8127cf5-e2b6-41a3-b18f-ba250e2c01f9
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d;
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through <code>osascript</code> and usage of <code>OSAScript</code> API that may be related to other suspicious behavior occurring on the system. ";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--699979b0-6a9a-4482-9656-82c8fb210676
rdf:type stix:Relationship;
stix:source_ref :malware--2f8229dc-da94-41c6-89ba-b5b6c32f6b7d;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2021-08-03T14:06:06.942Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EnvyScout](https://attack.mitre.org/software/S0634) can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021)";
dcterms:modified "2021-08-04T13:54:53.439Z"^^xsd:dateTime .
:relationship--6eb97f82-c49f-465d-b788-15a789f928b5
rdf:type stix:Relationship;
stix:source_ref :malware--3be1fb7a-0f7e-415e-8e3a-74a80d596e68;
stix:target_ref :attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2;
dcterms:created "2023-04-04T22:02:38.620Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mafalda](https://attack.mitre.org/software/S1060) can conduct mouse event logging.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)";
dcterms:modified "2023-04-04T22:02:38.620Z"^^xsd:dateTime .
:relationship--35aac341-5371-42e8-ad93-3ab94a11b51a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446;
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22;
dcterms:created "2017-05-31T21:33:27.070Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Poseidon Group](https://attack.mitre.org/groups/G0033) conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.(Citation: Kaspersky Poseidon Group)";
dcterms:modified "2020-03-18T15:34:54.805Z"^^xsd:dateTime .
:relationship--c298538c-bab6-4982-9b83-17f752358932
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27;
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0;
dcterms:created "2021-10-12T21:57:25.960Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gorgon Group](https://attack.mitre.org/groups/G0078) has obtained and used tools such as [QuasarRAT](https://attack.mitre.org/software/S0262) and [Remcos](https://attack.mitre.org/software/S0332).(Citation: Unit 42 Gorgon Group Aug 2018)";
dcterms:modified "2021-10-12T21:57:25.960Z"^^xsd:dateTime .
:relationship--d08b9cb8-0f97-4933-b0de-40e4626dd13e
rdf:type stix:Relationship;
stix:source_ref :malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2019-04-17T19:18:00.433Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Remexi](https://attack.mitre.org/software/S0375) uses AutoIt and VBS scripts throughout its execution process.(Citation: Securelist Remexi Jan 2019)";
dcterms:modified "2020-03-17T19:24:27.802Z"^^xsd:dateTime .
:relationship--64c83ccd-f074-4ff2-80c9-05d03f8fc9d3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7;
stix:target_ref :attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5;
dcterms:created "2022-06-10T16:43:53.015Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LAPSUS$](https://attack.mitre.org/groups/G1004) has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing [LAPSUS$](https://attack.mitre.org/groups/G1004) to take control of an authenticated system.(Citation: MSTIC DEV-0537 Mar 2022)";
dcterms:modified "2022-10-12T13:03:14.255Z"^^xsd:dateTime .
:relationship--f8c320cc-97f5-4b3a-8847-92c42b6a48b7
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6;
stix:target_ref :attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba;
dcterms:created "2020-02-11T18:27:15.862Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2fdc9078-0737-4b2c-bb6c-f046b63c368b
rdf:type stix:Relationship;
stix:source_ref :malware--99fdf3b4-96ef-4ab9-b191-fc683441cad0;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2020-11-19T17:01:57.288Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bazar](https://attack.mitre.org/software/S0534) can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)";
dcterms:modified "2020-11-19T17:01:57.288Z"^^xsd:dateTime .
:relationship--09505cc8-8e0f-4283-9329-df2bea12867c
rdf:type stix:Relationship;
stix:source_ref :malware--29231689-5837-4a7a-aafc-1b65b3f50cc7;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2021-07-02T14:39:07.851Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The file collection tool used by [RainyDay](https://attack.mitre.org/software/S0629) can utilize native API including <code>ReadDirectoryChangeW</code> for folder monitoring.(Citation: Bitdefender Naikon April 2021)";
dcterms:modified "2021-07-02T14:40:30.230Z"^^xsd:dateTime .
:relationship--b09075c8-6a45-4fd1-bdaf-c48a193bdd23
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. ";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c
rdf:type :MitreDataComponent;
rdfs:label "Instance Creation";
dcterms:created "2021-10-20T15:05:19.274Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--52eba50c-4ebb-4e61-8065-4f6483f55321
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd;
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. This behavior also considers files that are overwritten.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3b947696-f88a-4e6b-b408-b9f91c3cecdf
rdf:type stix:Relationship;
stix:source_ref :malware--7e100ca4-e639-48d9-9a9d-8ad84aa7b448;
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab;
dcterms:created "2022-09-30T15:34:41.298Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mori](https://attack.mitre.org/software/S1047) can use `regsvr32.exe` for DLL execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)";
dcterms:modified "2022-10-12T18:43:03.146Z"^^xsd:dateTime .
:relationship--514a384a-2b09-4b4f-9def-8e4007b49734
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2023-07-31T18:18:33.737Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has discovered file system types, drive names, size, and free space on compromised systems.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)";
dcterms:modified "2023-09-08T17:13:44.825Z"^^xsd:dateTime .
:relationship--e57ffe68-7c4c-42dc-9192-78040606ec58
rdf:type stix:Relationship;
stix:source_ref :malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd;
stix:target_ref :attack-pattern--7fd87010-3a00-4da3-b905-410525e8ec44;
dcterms:created "2019-06-21T17:23:28.017Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PowerStallion](https://attack.mitre.org/software/S0393) uses [PowerShell](https://attack.mitre.org/techniques/T1086) loops to iteratively check for available commands in its OneDrive C2 server.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3
rdf:type stix:IntrusionSet;
rdfs:label "HEXANE";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)";
dcterms:modified "2023-03-22T04:43:59.082Z"^^xsd:dateTime .
:relationship--03f288cd-a189-4de9-abd4-6b10bda138a4
rdf:type stix:Relationship;
stix:source_ref :malware--327b3a25-9e60-4431-b3b6-93b9c64eacbc;
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b;
dcterms:created "2022-03-09T21:09:11.109Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tomiris](https://attack.mitre.org/software/S0671) has connected to a signalization server that provides a URL and port, and then [Tomiris](https://attack.mitre.org/software/S0671) sends a GET request to that URL to establish C2.(Citation: Kaspersky Tomiris Sep 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--9e0a19f8-e970-49a1-9952-ae7380247ace
rdf:type stix:Relationship;
stix:source_ref :course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547;
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1;
dcterms:created "2020-03-09T14:38:24.604Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Prevent users from installing Python where not required.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6988bc63-8020-44c2-9e38-03370f97e96a
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa;
stix:target_ref :attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747;
dcterms:created "2022-03-30T14:26:51.852Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)";
dcterms:modified "2022-04-20T14:27:01.264Z"^^xsd:dateTime .
:relationship--618d4835-6022-46df-bee1-38fcb97ffb91
rdf:type stix:Relationship;
stix:source_ref :malware--cb444a16-3ea5-4a91-88c6-f329adcb8af3;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2019-06-17T18:49:30.445Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[YAHOYAH](https://attack.mitre.org/software/S0388) checks for antimalware solution processes on the system.(Citation: TrendMicro TropicTrooper 2015)";
dcterms:modified "2023-03-23T15:24:22.263Z"^^xsd:dateTime .
:relationship--93b62fc4-f024-4482-9ea1-041bc3d29bfd
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad;
stix:target_ref :attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36;
dcterms:created "2020-06-11T19:52:07.230Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Rocke](https://attack.mitre.org/groups/G0106) has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)";
dcterms:modified "2020-06-11T19:52:07.230Z"^^xsd:dateTime .
:relationship--ddbbd283-6874-4348-82c7-98df6d59ac41
rdf:type stix:Relationship;
stix:source_ref :malware--4a98e44a-bd52-461e-af1e-a4457de87a36;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FruitFly](https://attack.mitre.org/software/S0277) looks for specific files and file types.(Citation: objsee mac malware 2017)";
dcterms:modified "2020-01-17T19:43:39.447Z"^^xsd:dateTime .
:attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb
rdf:type d3f:OffensiveTechnique;
rdfs:label "LC_LOAD_DYLIB Addition";
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--17e5edb8-fcdf-4581-a428-5a3a75fc675a
rdf:type stix:Relationship;
stix:source_ref :malware--e2031fd5-02c2-43d4-85e2-b64f474530c2;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2021-10-13T23:51:59.970Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Octopus](https://attack.mitre.org/software/S0340) can exfiltrate files from the system using a documents collector tool.(Citation: ESET Nomadic Octopus 2018)";
dcterms:modified "2021-10-14T14:09:00.920Z"^^xsd:dateTime .
:relationship--a8fd0806-56eb-4438-bcce-18f7851a07c6
rdf:type stix:Relationship;
stix:source_ref :campaign--c89fa3ff-4773-4daf-8aec-d8f43f10116e;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2023-07-25T20:23:35.966Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors downloaded malicious payloads onto select compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023)";
dcterms:modified "2023-07-25T20:23:35.967Z"^^xsd:dateTime .
:relationship--f02fafab-e905-48a4-953d-6238f740cc77
rdf:type stix:Relationship;
stix:source_ref :malware--1fefb062-feda-484a-8f10-0cebf65e20e3;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2023-10-04T18:06:27.622Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SharpDisco](https://attack.mitre.org/software/S1089) has been used to download a Python interpreter to `C:\\Users\\Public\\WinTN\\WinTN.exe` as well as other plugins from external sources.(Citation: MoustachedBouncer ESET August 2023)";
dcterms:modified "2023-10-04T18:07:34.751Z"^^xsd:dateTime .
:relationship--23d16034-a2eb-40ef-857b-63708e63bf9a
rdf:type stix:Relationship;
stix:source_ref :malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Orz](https://attack.mitre.org/software/S0229) can gather the victim OS version and whether it is 64 or 32 bit.(Citation: Proofpoint Leviathan Oct 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--9ee064f9-05bc-4b9e-ad95-d1ae4f1c048a
rdf:type stix:Relationship;
stix:source_ref :malware--a5528622-3a8a-4633-86ce-8cdaf8423858;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FinFisher](https://attack.mitre.org/software/S0182) creates a new Windows service with the malicious executable for persistence.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--d53305c1-45c5-4a3c-9c9d-c5d324161402
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b;
dcterms:created "2022-03-30T14:26:51.832Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41
rdf:type d3f:OffensiveTechnique;
rdfs:label "Symmetric Cryptography";
dcterms:created "2020-03-16T15:45:17.032Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--e525352e-0d7e-41e4-bb35-9c50f9ef39c6
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5;
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db;
dcterms:created "2020-01-24T14:32:40.533Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca
rdf:type d3f:OffensiveTechnique;
rdfs:label "Elevated Execution with Prompt";
dcterms:created "2019-08-08T14:29:37.108Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e94dc1ba-678b-4c09-9c29-515a5d277ec4
rdf:type stix:Relationship;
stix:source_ref :malware--532c6004-b1e8-415b-9516-f7c14ba783b1;
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f;
dcterms:created "2021-09-28T17:59:40.603Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)";
dcterms:modified "2021-10-15T15:03:46.221Z"^^xsd:dateTime .
:relationship--1555866c-1eca-4de3-aded-d745fdd47d1c
rdf:type stix:Relationship;
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b;
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643;
dcterms:created "2022-09-26T18:00:22.254Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020)";
dcterms:modified "2022-09-26T18:00:22.254Z"^^xsd:dateTime .
:relationship--f4ea1985-0e88-488d-b7ed-ac294719738a
rdf:type stix:Relationship;
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-01-07T20:53:11.172Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) can downloaded payloads from C2 to the compromised host.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)";
dcterms:modified "2023-09-13T18:16:43.590Z"^^xsd:dateTime .
:relationship--2db67ddf-b414-4dc7-87ab-0846a8bd1e8e
rdf:type stix:Relationship;
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448;
stix:target_ref :attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f;
dcterms:created "2020-01-23T19:59:52.898Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Restrict storage and execution of Control Panel items to protected directories, such as <code>C:\\Windows</code>, rather than user directories.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--e8edf0d8-3c24-4082-9177-1bfb6e7d95c6
rdf:type stix:Relationship;
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2020-06-26T16:17:18.217Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-06-29T21:37:56.053Z"^^xsd:dateTime .
:relationship--2843ccc2-4869-48a0-8967-b9856a778a2c
rdf:type stix:Relationship;
stix:source_ref :malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Felismus](https://attack.mitre.org/software/S0171) has masqueraded as legitimate Adobe Content Management System files.(Citation: Forcepoint Felismus Mar 2017)";
dcterms:modified "2020-03-17T23:48:42.867Z"^^xsd:dateTime .
:relationship--9eeb0de3-2010-4f77-949d-501299902a63
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb;
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--e711d51c-94d3-4a20-ae11-d3584bae36d9
rdf:type stix:Relationship;
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923;
stix:target_ref :attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391;
dcterms:created "2021-03-22T21:57:48.752Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) uses a function named <code>is_debugging</code> to perform anti-debugging logic. The function invokes <code>sysctl</code> checking the returned value of <code>P_TRACED</code>. [ThiefQuest](https://attack.mitre.org/software/S0595) also calls <code>ptrace</code> with the <code>PTRACE_DENY_ATTACH</code> flag to prevent debugging.(Citation: wardle evilquest partii)";
dcterms:modified "2022-04-16T15:01:18.203Z"^^xsd:dateTime .
:attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967
rdf:type d3f:OffensiveTechnique;
rdfs:label "Disk Wipe";
dcterms:created "2020-02-20T22:02:20.372Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)";
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime .
:relationship--3f0d3b07-9996-40bc-a2c3-6ed7eb39e5fc
rdf:type stix:Relationship;
stix:source_ref :tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2022-03-26T03:47:59.041Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mythic](https://attack.mitre.org/software/S0699) supports HTTP-based C2 profiles.(Citation: Mythc Documentation)\t";
dcterms:modified "2022-03-26T03:47:59.041Z"^^xsd:dateTime .
:relationship--6a1d90c0-f103-4e7f-b462-73749407dceb
rdf:type stix:Relationship;
stix:source_ref :course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485;
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84;
dcterms:created "2022-02-09T19:46:57.209Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure that <code>AllowReversiblePasswordEncryption</code> property is set to disabled unless there are application requirements.(Citation: store_pwd_rev_enc)";
dcterms:modified "2022-02-10T22:26:34.270Z"^^xsd:dateTime .
:relationship--00c0e096-f023-4ccc-8567-d1e8c8494cb5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2020-05-11T21:30:27.895Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering various local system information.(Citation: Talos Frankenstein June 2019)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--1770cc28-c49c-4b70-b4d0-6976efaede16
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A [Patchwork](https://attack.mitre.org/groups/G0040) payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--4f6975b8-e16e-47ba-b241-b2267c5da4ef
rdf:type stix:Relationship;
stix:source_ref :campaign--b03d5112-e23a-4ac8-add0-be7502d24eff;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-09-27T16:21:58.161Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors exfiltrated files and directories of interest from the targeted system.(Citation: FoxIT Wocao December 2019)";
dcterms:modified "2022-09-27T16:21:58.161Z"^^xsd:dateTime .
:relationship--5508061c-abeb-4c96-8daf-cb0d612bce08
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2022-06-16T13:09:57.102Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.";
dcterms:modified "2022-06-16T13:09:57.102Z"^^xsd:dateTime .
:relationship--e04e9e57-90e8-44f7-8596-0fc5365360e1
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1;
stix:target_ref :attack-pattern--70d81154-b187-45f9-8ec5-295d01255979;
dcterms:created "2022-03-30T14:26:51.847Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--616bf309-ed87-4573-8640-416e6f05285d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9;
dcterms:created "2021-04-16T21:44:38.728Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicous link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)";
dcterms:modified "2023-03-23T19:33:58.651Z"^^xsd:dateTime .
:attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119
rdf:type d3f:OffensiveTechnique;
rdfs:label "Password Guessing";
dcterms:created "2020-02-11T18:38:22.617Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.";
dcterms:modified "2023-10-16T16:57:41.743Z"^^xsd:dateTime .
:relationship--4d90fd9d-9f9b-45f8-986d-3db43b679905
rdf:type stix:Relationship;
stix:source_ref :malware--26fed817-e7bf-41f9-829a-9075ffac45c2;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kasidet](https://attack.mitre.org/software/S0088) has the ability to search for a given process name in processes currently running in the system.(Citation: Zscaler Kasidet)";
dcterms:modified "2020-03-16T17:02:26.253Z"^^xsd:dateTime .
:relationship--e0e492ef-c67d-4a02-be8d-2e9a650ea6f0
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :attack-pattern--830c9528-df21-472c-8c14-a036bf17d665;
dcterms:created "2020-12-03T20:47:09.694Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citation: Accenture HyperStack October 2020)(Citation: ESET Crutch December 2020)";
dcterms:modified "2020-12-04T21:04:06.898Z"^^xsd:dateTime .
:relationship--a3ee84d8-139e-4703-97c9-53cdeea94f66
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) uses cmd.exe to execute commands and custom backdoors.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa
rdf:type stix:Malware;
rdfs:label "HermeticWizard";
dcterms:created "2022-03-25T20:47:06.942Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--6f3caebf-2c07-45de-b2f3-622dc8fcf59e
rdf:type stix:Relationship;
stix:source_ref :course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c;
stix:target_ref :attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92;
dcterms:created "2021-03-29T16:51:26.182Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--8b86fa49-6d13-42b4-bd48-814abfd6793f
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4;
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27;
dcterms:created "2020-06-24T12:42:35.464Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69
rdf:type d3f:OffensiveTechnique;
rdfs:label "Indicator Removal";
dcterms:created "2017-05-31T21:30:55.892Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.";
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime .
:relationship--86c16ccf-cd37-4c5a-822b-034448056066
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed;
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db;
dcterms:created "2020-01-24T14:26:51.389Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--24892996-c220-4d25-92d8-7db597873090
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2022-10-11T19:18:15.522Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Moses Staff](https://attack.mitre.org/groups/G1009) has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)";
dcterms:modified "2022-10-11T19:18:15.522Z"^^xsd:dateTime .
:relationship--ba215171-4b5b-407f-931e-0d97ddb64909
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11;
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
dcterms:created "2022-01-18T18:56:49.708Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: CrowdStrike AQUATIC PANDA December 2021)";
dcterms:modified "2022-01-18T18:56:49.708Z"^^xsd:dateTime .
:relationship--699d04f6-bace-4bf8-af2a-c80c62fcdd23
rdf:type stix:Relationship;
stix:source_ref :campaign--ba6dfa37-f401-4140-88b0-8938f2895e61;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2023-01-04T18:35:19.697Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used its Cloudflare services C2 channels for data exfiltration.(Citation: Mandiant APT41)";
dcterms:modified "2023-01-26T16:43:29.430Z"^^xsd:dateTime .
:relationship--d670ddce-d32a-4165-a56e-5bb183f4c904
rdf:type stix:Relationship;
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2020-06-19T19:08:40.400Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)";
dcterms:modified "2020-06-22T23:46:45.354Z"^^xsd:dateTime .
:relationship--da69efe7-e99e-4d79-a455-c59f4c087b22
rdf:type stix:Relationship;
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946;
stix:target_ref :attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662;
dcterms:created "2019-01-29T17:59:44.519Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) checks processes on the system and if they meet the necessary requirements, it injects into that process.(Citation: GDATA Zeus Panda June 2017)";
dcterms:modified "2020-03-16T19:32:51.125Z"^^xsd:dateTime .
:relationship--61929ceb-3933-46f1-a11b-4d67482b1d59
rdf:type stix:Relationship;
stix:source_ref :malware--f8774023-8021-4ece-9aca-383ac89d2759;
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475;
dcterms:created "2021-01-25T13:58:25.281Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dtrack](https://attack.mitre.org/software/S0567) can collect network and active connection information.(Citation: Securelist Dtrack)";
dcterms:modified "2021-04-26T14:23:04.020Z"^^xsd:dateTime .
:relationship--129d828d-a84b-43dc-afc1-f46d8a25de0a
rdf:type stix:Relationship;
stix:source_ref :malware--083bb47b-02c8-4423-81a2-f9ef58572974;
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88;
dcterms:created "2021-12-08T18:24:25.594Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can use a network scanning module to identify ICS-related ports.(Citation: Gigamon Berserk Bear October 2021)";
dcterms:modified "2021-12-08T18:24:25.594Z"^^xsd:dateTime .
:malware--5763217a-05b6-4edd-9bca-057e47b5e403
rdf:type stix:Malware;
rdfs:label "ShimRat";
dcterms:created "2020-05-12T21:28:20.934Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--98c5b069-4550-4e12-98b9-701761c4a39a
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471;
dcterms:created "2023-03-08T22:41:29.185Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for abnormal command execution from otherwise non-executable file types (such as `.txt` and `.jpg`). ";
dcterms:modified "2023-04-11T22:43:44.996Z"^^xsd:dateTime .
:relationship--4cc39e53-3498-4ecc-a316-603f3a47dbf6
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1;
dcterms:created "2022-05-06T14:49:39.254Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.\n\nDetection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)";
dcterms:modified "2022-05-06T14:49:39.254Z"^^xsd:dateTime .
:relationship--f47a9039-b5c0-49e5-9998-2820b075643f
rdf:type stix:Relationship;
stix:source_ref :tool--115f88dd-0618-4389-83cb-98d33ae81848;
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619;
dcterms:created "2020-05-12T21:44:41.005Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.(Citation: FOX-IT May 2016 Mofang)";
dcterms:modified "2020-05-15T18:47:04.386Z"^^xsd:dateTime .
:relationship--cca195e2-b748-4881-b2bf-e6b3b993b460
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1;
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab;
dcterms:created "2019-05-24T17:02:44.393Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WIRTE](https://attack.mitre.org/groups/G0090) has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019)";
dcterms:modified "2022-04-15T17:04:28.702Z"^^xsd:dateTime .
:relationship--f813e8ab-96d7-4880-a3c2-50e164d4bd66
rdf:type stix:Relationship;
stix:source_ref :campaign--4553292d-12c6-4a93-934d-12160370d4e0;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-09-16T21:36:39.578Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), malicious files were decoded prior to execution.(Citation: McAfee Honeybee)";
dcterms:modified "2022-09-16T21:36:39.578Z"^^xsd:dateTime .
:relationship--4b314d34-1e53-46a4-a3b8-131a19b256d6
rdf:type stix:Relationship;
stix:source_ref :malware--d906e6f7-434c-44c0-b51a-ed50af8f7945;
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735;
dcterms:created "2019-06-05T17:05:57.768Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[njRAT](https://attack.mitre.org/software/S0385) can identify remote hosts on connected networks.(Citation: Fidelis njRAT June 2013)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ccdab928-86cd-4e6d-b477-0ec156f6105a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf;
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3;
dcterms:created "2022-02-18T15:21:51.169Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has registered multiple domains to facilitate payload staging and C2.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)";
dcterms:modified "2022-02-21T15:11:39.858Z"^^xsd:dateTime .
:relationship--c9fa803b-3d37-49bc-b0b3-ec409ad372fa
rdf:type stix:Relationship;
stix:source_ref :malware--94d6d788-07bb-4dcc-b62f-e02626b00108;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2021-10-11T15:50:26.291Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SodaMaster](https://attack.mitre.org/software/S0627) can search a list of running processes.(Citation: Securelist APT10 March 2021)";
dcterms:modified "2021-10-11T15:50:26.291Z"^^xsd:dateTime .
:relationship--201802a3-afae-4c10-a125-0fc4fd62f1d2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826;
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47;
dcterms:created "2023-09-06T15:06:34.897Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Bitdefender Sardonic Aug 2021)";
dcterms:modified "2023-09-19T13:34:13.634Z"^^xsd:dateTime .
:relationship--ea71022e-7f2a-4065-9cb1-304f85dbaf6d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735;
dcterms:created "2019-07-19T17:27:02.530Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [NBTscan](https://attack.mitre.org/software/S0590) to identify available NetBIOS name servers over the network as well as <code>ping</code> to identify remote systems.(Citation: Cybereason Soft Cell June 2019)";
dcterms:modified "2021-03-17T16:14:44.277Z"^^xsd:dateTime .
:relationship--d75dcb5a-4997-4d2f-b1ba-815ebae54478
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2022-06-09T15:40:26.451Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ember Bear](https://attack.mitre.org/groups/G1003) had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T15:40:26.451Z"^^xsd:dateTime .
:relationship--f2dfe70c-701e-4cda-997f-12b91f7eb288
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5;
stix:target_ref :attack-pattern--7de1f7ac-5d0c-4c9c-8873-627202205331;
dcterms:created "2022-08-03T03:24:18.036Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (`Schannel`, associated with SSL/TLS) is highlighted as the `Logon Process` associated with an EID 4624 logon event.(Citation: SpecterOps Certified Pre Owned)";
dcterms:modified "2022-10-21T20:32:29.699Z"^^xsd:dateTime .
:relationship--535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9
rdf:type stix:Relationship;
stix:source_ref :malware--083bb47b-02c8-4423-81a2-f9ef58572974;
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) injects itself into explorer.exe.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--a8b39fac-bfe0-49c0-957f-8b8ebe2088c1
rdf:type stix:Relationship;
stix:source_ref :malware--532c6004-b1e8-415b-9516-f7c14ba783b1;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2021-09-28T18:53:02.507Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MarkiRAT](https://attack.mitre.org/software/S0652) can masquerade as <code>update.exe</code> and <code>svehost.exe</code>; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)";
dcterms:modified "2021-10-15T15:03:46.308Z"^^xsd:dateTime .
:relationship--e58cc6e6-cc6c-4a31-9056-e24c8071c736
rdf:type stix:Relationship;
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc;
stix:target_ref :attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0;
dcterms:created "2020-10-20T03:34:45.501Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--98fd9ed1-abf3-4e2f-b071-8aea2dc44a64
rdf:type stix:Relationship;
stix:source_ref :malware--aad11e34-02ca-4220-91cd-2ed420af4db3;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2020-05-04T19:13:35.457Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HotCroissant](https://attack.mitre.org/software/S0431) can remotely open applications on the infected host with the <code>ShellExecuteA</code> command.(Citation: Carbon Black HotCroissant April 2020)";
dcterms:modified "2020-05-04T19:13:35.457Z"^^xsd:dateTime .
:relationship--21d94923-38bb-489d-bc6a-23e03fef7b91
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80;
stix:target_ref :malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2;
dcterms:created "2020-05-28T14:00:25.604Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Unit 42 MechaFlounder March 2019)";
dcterms:modified "2020-05-28T14:00:25.604Z"^^xsd:dateTime .
:attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89
rdf:type d3f:OffensiveTechnique;
rdfs:label "Firmware Corruption";
dcterms:created "2019-04-12T18:28:15.451Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). ";
dcterms:modified "2022-08-31T17:30:05.440Z"^^xsd:dateTime .
:relationship--44cc2a12-21bd-405d-b3d4-ebbf03e28722
rdf:type stix:Relationship;
stix:source_ref :course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c;
stix:target_ref :attack-pattern--ca205a36-c1ad-488b-aa6c-ab34bdd3a36b;
dcterms:created "2019-07-18T17:56:46.196Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. ";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a1c62ce5-2f11-415f-bca1-c9021530c090
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2019-02-21T21:17:37.986Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has utilized AutoIt and custom scripts to perform internal reconnaissance.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)";
dcterms:modified "2021-10-12T23:00:49.645Z"^^xsd:dateTime .
:relationship--48e3f4e2-0506-4b5c-b40c-2c6edc92b0a5
rdf:type stix:Relationship;
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53;
stix:target_ref :attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91;
dcterms:created "2020-09-25T17:35:36.444Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 Valak July 2020)";
dcterms:modified "2020-09-25T17:35:36.444Z"^^xsd:dateTime .
:relationship--29e9bfd8-e2d3-4e25-8683-6605d99538de
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf;
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5;
dcterms:created "2020-08-31T15:06:48.172Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)";
dcterms:modified "2020-08-31T15:06:48.172Z"^^xsd:dateTime .
:relationship--18ba352d-274c-4cb5-8916-d95035a2423c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6;
stix:target_ref :attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e;
dcterms:created "2023-04-10T17:14:00.713Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has hosted malicious payloads on Dropbox.(Citation: Kaspersky LuminousMoth July 2021)";
dcterms:modified "2023-04-10T17:14:00.713Z"^^xsd:dateTime .
:relationship--e41eea8b-20d6-4050-96e6-6b59670f6e65
rdf:type stix:Relationship;
stix:source_ref :malware--979adb5a-dc30-48f0-9e3d-9a26d866928c;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2021-03-12T18:46:47.265Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sibot](https://attack.mitre.org/software/S0589) has modified the Registry to install a second-stage script in the <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot</code>.(Citation: MSTIC NOBELIUM Mar 2021)";
dcterms:modified "2023-03-26T20:12:57.204Z"^^xsd:dateTime .
:relationship--f3b8a97f-4e9c-4190-be08-467d136fc943
rdf:type stix:Relationship;
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472;
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada;
dcterms:created "2020-03-20T23:11:09.649Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CHOPSTICK](https://attack.mitre.org/software/S0023) encrypts C2 communications with TLS.(Citation: ESET Sednit Part 2)";
dcterms:modified "2020-03-20T23:11:09.649Z"^^xsd:dateTime .
:relationship--0927eb00-4a08-4ed1-8678-84d6e1e87b98
rdf:type stix:Relationship;
stix:source_ref :course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d;
stix:target_ref :attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b;
dcterms:created "2020-03-15T16:03:39.245Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Consider filtering network traffic to untrusted or known bad domains and resources. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6d8147e4-fca3-4348-9376-dd96cc7b9e30
rdf:type stix:Relationship;
stix:source_ref :malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2020-05-06T21:31:07.554Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Okrum](https://attack.mitre.org/software/S0439) can collect the victim username.(Citation: ESET Okrum July 2019)";
dcterms:modified "2020-05-06T21:31:07.554Z"^^xsd:dateTime .
:malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7
rdf:type stix:Malware;
rdfs:label "OSX/Shlayer";
dcterms:created "2019-08-29T18:52:20.879Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)";
dcterms:modified "2023-08-30T16:28:36.699Z"^^xsd:dateTime .
:relationship--ede8d04b-ac86-4210-af8c-52bb75fef6f3
rdf:type stix:Relationship;
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db;
stix:target_ref :attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302;
dcterms:created "2019-07-18T17:31:27.470Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--8996ab0b-8bc5-4c17-9bd5-a29b6c771f62
rdf:type stix:Relationship;
stix:source_ref :campaign--ba6dfa37-f401-4140-88b0-8938f2895e61;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2022-12-20T19:51:29.692Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used file names beginning with USERS, SYSUSER, and SYSLOG for [DEADEYE](https://attack.mitre.org/software/S1052), and changed [KEYPLUG](https://attack.mitre.org/software/S1051) file extensions from .vmp to .upx likely to avoid hunting detections.(Citation: Mandiant APT41)";
dcterms:modified "2023-01-25T21:09:14.791Z"^^xsd:dateTime .
:relationship--ba7fad22-26af-43f1-a120-6a4d4269d9ab
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133;
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377;
dcterms:created "2020-12-18T16:54:50.273Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has executed base64 encoded PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)";
dcterms:modified "2023-03-22T04:40:20.070Z"^^xsd:dateTime .
:relationship--502d4200-719b-4b42-8221-0ecd0ed0d6e7
rdf:type stix:Relationship;
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2022-08-24T19:57:43.105Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bumblebee](https://attack.mitre.org/software/S1039) can identify specific analytical tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)";
dcterms:modified "2022-09-06T13:43:26.336Z"^^xsd:dateTime .
:relationship--2fb450c6-e236-4b81-b5ac-a9d4be0cf167
rdf:type stix:Relationship;
stix:source_ref :malware--76abb3ef-dafd-4762-97cb-a35379429db4;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)";
dcterms:modified "2020-03-17T01:22:43.612Z"^^xsd:dateTime .
:relationship--833c9993-3551-45af-9bbd-413de2d4dac3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2022-01-18T18:04:47.164Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)";
dcterms:modified "2022-01-18T18:04:47.164Z"^^xsd:dateTime .
:relationship--e40a416e-ca15-4c15-b469-20549b81e6bd
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2020-08-27T17:29:05.225Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)";
dcterms:modified "2023-02-06T18:11:56.981Z"^^xsd:dateTime .
:relationship--77b9cc09-ebbe-44cc-86dc-452a9648caef
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8;
dcterms:created "2022-03-30T14:26:51.850Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--dfeef37f-a2da-4e85-addb-2bace5fd2de5
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e;
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--1525d82a-05a7-4027-9d2d-02f8039d68b5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2022-03-22T15:32:50.210Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021)";
dcterms:modified "2022-04-15T17:25:01.727Z"^^xsd:dateTime .
:relationship--03aece39-d7a2-47a4-be1a-b1d6f1d72654
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6;
stix:target_ref :attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b;
dcterms:created "2023-02-23T18:19:34.153Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021)";
dcterms:modified "2023-04-10T16:01:14.160Z"^^xsd:dateTime .
:relationship--26c10016-0df4-4dc0-a74b-4b0d51876965
rdf:type stix:Relationship;
stix:source_ref :malware--4f1c389e-a80e-4a3e-9b0e-9be8c91df64f;
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd;
dcterms:created "2021-04-06T15:53:34.982Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Doki](https://attack.mitre.org/software/S0600) has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.(Citation: Intezer Doki July 20)";
dcterms:modified "2021-04-09T13:34:40.215Z"^^xsd:dateTime .
:relationship--cbf9284f-2f47-4d1f-b708-861b0e1e85b5
rdf:type stix:Relationship;
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad;
stix:target_ref :attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b;
dcterms:created "2020-06-19T21:25:43.678Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-06-29T21:37:55.984Z"^^xsd:dateTime .
:relationship--81a6a1c2-a834-47ed-ba5e-3048c62115ff
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215;
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27;
dcterms:created "2022-03-04T18:30:39.100Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--f04dbb1e-bf75-4eee-9222-374c704bc07b
rdf:type stix:Relationship;
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a;
stix:target_ref :attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118;
dcterms:created "2022-06-09T14:48:40.963Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleSpy Jan 2022)";
dcterms:modified "2022-06-09T14:48:40.963Z"^^xsd:dateTime .
:relationship--2c7ff110-3d42-4e1c-b53f-449fa6cc6ab9
rdf:type stix:Relationship;
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96;
stix:target_ref :attack-pattern--27960489-4e7f-461d-a62a-f5c0cb521e4a;
dcterms:created "2019-08-30T12:55:58.775Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.(Citation: Microsoft Azure AD Admin Consent)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0bb1573c-f30f-449c-931e-c5de024e96f8
rdf:type stix:Relationship;
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0;
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062;
dcterms:created "2021-04-25T21:45:21.073Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021)";
dcterms:modified "2021-04-25T21:45:21.073Z"^^xsd:dateTime .
:relationship--8e2b7383-c6dc-40c1-bb88-3176ff98c9dc
rdf:type stix:Relationship;
stix:source_ref :malware--3ae6097d-d700-46c6-8b21-42fc0bcb48fa;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2020-12-23T13:37:53.541Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DropBook](https://attack.mitre.org/software/S0547) can unarchive data downloaded from the C2 to obtain the payload and persistence modules.(Citation: Cybereason Molerats Dec 2020) ";
dcterms:modified "2020-12-23T13:37:53.541Z"^^xsd:dateTime .
:relationship--747c6b21-0916-43ee-9655-937cc9e9f0ab
rdf:type stix:Relationship;
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46;
stix:target_ref :attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53;
dcterms:created "2021-07-07T01:57:06.451Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)";
dcterms:modified "2021-09-20T17:42:18.690Z"^^xsd:dateTime .
:relationship--c0792868-a5da-4486-9b3b-cefbc2667e54
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2021-03-05T18:54:56.747Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Higaisa](https://attack.mitre.org/groups/G0126) added a spoofed binary to the start-up folder for persistence.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)";
dcterms:modified "2021-03-05T18:54:56.747Z"^^xsd:dateTime .
:relationship--44858dc2-c869-42a0-8f67-3ddd9660b538
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662;
stix:target_ref :tool--2fab555f-7664-4623-b4e0-1675ae38190b;
dcterms:created "2017-05-31T21:33:27.037Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Mandiant APT1)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--147cd553-fd25-46ea-83ed-594cdb82c440
rdf:type stix:Relationship;
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2023-02-14T18:29:52.943Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve a list of user accounts and usernames from an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2022)";
dcterms:modified "2023-02-14T18:29:52.943Z"^^xsd:dateTime .
:intrusion-set--94873029-f950-4268-9cfd-5032e15cb182
rdf:type stix:IntrusionSet;
rdfs:label "TA551";
dcterms:created "2021-03-19T21:04:00.692Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)";
dcterms:modified "2023-03-22T05:40:21.255Z"^^xsd:dateTime .
:relationship--9774fd36-2d85-4570-9f63-97f2d6c1ca6c
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49;
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4;
dcterms:created "2020-03-27T21:08:25.409Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--591c9a90-95e5-44cc-8a16-2d972c7174e9
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8;
dcterms:created "2022-03-30T14:26:51.867Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--ecb0d858-dd15-4181-b15b-76459db1d294
rdf:type stix:Relationship;
stix:source_ref :malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc;
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Hi-Zor](https://attack.mitre.org/software/S0087) executes using regsvr32.exe called from the [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001) persistence mechanism.(Citation: Fidelis INOCNATION)";
dcterms:modified "2021-02-09T14:57:16.183Z"^^xsd:dateTime .
:relationship--e6884060-8245-46ff-b71f-025c6a82eb3f
rdf:type stix:Relationship;
stix:source_ref :malware--f72251cb-2be5-421f-a081-99c29a1209e7;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacSpy](https://attack.mitre.org/software/S0282) captures keystrokes.(Citation: objsee mac malware 2017)";
dcterms:modified "2020-03-16T17:10:02.084Z"^^xsd:dateTime .
:malware--251fbae2-78f6-4de7-84f6-194c727a64ad
rdf:type stix:Malware;
rdfs:label "Lurid";
dcterms:created "2017-05-31T21:32:14.527Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e465cb38-ba50-4d2d-b2cd-659742815317
rdf:type stix:Relationship;
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570;
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec;
dcterms:created "2021-06-11T19:27:09.116Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can find and collect data from removable media devices.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)";
dcterms:modified "2022-04-18T17:53:22.381Z"^^xsd:dateTime .
:relationship--2df6acb7-87cc-49be-9cd6-6adbdfdd773f
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee;
stix:target_ref :attack-pattern--144e007b-e638-431d-a894-45d90c54ab90;
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for the unexpected changes to cloud block storage volumes . To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--4269e5cb-b2ad-4757-b0b0-bfd5e8b7dc38
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af;
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928;
dcterms:created "2022-08-19T19:21:57.754Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)";
dcterms:modified "2022-08-19T19:21:57.754Z"^^xsd:dateTime .
:relationship--1be18787-844d-4135-9781-e5b6a8e76d14
rdf:type stix:Relationship;
stix:source_ref :tool--7cd0bc75-055b-4098-a00e-83dc8beaff14;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2019-01-29T18:55:20.763Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Remcos](https://attack.mitre.org/software/S0332) can add itself to the Registry key <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> for persistence.(Citation: Fortinet Remcos Feb 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--a4346806-c7aa-4fa4-896d-a279ceeaf487
rdf:type stix:Relationship;
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2023-03-26T15:11:14.242Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `cmd.exe` to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)";
dcterms:modified "2023-03-26T15:11:14.242Z"^^xsd:dateTime .
:relationship--55ec954d-e553-4055-bc56-56b9dd0c433f
rdf:type stix:Relationship;
stix:source_ref :malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb;
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f;
dcterms:created "2023-09-06T14:21:40.920Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `net view` command.(Citation: Bitdefender Sardonic Aug 2021)";
dcterms:modified "2023-09-19T13:34:13.639Z"^^xsd:dateTime .
:relationship--f837c70e-984e-4681-ab3a-0ad4ad1a512f
rdf:type stix:Relationship;
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2021-11-29T19:16:55.963Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) can create a service to establish persistence.(Citation: Trend Micro Iron Tiger April 2021)";
dcterms:modified "2021-11-29T19:16:55.963Z"^^xsd:dateTime .
:relationship--56d023cf-4390-40d9-afc6-cb0d40b4cdd1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643;
dcterms:created "2017-05-31T21:33:27.040Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)";
dcterms:modified "2019-12-20T14:26:00.564Z"^^xsd:dateTime .
:relationship--1f1de0ea-581b-4b41-953f-1b8f552f84e7
rdf:type stix:Relationship;
stix:source_ref :course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3;
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4;
dcterms:created "2020-03-29T17:17:31.571Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--80d612e4-8d4a-45f7-8c29-d44a1aae794c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073;
dcterms:created "2019-01-30T17:33:40.871Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--8b0e9de1-a7b0-479e-aee7-76f2549508c6
rdf:type stix:Relationship;
stix:source_ref :malware--d69c8146-ab35-4d50-8382-6fc80e641d43;
stix:target_ref :attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.(Citation: FireEye APT17)(Citation: FireEye Periscope March 2018)";
dcterms:modified "2020-03-20T21:04:48.996Z"^^xsd:dateTime .
:relationship--391c4e76-2560-4a05-9024-1e16b4cdd3ae
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb;
dcterms:created "2022-03-30T14:26:51.876Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)";
dcterms:modified "2022-03-30T14:26:51.876Z"^^xsd:dateTime .
:attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f
rdf:type d3f:OffensiveTechnique;
rdfs:label "Identify Business Tempo";
dcterms:created "2020-10-02T16:34:32.435Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--926f0751-679b-474e-acd0-06e485afd9f5
rdf:type stix:Relationship;
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2022-08-18T15:34:15.069Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022)";
dcterms:modified "2022-10-14T15:23:17.972Z"^^xsd:dateTime .
:relationship--9453d60b-4f3f-494f-985d-e29094ef8945
rdf:type stix:Relationship;
stix:source_ref :malware--fde50aaa-f5de-4cb8-989a-babb57d6a704;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Net Crawler](https://attack.mitre.org/software/S0056) uses [PsExec](https://attack.mitre.org/software/S0029) to perform remote service manipulation to execute a copy of itself as part of lateral movement.(Citation: Cylance Cleaver)";
dcterms:modified "2022-07-22T18:37:22.200Z"^^xsd:dateTime .
:relationship--ed91791b-8e5a-4e0c-b77c-6fad78be7378
rdf:type stix:Relationship;
stix:source_ref :malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "There is a variant of [RATANKBA](https://attack.mitre.org/software/S0241) that uses a PowerShell script instead of the traditional PE form.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)";
dcterms:modified "2020-09-02T18:46:33.031Z"^^xsd:dateTime .
:relationship--180f0c7c-c7bb-4131-b831-f406ee0516e2
rdf:type stix:Relationship;
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some [Bisonal](https://attack.mitre.org/software/S0268) samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ";
dcterms:modified "2022-04-18T18:11:05.542Z"^^xsd:dateTime .
:relationship--277532f0-8f01-4b9d-b59a-3c993f5e528d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2023-09-26T18:38:56.338Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used plugins to execute PowerShell scripts.(Citation: MoustachedBouncer ESET August 2023)";
dcterms:modified "2023-09-26T18:38:56.338Z"^^xsd:dateTime .
:tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4
rdf:type stix:Tool;
rdfs:label "Koadic";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--6157e239-92a8-427f-ba9b-2f06f5b03f12
rdf:type stix:Relationship;
stix:source_ref :malware--5719af9d-6b16-46f9-9b28-fb019541ddbb;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2020-11-30T17:38:40.968Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NotPetya](https://attack.mitre.org/software/S0368) determines if specific antivirus programs are running on an infected host machine.(Citation: US District Court Indictment GRU Unit 74455 October 2020)";
dcterms:modified "2020-11-30T17:38:40.968Z"^^xsd:dateTime .
:relationship--4c42863f-8f57-4948-afe3-922a30f193fa
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5;
stix:target_ref :attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9;
dcterms:created "2020-10-01T00:54:30.974Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--b335924f-4bf8-4e47-824d-2010add95615
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705;
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--d4e351be-ccdc-4c51-a52a-b4d6a55cbeca
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5;
dcterms:created "2021-05-18T18:19:23.351Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use `rundll32.exe` to load DLL from the command line.(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)(Citation: Trend Micro Black Basta October 2022)";
dcterms:modified "2023-02-16T18:58:14.848Z"^^xsd:dateTime .
:relationship--5514c844-4f4b-4a07-a98b-60715a1c587f
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71;
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735;
dcterms:created "2022-03-30T14:26:51.865Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for files (such as <code>/etc/hosts</code>) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.\n\nFor Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\\Windows\\System32\\Drivers\\etc\\hosts.\n\nFor Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.";
dcterms:modified "2023-08-14T19:07:51.788Z"^^xsd:dateTime .
:x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6
rdf:type :MitreDataSource;
rdfs:label "Persona";
dcterms:created "2021-10-20T15:05:19.273Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e5fea1b8-e72c-4d5a-84a7-5545bc2f5dc3
rdf:type stix:Relationship;
stix:source_ref :malware--4dea7d8e-af94-4bfb-afe4-7ff54f59308b;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2021-02-17T19:22:30.946Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Conti](https://attack.mitre.org/software/S0575) can utilize command line options to allow an attacker control over how it scans and encrypts files.(Citation: CarbonBlack Conti July 2020)(Citation: DFIR Conti Bazar Nov 2021)";
dcterms:modified "2022-09-30T12:59:47.057Z"^^xsd:dateTime .
:relationship--911d412e-9dd7-49ae-ab6a-a078b44a1791
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f;
stix:target_ref :attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211;
dcterms:created "2020-01-15T16:27:32.733Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--adffe817-2460-49c7-be30-44afea58d7f8
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f;
stix:target_ref :attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e;
dcterms:created "2020-03-24T21:16:16.730Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:course-of-action--cba5667e-e3c6-44a4-811c-266dbc00e440
rdf:type stix:CourseOfAction;
rdfs:label "Extra Window Memory Injection Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)";
dcterms:modified "2021-08-23T20:25:19.367Z"^^xsd:dateTime .
:relationship--851b5150-ad44-4af5-915a-845b3239168d
rdf:type stix:Relationship;
stix:source_ref :malware--a020a61c-423f-4195-8c46-ba1d21abba37;
stix:target_ref :attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee;
dcterms:created "2021-03-29T13:01:52.172Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ryuk](https://attack.mitre.org/software/S0446) can launch <code>icacls <path> /grant Everyone:F /T /C /Q</code> to delete every access-based restrictions on files and directories.(Citation: ANSSI RYUK RANSOMWARE)";
dcterms:modified "2021-03-29T13:01:52.172Z"^^xsd:dateTime .
:relationship--fbb82f95-94fd-4faf-a106-8c7a7191446e
rdf:type stix:Relationship;
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc;
stix:target_ref :attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f;
dcterms:created "2020-10-20T03:37:05.106Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--b91e06c1-9546-4184-9552-ba501bf9182e
rdf:type stix:Relationship;
stix:source_ref :tool--294e2560-bd48-44b2-9da2-833b5588ad11;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ipconfig](https://attack.mitre.org/software/S0100) can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9c203488-e4e0-4e41-8a92-e350eabf6e65
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Lazarus KillDisk)";
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime .
:relationship--7a64941e-c585-4ded-b0d7-2d7f3d71eaa8
rdf:type stix:Relationship;
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de;
stix:target_ref :attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19;
dcterms:created "2021-07-30T21:03:08.929Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the <code>GetTextCharset</code> function.(Citation: Mcafee Clop Aug 2019) ";
dcterms:modified "2021-10-14T20:22:46.968Z"^^xsd:dateTime .
:relationship--58996a9f-ab17-4942-9afd-bb336af9a15b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49;
dcterms:created "2022-03-15T20:02:43.799Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a proprietary tool to intercept one time passwords required for two-factor authentication.(Citation: KISA Operation Muzabi)";
dcterms:modified "2022-04-12T18:26:56.015Z"^^xsd:dateTime .
:relationship--ec5259f2-5a6c-4d42-bf21-f91c2df64f61
rdf:type stix:Relationship;
stix:source_ref :malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541;
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0;
dcterms:created "2020-06-25T18:24:00.644Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WindTail](https://attack.mitre.org/software/S0466) can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)";
dcterms:modified "2020-06-25T18:24:00.644Z"^^xsd:dateTime .
:relationship--ba31b51b-d55c-4047-a3f5-1455bca4caa1
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--e99ec083-abdd-48de-ad87-4dbf6f8ba2a4;
dcterms:created "2019-07-18T15:26:40.751Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--fe1c5e06-ea4b-4286-af2d-984a095f7924
rdf:type stix:Relationship;
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) can search directories for files on the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)";
dcterms:modified "2020-03-17T13:49:31.232Z"^^xsd:dateTime .
:relationship--2c78a913-5b17-4942-a6e9-8bfa4c24149b
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d;
stix:target_ref :attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea;
dcterms:created "2020-03-14T23:23:41.917Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--fe1cd6bf-abca-4032-8c94-15168005e96d
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e;
stix:target_ref :attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2;
dcterms:created "2022-03-30T14:26:51.854Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux.\n\nNotes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including <code>/var/log/secure</code>.";
dcterms:modified "2023-08-23T21:24:09.270Z"^^xsd:dateTime .
:relationship--00490a17-1032-461b-8085-500d56bb80f5
rdf:type stix:Relationship;
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2019-06-05T17:31:22.436Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running services.(Citation: TrendMicro Ursnif Mar 2015)";
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime .
:relationship--9ebc2d8a-a945-4b5d-805f-56e16bcc6676
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783;
dcterms:created "2019-09-23T23:08:25.395Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)";
dcterms:modified "2023-03-23T15:27:10.535Z"^^xsd:dateTime .
:relationship--22301618-a676-4d94-975a-2a56e5a7f919
rdf:type stix:Relationship;
stix:source_ref :malware--e6ef745b-077f-42e1-a37d-29eecff9c754;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CozyCar](https://attack.mitre.org/software/S0046)'s main method of communicating with its C2 servers is using HTTP or HTTPS.(Citation: F-Secure CozyDuke)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--8f40c44c-80c5-4f9d-a467-6b71f646cdf7
rdf:type stix:Relationship;
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-04-13T13:17:13.025Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can collect data and files from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)";
dcterms:modified "2022-04-13T13:17:13.025Z"^^xsd:dateTime .
:relationship--4d7add6f-ebd5-477f-9958-a5176835da2e
rdf:type stix:Relationship;
stix:source_ref :malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee;
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.(Citation: F-Secure The Dukes)";
dcterms:modified "2020-03-19T22:38:12.985Z"^^xsd:dateTime .
:relationship--dbccbeab-26c9-476e-b529-c193f9796cbc
rdf:type stix:Relationship;
stix:source_ref :malware--a8d3d497-2da9-4797-8e0b-ed176be08654;
stix:target_ref :attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Wingbird](https://attack.mitre.org/software/S0176) exploits CVE-2016-4117 to allow an executable to gain escalated privileges.(Citation: Microsoft SIR Vol 21)";
dcterms:modified "2020-02-11T19:39:04.054Z"^^xsd:dateTime .
:malware--21583311-6321-4891-8a37-3eb4e57b0fb1
rdf:type stix:Malware;
rdfs:label "xCaon";
dcterms:created "2021-09-29T00:04:26.906Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)";
dcterms:modified "2021-10-16T02:20:16.562Z"^^xsd:dateTime .
:relationship--d7836be5-6c99-4a14-90ca-e342455516ab
rdf:type stix:Relationship;
stix:source_ref :campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-09-26T21:48:13.506Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors relied on victims executing malicious Microsoft Word or PDF files.(Citation: McAfee Sharpshooter December 2018) ";
dcterms:modified "2022-09-26T21:48:13.506Z"^^xsd:dateTime .
:relationship--f528d6d4-7118-48f4-a875-310a2f511900
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0;
stix:target_ref :malware--d906e6f7-434c-44c0-b51a-ed50af8f7945;
dcterms:created "2023-09-15T20:13:08.233Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)";
dcterms:modified "2023-09-15T20:14:41.009Z"^^xsd:dateTime .
:relationship--6de233bc-efe2-4dbd-b0a6-994d45f6bc23
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e;
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928;
dcterms:created "2021-08-18T18:22:07.864Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--b9ed3f57-0331-431a-96ff-b536c966aa6d
rdf:type stix:Relationship;
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5;
stix:target_ref :attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) variants can add malicious DLL modules as new services.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
rdf:type d3f:OffensiveTechnique;
rdfs:label "Sharepoint";
dcterms:created "2020-02-14T13:35:32.938Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--331da7a8-d1ad-4feb-892a-c440aa5eb810
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2021-10-01T01:57:31.713Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)";
dcterms:modified "2022-10-19T19:39:12.869Z"^^xsd:dateTime .
:relationship--8d7957af-a314-4e12-bde6-6148e234ff58
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0;
stix:target_ref :attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e;
dcterms:created "2020-02-11T19:09:48.749Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--75fcbeab-4f32-4e6d-a02a-9d5509fd4c4f
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b;
dcterms:created "2019-04-23T16:12:37.610Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) contains modules, such as <code>Get-LocAdm</code> for enumerating permission groups.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-18T22:54:27.969Z"^^xsd:dateTime .
:relationship--4ca73e82-4e56-4044-a21a-d613a80f171c
rdf:type stix:Relationship;
stix:source_ref :malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2023-09-21T22:50:57.499Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the `rotate` function in reporting.(Citation: Unit42 OceanLotus 2017)";
dcterms:modified "2023-09-21T22:50:57.499Z"^^xsd:dateTime .
:relationship--5221fc94-cddd-416a-b027-67bc7a68ced1
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337;
stix:target_ref :attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2;
dcterms:created "2020-10-01T00:48:09.642Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6d887394-6007-451e-beb9-0ce76b58ebc3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :tool--79dd477a-8226-4b3d-ad15-28623675f221;
dcterms:created "2022-02-08T16:13:42.116Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: TeamTNT Cloud Enumeration)";
dcterms:modified "2022-02-08T16:13:42.116Z"^^xsd:dateTime .
:relationship--8ecc61b0-c0b9-4f3a-a6b4-53c88e1d9bb7
rdf:type stix:Relationship;
stix:source_ref :malware--751b77e6-af1f-483b-93fe-eddf17f92a64;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2021-02-10T19:41:52.619Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) has a command to modify a Registry key.(Citation: ClearSky Lebanese Cedar Jan 2021)";
dcterms:modified "2021-02-10T19:41:52.619Z"^^xsd:dateTime .
:relationship--7aea964a-cd9b-471e-bc7b-2a270c974289
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c;
stix:target_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--f8aff281-c6e4-47fd-8111-d1720126b49b
rdf:type stix:Relationship;
stix:source_ref :course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb;
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4;
dcterms:created "2020-10-20T17:59:21.323Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) ";
dcterms:modified "2020-10-22T16:35:54.421Z"^^xsd:dateTime .
:relationship--50f39180-6e5a-476b-b18f-d4e09e83c9d9
rdf:type stix:Relationship;
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can use HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)";
dcterms:modified "2020-06-22T17:54:15.482Z"^^xsd:dateTime .
:relationship--e68684df-28b4-4f06-b553-cacf14866605
rdf:type stix:Relationship;
stix:source_ref :malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ChChes](https://attack.mitre.org/software/S0144) copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).(Citation: PWC Cloud Hopper Technical Annex April 2017)";
dcterms:modified "2023-03-23T15:14:18.650Z"^^xsd:dateTime .
:relationship--e46d31bf-23d8-4464-96e8-aee04f745921
rdf:type stix:Relationship;
stix:source_ref :malware--efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2021-11-30T19:26:17.245Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gelsemium](https://attack.mitre.org/software/S0666) has the ability to compress its components.(Citation: ESET Gelsemium June 2021)";
dcterms:modified "2021-11-30T19:26:17.245Z"^^xsd:dateTime .
:malware--bdee9574-7479-4073-a7dc-e86d8acd073a
rdf:type stix:Malware;
rdfs:label "MacMa";
dcterms:created "2022-05-06T01:29:34.860Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)";
dcterms:modified "2022-10-24T18:52:29.002Z"^^xsd:dateTime .
:relationship--e91c647e-7076-4290-b7c4-017822fdfd59
rdf:type stix:Relationship;
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2021-09-22T21:17:31.982Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used <code>net.exe user</code> and <code>net.exe users</code> to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)";
dcterms:modified "2021-09-23T13:29:34.251Z"^^xsd:dateTime .
:relationship--8d5a5b8c-48a3-4d1c-bb39-89fd4a03bd15
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c;
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db;
dcterms:created "2020-01-24T13:40:47.476Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--b033e131-e448-46c6-815b-b86e4bd6d638
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT19](https://attack.mitre.org/groups/G0073) attempted to get users to launch malicious attachments delivered via spearphishing emails.(Citation: FireEye APT19)";
dcterms:modified "2020-03-12T00:28:05.750Z"^^xsd:dateTime .
:relationship--97aea4a9-1016-40d0-8869-9b4c4d4eec72
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11;
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
dcterms:created "2022-01-18T18:07:56.219Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)";
dcterms:modified "2022-01-18T18:07:56.219Z"^^xsd:dateTime .
:tool--115f88dd-0618-4389-83cb-98d33ae81848
rdf:type stix:Tool;
rdfs:label "ShimRatReporter";
dcterms:created "2020-05-12T21:29:48.294Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0d2a66c5-fb8e-4cbb-9526-579b5c9c881c
rdf:type stix:Relationship;
stix:source_ref :malware--876f6a77-fbc5-4e13-ab1a-5611986730a3;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the system time during installation.(Citation: Palo Alto T9000 Feb 2016)";
dcterms:modified "2020-03-30T03:07:37.770Z"^^xsd:dateTime .
:relationship--feb4ca91-caee-41ae-a955-3c435cc058e0
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee;
dcterms:created "2021-01-25T14:25:12.679Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--02e4c930-ffc1-4bcb-a989-12db90671f90
rdf:type stix:Relationship;
stix:source_ref :malware--4b072c90-bc7a-432b-940e-016fc1c01761;
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Keydnap](https://attack.mitre.org/software/S0276) uses a copy of tor2web proxy for HTTPS communications.(Citation: synack 2016 review)";
dcterms:modified "2020-01-17T19:44:36.672Z"^^xsd:dateTime .
:relationship--8720f2bc-c099-4d2c-a9b4-faf019bf55a4
rdf:type stix:Relationship;
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2019-01-31T00:36:41.003Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) can download files and execute them on the victim’s machine.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) ";
dcterms:modified "2022-01-06T19:47:22.700Z"^^xsd:dateTime .
:relationship--5d0c84c6-1f4b-4adf-924a-7b5489bd0933
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3;
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c;
dcterms:created "2020-02-25T19:19:09.960Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.(Citation: Windows RDP Sessions)";
dcterms:modified "2020-05-20T13:33:51.038Z"^^xsd:dateTime .
:relationship--b32b4e03-1469-4a70-8d0b-cd3344e92b3f
rdf:type stix:Relationship;
stix:source_ref :malware--8dbadf80-468c-4a62-b817-4e4d8b606887;
stix:target_ref :attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9;
dcterms:created "2019-05-14T17:08:39.345Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[StoneDrill](https://attack.mitre.org/software/S0380) can wipe the master boot record of an infected computer.(Citation: Symantec Elfin Mar 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ded85906-e996-45cd-ae64-82adc22397e3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772;
stix:target_ref :malware--f5352566-1a64-49ac-8f7f-97e1d1a03300;
dcterms:created "2017-05-31T21:33:27.078Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2018-04-18T17:59:24.739Z"^^xsd:dateTime .
:relationship--cbbaed8a-28ce-4cea-bbb9-ea200dcf9e66
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e;
stix:target_ref :attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0;
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "If infrastructure or patterns in malware, tooling, certificates, or malicious web content have been previously identified, internet scanning may uncover when an adversary has staged their capabilities.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as initial access and post-compromise behaviors.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--5047ac79-8ed7-4f22-bfa2-fad8195f72b8
rdf:type stix:Relationship;
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b;
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643;
dcterms:created "2021-06-04T16:28:59.507Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) can detect USB devices.(Citation: EFF Manul Aug 2016)";
dcterms:modified "2021-06-04T16:28:59.507Z"^^xsd:dateTime .
:relationship--8e824b6e-a0b7-4a57-9a7e-89b2c390beec
rdf:type stix:Relationship;
stix:source_ref :malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2022-04-14T20:02:28.417Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PlugX](https://attack.mitre.org/software/S0013) has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022)";
dcterms:modified "2022-04-14T20:02:28.417Z"^^xsd:dateTime .
:relationship--4f41a697-db81-4df8-8b46-a59d294112fa
rdf:type stix:Relationship;
stix:source_ref :campaign--aa73efef-1418-4dbe-b43c-87a498e97234;
stix:target_ref :attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67;
dcterms:created "2023-03-31T17:37:21.531Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) added a login to a SQL Server with `sp_addlinkedsrvlogin`.(Citation: Dragos Crashoverride 2018)";
dcterms:modified "2023-04-07T19:50:30.910Z"^^xsd:dateTime .
:relationship--0afa86ee-1253-4f15-87a8-abb46422313b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4;
stix:target_ref :attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d;
dcterms:created "2023-07-28T16:48:29.357Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.(Citation: Sygnia Elephant Beetle Jan 2022)";
dcterms:modified "2023-07-28T16:48:29.357Z"^^xsd:dateTime .
:relationship--6ea6ad5d-28f1-425c-a2e9-c51a12b14d87
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Honeybee](https://attack.mitre.org/groups/G0072)'s service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5
rdf:type d3f:OffensiveTechnique;
rdfs:label "User Execution";
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--b1ef4ee2-30bc-4f25-9e77-cf9d6cc576a8
rdf:type stix:Relationship;
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2021-05-31T16:31:47.812Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) has a command to get the public IP address from a system.(Citation: CheckPoint Bandook Nov 2020) ";
dcterms:modified "2021-05-31T16:31:47.812Z"^^xsd:dateTime .
:relationship--19198d4f-e858-4288-a7cb-e2ec03134de7
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd;
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. Modification of files considers actions such as renaming and directory moving.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7ac04e64-a09e-4a66-b6ce-047030400045
rdf:type stix:Relationship;
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023;
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8;
dcterms:created "2020-03-19T22:47:20.671Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017)";
dcterms:modified "2020-07-15T18:05:15.624Z"^^xsd:dateTime .
:relationship--ab4d7a1b-2b5a-44b6-a363-363d3f3f6e05
rdf:type stix:Relationship;
stix:source_ref :malware--95e2cbae-d82c-4f7b-b63c-16462015d35d;
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0;
dcterms:created "2021-05-05T13:48:03.687Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LiteDuke](https://attack.mitre.org/software/S0513) can wait 30 seconds before executing additional code if security software is detected.(Citation: ESET Dukes October 2019)";
dcterms:modified "2021-05-05T13:48:03.687Z"^^xsd:dateTime .
:x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256
rdf:type :MitreDataComponent;
rdfs:label "Domain Registration";
dcterms:created "2021-10-20T15:05:19.275Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Information about domain name assignments and other domain metadata (ex: WHOIS)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--736a676f-7a27-4459-9dab-22d214a4db9e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d;
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
dcterms:created "2022-10-17T16:10:10.001Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020)";
dcterms:modified "2022-10-17T16:10:10.001Z"^^xsd:dateTime .
:relationship--9ea7df8f-3720-4153-8090-4f1a18ecefac
rdf:type stix:Relationship;
stix:source_ref :malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2021-07-02T15:57:45.256Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Nebulae](https://attack.mitre.org/software/S0630) can create a service to establish persistence.(Citation: Bitdefender Naikon April 2021)";
dcterms:modified "2021-07-02T15:57:45.256Z"^^xsd:dateTime .
:relationship--33823f15-f43f-41ef-bc14-7dea2ab21acf
rdf:type stix:Relationship;
stix:source_ref :malware--8393dac0-0583-456a-9372-fd81691bca20;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2020-08-24T13:40:23.074Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PipeMon](https://attack.mitre.org/software/S0501) has modified the Registry to store its encrypted payload.(Citation: ESET PipeMon May 2020)";
dcterms:modified "2023-03-26T19:39:13.881Z"^^xsd:dateTime .
:relationship--d22af09f-5536-4416-827c-e401cfae3002
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f;
stix:target_ref :tool--03342581-f790-4f03-ba41-e82e67392e23;
dcterms:created "2019-04-10T15:21:29.533Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Symantec Elfin Mar 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6765828a-168f-4dd7-8c1b-00f7d98daef5
rdf:type stix:Relationship;
stix:source_ref :malware--bdb27a1d-1844-42f1-a0c0-826027ae0326;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2019-05-02T01:07:37.020Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Revenge RAT](https://attack.mitre.org/software/S0379) collects the CPU information, OS information, and system language.(Citation: Cylance Shaheen Nov 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--70b511c9-5a2c-4810-87b6-73dfc648ec29
rdf:type stix:Relationship;
stix:source_ref :course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9;
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1;
dcterms:created "2020-06-23T19:03:15.337Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Anti-virus can be used to automatically quarantine suspicious files. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a581fb2c-604a-4417-b782-cafd76b11c37
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a;
stix:target_ref :attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc;
dcterms:created "2020-10-19T04:16:36.949Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Users can be trained to identify social engineering techniques and spearphishing attempts.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
rdf:type d3f:OffensiveTechnique;
rdfs:label "Create Cloud Instance";
dcterms:created "2020-05-14T14:45:15.978Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a6ef1c3f-291a-4ccb-961b-45a8b92effbe
rdf:type stix:Relationship;
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db;
stix:target_ref :attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb;
dcterms:created "2019-07-18T15:28:31.824Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Whitelist applications via known hashes.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--7c817fbc-5dff-4059-8230-b8040dabde61
rdf:type stix:Relationship;
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc;
stix:target_ref :attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9;
dcterms:created "2021-04-16T03:01:55.663Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--f0a36615-b3eb-47d5-8a2a-9d7429643a0a
rdf:type stix:Relationship;
stix:source_ref :malware--802a874d-7463-4f2a-99e3-6a1f5a919a21;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2023-03-31T20:31:09.627Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Royal](https://attack.mitre.org/software/S1073) can use `GetCurrentProcess` to enumerate processes.(Citation: Cybereason Royal December 2022)";
dcterms:modified "2023-03-31T20:31:09.627Z"^^xsd:dateTime .
:relationship--e7740e58-d87c-44c4-907c-f66b88851ffc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c;
stix:target_ref :tool--b63970b7-ddfb-4aee-97b1-80d335e033a8;
dcterms:created "2021-03-17T16:21:47.087Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020)";
dcterms:modified "2022-04-11T16:21:36.766Z"^^xsd:dateTime .
:relationship--24caab23-239c-4012-bb62-5b843f1ff767
rdf:type stix:Relationship;
stix:source_ref :malware--c113230f-f044-423b-af63-9b63c802f5ae;
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9;
dcterms:created "2022-06-09T19:51:06.415Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OutSteel](https://attack.mitre.org/software/S1017) has relied on a user to click a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T19:51:06.415Z"^^xsd:dateTime .
:relationship--2e165a8a-928e-488e-ad16-afb77a94b460
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2019-01-30T14:26:43.110Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gallmaker](https://attack.mitre.org/groups/G0084) obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--baa9bb45-b4d2-4eea-803f-d2d1126330d4
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c;
stix:target_ref :malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT37 Feb 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--8e7ff07b-7a32-4ced-ac22-b523586dbde3
rdf:type stix:Relationship;
stix:source_ref :malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8;
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Remsec](https://attack.mitre.org/software/S0125) has a package that collects documents from any inserted USB sticks.(Citation: Kaspersky ProjectSauron Technical Analysis)";
dcterms:modified "2020-03-11T17:45:33.708Z"^^xsd:dateTime .
:course-of-action--96150c35-466f-4f0a-97a9-ae87ee27f751
rdf:type stix:CourseOfAction;
rdfs:label "Bootkit Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)";
dcterms:modified "2020-04-23T19:10:28.284Z"^^xsd:dateTime .
:relationship--76ca2629-da20-42ce-95e1-b9f93406a87c
rdf:type stix:Relationship;
stix:source_ref :malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Linfo](https://attack.mitre.org/software/S0211) creates a backdoor through which remote attackers can start a remote shell.(Citation: Symantec Linfo May 2012)";
dcterms:modified "2020-03-20T02:11:07.211Z"^^xsd:dateTime .
:relationship--7ce75658-c5ea-484d-ab1d-2dca045a244b
rdf:type stix:Relationship;
stix:source_ref :malware--59c8a28c-200c-4565-9af1-cbdb24870ba0;
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72;
dcterms:created "2022-03-21T22:57:40.656Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Green Lambert](https://attack.mitre.org/software/S0690) can use DNS for C2 communications.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)";
dcterms:modified "2022-03-21T22:57:40.656Z"^^xsd:dateTime .
:relationship--74fd87b9-3aff-4278-a408-11ae470082e5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) adds a registry key to <code>HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> for persistence.(Citation: Lookout Dark Caracal Jan 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6c42fa31-80df-4d67-92d2-4273c22a4d5b
rdf:type stix:Relationship;
stix:source_ref :malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb;
stix:target_ref :attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a;
dcterms:created "2019-06-28T13:52:51.413Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LightNeuron](https://attack.mitre.org/software/S0395) collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeuron May 2019)";
dcterms:modified "2020-03-17T16:29:51.887Z"^^xsd:dateTime .
:relationship--7a75d200-29f5-4f8a-b052-bcbe4e5ca236
rdf:type stix:Relationship;
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2020-03-02T19:05:18.271Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--5c039dbf-c443-4f9b-b036-fcabaed74a3b
rdf:type stix:Relationship;
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90;
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c;
dcterms:created "2020-11-17T18:39:06.904Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has named a service it establishes on victim machines as \"TaskFrame\" to hide its malicious purpose.(Citation: CISA MAR SLOTHFULMEDIA October 2020) ";
dcterms:modified "2020-11-17T18:39:06.904Z"^^xsd:dateTime .
:relationship--97e31242-661f-4aae-866d-26d32fbb88c4
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1;
stix:target_ref :attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42;
dcterms:created "2022-03-30T14:26:51.860Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)";
dcterms:modified "2022-03-30T14:26:51.860Z"^^xsd:dateTime .
:relationship--1477187e-7bd8-4622-8c2d-e5978c1fd29f
rdf:type stix:Relationship;
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2019-01-30T17:13:11.897Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) can deobfuscate the main backdoor code.(Citation: ClearSky MuddyWater Nov 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--5e4ec089-c86d-4684-9783-af348d4aaa14
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1;
stix:target_ref :attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Dragonfly used remote access services, including VPN and Outlook Web Access (OWA).";
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime .
:attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8
rdf:type d3f:OffensiveTechnique;
rdfs:label "Hide Artifacts";
dcterms:created "2020-02-26T17:41:25.933Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--22af1cbd-a7fd-4d9f-ba15-d640c217603e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd;
dcterms:created "2019-09-23T23:18:23.730Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT41 Aug 2019)";
dcterms:modified "2023-03-23T15:27:10.504Z"^^xsd:dateTime .
:relationship--8303719d-b2ed-4860-9af4-57b636c4f865
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd;
dcterms:created "2019-04-23T12:38:37.626Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for brute forcing local administrator and AD user accounts.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--05a3d203-4b38-4f38-a015-dcfe3bdf9c07
rdf:type stix:Relationship;
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51;
stix:target_ref :attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b;
dcterms:created "2021-02-10T18:41:29.203Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has used user mode rootkit techniques to remain hidden on the system.(Citation: ESET Ebury Oct 2017)";
dcterms:modified "2021-02-10T18:41:29.204Z"^^xsd:dateTime .
:relationship--e79c9756-9b81-4711-8e35-6ea330f152a1
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd;
stix:target_ref :attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e;
dcterms:created "2022-03-30T14:26:51.863Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--3a9117f6-9244-4d09-a69b-43afbb4d2998
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf;
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688;
dcterms:created "2020-06-16T17:53:18.390Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)\t";
dcterms:modified "2020-06-16T17:53:18.390Z"^^xsd:dateTime .
:relationship--3d78512d-1a97-4132-8d8f-cd9ceaf03246
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3;
dcterms:created "2021-06-10T14:42:56.938Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)";
dcterms:modified "2021-06-10T14:42:56.938Z"^^xsd:dateTime .
:relationship--62192379-d052-4618-be33-8511d636c67c
rdf:type stix:Relationship;
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b;
stix:target_ref :attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd;
dcterms:created "2023-03-17T14:56:40.450Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) performed brute force attacks against administrator accounts.(Citation: ESET Lazarus Jun 2020) ";
dcterms:modified "2023-04-07T16:40:27.254Z"^^xsd:dateTime .
:relationship--03a2f02b-ca0c-4366-8880-6cb6015fd722
rdf:type stix:Relationship;
stix:source_ref :malware--d23de441-f9cf-4802-b1ff-f588a11a896b;
stix:target_ref :attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f;
dcterms:created "2022-07-08T14:14:43.779Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CreepySnail](https://attack.mitre.org/software/S1024) can use stolen credentials to authenticate on target networks.(Citation: Microsoft POLONIUM June 2022)";
dcterms:modified "2022-07-25T16:18:35.128Z"^^xsd:dateTime .
:relationship--c5a8316e-f45c-432d-beb3-d8de4785dba3
rdf:type stix:Relationship;
stix:source_ref :malware--03acae53-9b98-46f6-b204-16b930839055;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-04-11T17:18:45.080Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RCSession](https://attack.mitre.org/software/S0662) can collect data from a compromised host.(Citation: Profero APT27 December 2020)(Citation: Trend Micro DRBControl February 2020)";
dcterms:modified "2023-03-26T20:05:38.086Z"^^xsd:dateTime .
:malware--308b3d68-a084-4dfb-885a-3125e1a9c1e8
rdf:type stix:Malware;
rdfs:label "GreyEnergy";
dcterms:created "2019-01-30T13:53:14.264Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--4a419b18-5fb2-43a0-8c0a-6521b8d9de63
rdf:type stix:Relationship;
stix:source_ref :malware--f8dfbc54-b070-4224-b560-79aaa5f835bd;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[H1N1](https://attack.mitre.org/software/S0132) kills and disables services by using cmd.exe.(Citation: Cisco H1N1 Part 2)";
dcterms:modified "2020-03-20T02:27:41.213Z"^^xsd:dateTime .
:relationship--b6a22f6c-e7a4-499e-9732-afb37a4e5254
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99;
dcterms:created "2022-03-30T14:26:51.858Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed processes and/or command-lines that execute logon scripts";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7e7c0aa8-a17e-4079-b1fd-188977cf1a6e
rdf:type stix:Relationship;
stix:source_ref :malware--687c23e4-4e25-4ee7-a870-c5e002511f54;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2020-05-13T19:59:39.312Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DustySky](https://attack.mitre.org/software/S0062) created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)";
dcterms:modified "2020-05-13T19:59:39.312Z"^^xsd:dateTime .
:relationship--ad4a2d0b-a268-4334-903c-153858088138
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e;
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d;
dcterms:created "2021-08-31T15:25:13.471Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019)";
dcterms:modified "2021-08-31T15:25:13.471Z"^^xsd:dateTime .
:x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811
rdf:type :MitreDataComponent;
rdfs:label "Active DNS";
dcterms:created "2021-10-20T15:05:19.275Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--c08ebacd-b5e4-48c3-8ee6-389c635801da
rdf:type stix:Relationship;
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a;
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56;
dcterms:created "2022-06-09T14:44:16.021Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)";
dcterms:modified "2022-06-30T21:25:02.663Z"^^xsd:dateTime .
:relationship--aee0bd8a-1900-448b-bd88-5493f9ed8d28
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1;
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d;
dcterms:created "2020-05-14T21:40:31.248Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sharpshooter](https://attack.mitre.org/groups/G0104) has leveraged embedded shellcode to inject a downloader into the memory of Word.(Citation: McAfee Sharpshooter December 2018)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--fe8a320f-e5e5-4503-8c3a-5c21b628a61d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c;
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim.(Citation: SecureWorks BRONZE UNION June 2017)";
dcterms:modified "2022-04-11T16:27:36.517Z"^^xsd:dateTime .
:relationship--b94e707d-b2f8-4b68-acac-44d3777dd93f
rdf:type stix:Relationship;
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.(Citation: PWC Cloud Hopper Technical Annex April 2017)";
dcterms:modified "2023-03-23T15:14:18.638Z"^^xsd:dateTime .
:attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6
rdf:type d3f:OffensiveTechnique;
rdfs:label "Drive-by Compromise";
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)";
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime .
:relationship--728dce0a-125c-4d66-8622-36d4d909352b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e;
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--eed81627-aed7-477a-91e2-7be09c3d68e6
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64;
dcterms:created "2022-03-30T14:26:51.839Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--1e27ff4a-fa86-46b1-8aea-748ec398b47e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c;
stix:target_ref :malware--8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT37 Feb 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--43ab17df-742f-4bc5-815a-7da2feed73f0
rdf:type stix:Relationship;
stix:source_ref :tool--6a5947f3-1a36-4653-8734-526df3e1d28d;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2023-09-20T18:15:42.222Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AsyncRAT](https://attack.mitre.org/software/S1087) can check the disk size through the values obtained with `DeviceInfo.`(Citation: Telefonica Snip3 December 2021)";
dcterms:modified "2023-09-20T18:36:12.828Z"^^xsd:dateTime .
:relationship--ec456b9e-db3e-44df-8288-adf086a0c0bb
rdf:type stix:Relationship;
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448;
stix:target_ref :attack-pattern--c1b11bf7-c68e-4fbf-a95b-28efbe7953bb;
dcterms:created "2019-06-24T11:01:58.826Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--c87a4238-eaec-4df1-b8b4-3f69aded080a
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129;
stix:target_ref :attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d;
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)";
dcterms:modified "2022-03-30T14:26:51.833Z"^^xsd:dateTime .
:relationship--72b03734-7e03-4cfe-8f0f-2d366febfb79
rdf:type stix:Relationship;
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2019-06-05T17:31:22.358Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015)";
dcterms:modified "2020-03-18T16:10:39.776Z"^^xsd:dateTime .
:relationship--1955e188-265f-41db-aebd-4a7cab2e515b
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705;
stix:target_ref :attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a;
dcterms:created "2021-11-10T09:30:48.736232Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--c257d040-c058-42db-ad75-1abb7b06e616
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :malware--8bdfe255-e658-4ddd-a11c-b854762e451d;
dcterms:created "2020-11-06T19:01:02.254Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cybereason Kimsuky November 2020)";
dcterms:modified "2020-11-06T19:01:02.254Z"^^xsd:dateTime .
:relationship--bd315928-0b74-491c-b526-ee5e1841842b
rdf:type stix:Relationship;
stix:source_ref :malware--94379dec-5c87-49db-b36e-66abc0b81344;
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Derusbi](https://attack.mitre.org/software/S0021) beacons to destination port 443.(Citation: Fidelis Turbo)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--dc0cf30b-ec44-4b5a-8c45-f93e48974a05
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)";
dcterms:modified "2020-03-17T00:09:26.264Z"^^xsd:dateTime .
:relationship--9a8ca137-d0ec-4861-ad1b-0686bf6ac4c9
rdf:type stix:Relationship;
stix:source_ref :course-of-action--a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb;
stix:target_ref :attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0b4cd78b-e0af-4123-b2aa-02ad66cca419
rdf:type stix:Relationship;
stix:source_ref :malware--79499993-a8d6-45eb-b343-bf58dea5bdde;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Briba](https://attack.mitre.org/software/S0204) installs a service pointing to a malicious DLL dropped to disk.(Citation: Symantec Briba May 2012)";
dcterms:modified "2021-02-09T14:56:14.783Z"^^xsd:dateTime .
:relationship--4053d6f5-e594-4b52-96a2-2b7c0fa7d332
rdf:type stix:Relationship;
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses <code>ipconfig /all</code> and <code>route PRINT</code> to identify network adapter and interface information.(Citation: Palo Alto Comnie)";
dcterms:modified "2020-03-17T00:43:32.010Z"^^xsd:dateTime .
:relationship--cdd38074-895f-40e8-85fb-acc1aa4ecb69
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)";
dcterms:modified "2021-03-29T19:54:46.285Z"^^xsd:dateTime .
:relationship--f5cc5037-067a-4e29-90c4-775152d76a8f
rdf:type stix:Relationship;
stix:source_ref :malware--0715560d-4299-4e84-9e20-6e80ab57e4f2;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2022-02-02T13:03:25.614Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Torisma](https://attack.mitre.org/software/S0678) can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address.(Citation: McAfee Lazarus Nov 2020)";
dcterms:modified "2022-04-13T20:21:52.383Z"^^xsd:dateTime .
:relationship--0ef0077e-ee87-4e67-a466-2085a9148fc9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2019-01-31T02:01:45.707Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN4](https://attack.mitre.org/groups/G0085) has used VBA macros to display a dialog box and collect victim credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)";
dcterms:modified "2023-02-01T21:27:44.785Z"^^xsd:dateTime .
:malware--8bdfe255-e658-4ddd-a11c-b854762e451d
rdf:type stix:Malware;
rdfs:label "KGH_SPY";
dcterms:created "2020-11-06T18:58:35.456Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing \"KGH\".(Citation: Cybereason Kimsuky November 2020)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0a507d28-ef6b-417b-a968-e82608e8b6a8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)";
dcterms:modified "2023-01-12T20:29:53.513Z"^^xsd:dateTime .
:relationship--53d7fdab-05fb-4427-b0e0-11463e05b3f3
rdf:type stix:Relationship;
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2021-11-30T16:13:37.290Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can collect system profile information from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)";
dcterms:modified "2022-04-13T13:20:08.961Z"^^xsd:dateTime .
:relationship--23c6c48b-f602-43f9-9c23-d4e46fba9194
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)";
dcterms:modified "2020-03-17T00:51:35.118Z"^^xsd:dateTime .
:relationship--cc89825f-1180-40df-8353-ce8b42a848a5
rdf:type stix:Relationship;
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51;
stix:target_ref :attack-pattern--c1b11bf7-c68e-4fbf-a95b-28efbe7953bb;
dcterms:created "2019-04-23T15:49:35.557Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has hijacked the OpenSSH process by injecting into the existing session as opposed to creating a new session.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c1884e62-7b2e-45a1-89fd-c76b1b717f50
rdf:type stix:Relationship;
stix:source_ref :malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5;
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OwaAuth](https://attack.mitre.org/software/S0072) has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.(Citation: Dell TG-3390)";
dcterms:modified "2021-06-17T19:03:17.474Z"^^xsd:dateTime .
:relationship--283bdd5f-f356-43a2-864c-6f8211073d45
rdf:type stix:Relationship;
stix:source_ref :malware--96566860-9f11-4b6f-964d-1c924e4f24a4;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Starloader](https://attack.mitre.org/software/S0188) decrypts and executes shellcode from a file called Stars.jps.(Citation: Symantec Sowbug Nov 2017)";
dcterms:modified "2020-03-18T16:01:37.932Z"^^xsd:dateTime .
:relationship--90974f03-7f61-479e-bceb-6f26872d4812
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018)";
dcterms:modified "2020-03-23T16:40:20.061Z"^^xsd:dateTime .
:relationship--924b50b9-7de3-4036-b732-c87d08971122
rdf:type stix:Relationship;
stix:source_ref :malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2021-09-07T14:18:54.884Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Crimson](https://attack.mitre.org/software/S0115) can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016)";
dcterms:modified "2021-10-15T14:37:09.926Z"^^xsd:dateTime .
:relationship--d37d5ca7-59f1-4938-83a6-64d30675a386
rdf:type stix:Relationship;
stix:source_ref :malware--64122557-5940-4271-9123-25bfc0c693db;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2020-11-10T19:09:21.275Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Javali](https://attack.mitre.org/software/S0528) has been delivered as malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020)";
dcterms:modified "2020-11-10T19:09:21.275Z"^^xsd:dateTime .
:relationship--8bfac9d6-8d6d-4a2f-9718-4015f231fdae
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2022-03-15T20:02:43.828Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has checked for the presence of antivirus software with <code>powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct</code>.(Citation: KISA Operation Muzabi)";
dcterms:modified "2022-03-15T20:02:43.828Z"^^xsd:dateTime .
:relationship--fed23938-8fbc-4b67-8452-f2f413eed291
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2020-06-10T21:56:40.151Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)";
dcterms:modified "2020-11-25T21:00:57.830Z"^^xsd:dateTime .
:relationship--40356b61-2279-47ef-b7bd-4b355e2fb98a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2;
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735;
dcterms:created "2023-07-31T18:41:12.452Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has used multiple methods, including [Ping](https://attack.mitre.org/software/S0097), to enumerate systems on compromised networks.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)";
dcterms:modified "2023-08-03T20:19:25.596Z"^^xsd:dateTime .
:relationship--d9416afb-0aeb-4ee3-bd96-dc331f40f37d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2020-04-30T20:31:37.999Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) has executed <code>file /bin/pwd</code> on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)";
dcterms:modified "2020-05-01T15:05:46.940Z"^^xsd:dateTime .
:relationship--e342ee2b-d7b6-4a48-a689-06a68efe589e
rdf:type stix:Relationship;
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9;
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58;
dcterms:created "2021-09-30T15:45:56.571Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can enumerate a list of installed programs.(Citation: Group IB Ransomware September 2020)";
dcterms:modified "2021-09-30T15:45:56.571Z"^^xsd:dateTime .
:relationship--774302ff-3ab9-4328-a434-6188efe0928a
rdf:type stix:Relationship;
stix:source_ref :malware--f99f3dcc-683f-4936-8791-075ac5e58f10;
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783;
dcterms:created "2020-05-18T21:01:51.374Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LoudMiner](https://attack.mitre.org/software/S0451) harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019)\t";
dcterms:modified "2020-06-29T23:06:26.175Z"^^xsd:dateTime .
:relationship--3fbe7146-c706-446c-a3ea-6a0704812835
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b;
dcterms:created "2022-03-30T14:26:51.861Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes made to files that may execute their own malicious payloads by hijacking vulnerable file path references.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7b59aa8f-d9d6-4bb5-b2ca-6fc1d36c1550
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2020-12-17T19:40:29.547Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) has used native APIs including <code>GetModuleFileName</code>, <code>lstrcat</code>, <code>CreateFile</code>, and <code>ReadFile</code>.(Citation: Symantec Cicada November 2020)";
dcterms:modified "2020-12-29T16:51:25.615Z"^^xsd:dateTime .
:relationship--ec5caf8f-0fb8-4c3b-bd31-08804ff2214e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7;
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65;
dcterms:created "2022-06-10T17:10:42.165Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LAPSUS$](https://attack.mitre.org/groups/G1004) has used compromised credentials to access cloud assets within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)";
dcterms:modified "2022-10-12T12:57:31.067Z"^^xsd:dateTime .
:relationship--4467fb1b-60fe-4e13-a32a-8c1f60a66782
rdf:type stix:Relationship;
stix:source_ref :malware--cc4c1287-9c86-4447-810c-744f3880ec37;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2021-01-07T20:28:30.072Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Egregor](https://attack.mitre.org/software/S0554) contains functionality to query the local/system time.(Citation: JoeSecurity Egregor 2020)";
dcterms:modified "2021-01-07T20:28:30.072Z"^^xsd:dateTime .
:relationship--6eac5e98-29dd-4dae-8375-b459b87f28c8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3;
stix:target_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc;
dcterms:created "2021-03-30T20:16:51.220Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Malwarebytes Higaisa 2020)(Citation: PTSecurity Higaisa 2020)";
dcterms:modified "2021-03-30T20:16:51.220Z"^^xsd:dateTime .
:relationship--9d7c40f1-44ad-47ec-9a07-bc3b8f2d2cd1
rdf:type stix:Relationship;
stix:source_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593;
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c;
dcterms:created "2020-12-07T20:17:08.002Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Crutch](https://attack.mitre.org/software/S0538) has established persistence with a scheduled task impersonating the Outlook item finder.(Citation: ESET Crutch December 2020)";
dcterms:modified "2020-12-07T20:17:08.002Z"^^xsd:dateTime .
:relationship--12853add-45f8-4dfb-9d64-af39b1575dcf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192;
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928;
dcterms:created "2020-11-25T20:37:53.605Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)";
dcterms:modified "2020-11-25T20:37:53.606Z"^^xsd:dateTime .
:course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266
rdf:type stix:CourseOfAction;
rdfs:label "Vulnerability Scanning";
dcterms:created "2019-06-06T16:47:30.700Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.";
dcterms:modified "2020-07-14T22:22:06.356Z"^^xsd:dateTime .
:relationship--85129fbd-3b2f-4cc5-af3d-1d9c1dd8cdab
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e;
stix:target_ref :attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d;
dcterms:created "2022-07-08T12:42:47.567Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle. ";
dcterms:modified "2022-07-08T12:42:47.567Z"^^xsd:dateTime .
:relationship--50cc59f8-6d62-4140-b5c6-40da528a5e13
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484;
stix:target_ref :malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Symantec Elderwood Sept 2012)";
dcterms:modified "2021-01-06T19:32:28.397Z"^^xsd:dateTime .
:relationship--ed40dd97-0ad0-4501-8f1e-a4bd4625432d
rdf:type stix:Relationship;
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2022-01-05T16:57:22.723Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) can create a new service for execution.(Citation: Talos ZxShell Oct 2014)";
dcterms:modified "2022-01-05T16:57:22.723Z"^^xsd:dateTime .
:relationship--bc70728d-9f56-43df-8580-1d22c829bd14
rdf:type stix:Relationship;
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2022-09-26T15:21:53.140Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) can use Native API for defense evasion, discovery, and collection.(Citation: Bitdefender FunnyDream Campaign November 2020)";
dcterms:modified "2022-09-26T17:46:21.390Z"^^xsd:dateTime .
:relationship--7744eff7-6f61-4e1d-a3be-069a417a9ff6
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7;
dcterms:created "2022-03-30T14:26:51.865Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. [Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions.";
dcterms:modified "2023-08-28T15:00:07.079Z"^^xsd:dateTime .
:relationship--35928199-0073-4000-b2f8-726ab2d41a06
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3;
stix:target_ref :attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59;
dcterms:created "2020-02-21T20:56:06.721Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.";
dcterms:modified "2020-10-27T14:49:39.188Z"^^xsd:dateTime .
:relationship--7ccf3e90-8099-4445-b39f-956d2807189b
rdf:type stix:Relationship;
stix:source_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ROKRAT](https://attack.mitre.org/software/S0240) can send collected files back over same C2 channel.(Citation: Talos ROKRAT)";
dcterms:modified "2022-03-22T17:21:33.393Z"^^xsd:dateTime .
:relationship--14039b88-3e1f-4d21-a0a0-968a15451db1
rdf:type stix:Relationship;
stix:source_ref :course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462;
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65;
dcterms:created "2023-02-21T20:48:13.657Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. ";
dcterms:modified "2023-02-22T14:25:00.238Z"^^xsd:dateTime .
:relationship--3b81ee4f-c583-477f-b2e4-d1801da7bac8
rdf:type stix:Relationship;
stix:source_ref :malware--54a01db0-9fab-4d5f-8209-53cef8425f4a;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2020-09-24T14:35:41.637Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FatDuke](https://attack.mitre.org/software/S0512) can identify the MAC address on the target computer.(Citation: ESET Dukes October 2019)";
dcterms:modified "2020-10-09T16:08:00.601Z"^^xsd:dateTime .
:relationship--496378e6-ab36-4d3b-9ae3-c493a5b56877
rdf:type stix:Relationship;
stix:source_ref :malware--7551188b-8f91-4d34-8350-0d0c57b2b913;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2019-01-29T21:57:39.556Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Elise](https://attack.mitre.org/software/S0081) enumerates processes via the <code>tasklist</code> command.(Citation: Accenture Dragonfish Jan 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--155554a0-2a5b-44e3-9942-562b8b0e30c0
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529;
dcterms:created "2023-10-03T03:36:18.645Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor changes made to configuration files that contain settings for logging and defensive tools.";
dcterms:modified "2023-10-03T03:36:18.645Z"^^xsd:dateTime .
:relationship--9d4aa0d4-b460-4320-8c46-2d6ffbe675af
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f;
stix:target_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b;
dcterms:created "2019-04-10T16:16:23.918Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Symantec Elfin Mar 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--bda95df4-bf1d-4a49-b847-cf4f3fd5f51c
rdf:type stix:Relationship;
stix:source_ref :malware--5e814485-012d-423d-b769-026bfed0f451;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2021-11-22T17:54:11.265Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HyperBro](https://attack.mitre.org/software/S0398) can be delivered encrypted to a compromised host.(Citation: Trend Micro DRBControl February 2020)";
dcterms:modified "2021-11-22T17:54:11.265Z"^^xsd:dateTime .
:attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d
rdf:type d3f:OffensiveTechnique;
rdfs:label "Custom Cryptographic Protocol";
dcterms:created "2017-05-31T21:30:31.197Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.\n\nCustom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.\n\nSome adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ab27d055-77bb-4a3d-89b2-771e532f7384
rdf:type stix:Relationship;
stix:source_ref :malware--e811ff6a-4cef-4856-a6ae-a7daf9ed39ae;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pasam](https://attack.mitre.org/software/S0208) creates a backdoor through which remote attackers can retrieve lists of files.(Citation: Symantec Pasam May 2012)";
dcterms:modified "2020-02-11T19:38:06.237Z"^^xsd:dateTime .
:relationship--630e409c-c874-465c-bbb1-6b7778e2939b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9;
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082;
dcterms:created "2022-08-03T15:23:27.686Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ember Bear](https://attack.mitre.org/groups/G1003) has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-10-14T16:10:37.172Z"^^xsd:dateTime .
:relationship--0a1b48b9-2063-449d-a316-c6760267720f
rdf:type stix:Relationship;
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2022-09-26T13:53:16.527Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically.(Citation: Bitdefender FunnyDream Campaign November 2020)";
dcterms:modified "2022-10-11T12:38:27.953Z"^^xsd:dateTime .
:relationship--396edbf6-41b5-4377-90b6-4967c24de7fb
rdf:type stix:Relationship;
stix:source_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DownPaper](https://attack.mitre.org/software/S0186) collects the victim host name and serial number, and then sends the information to the C2 server.(Citation: ClearSky Charming Kitten Dec 2017)";
dcterms:modified "2020-03-17T00:54:56.983Z"^^xsd:dateTime .
:relationship--3318f441-6593-4a7b-bb7f-53ab15a1a672
rdf:type stix:Relationship;
stix:source_ref :malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573;
stix:target_ref :attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529;
dcterms:created "2020-05-11T22:12:28.674Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MESSAGETAP](https://attack.mitre.org/software/S0443) uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. (Citation: FireEye MESSAGETAP October 2019)";
dcterms:modified "2020-06-24T01:43:11.274Z"^^xsd:dateTime .
:relationship--27e91ac8-9463-4a7a-8f1f-89abeba1b02d
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0;
dcterms:created "2019-10-10T21:54:00.462Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) has used the WindowStyle parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/001) windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)";
dcterms:modified "2021-02-09T13:46:50.756Z"^^xsd:dateTime .
:relationship--ec30b3a9-69b4-4604-9def-db9e904df309
rdf:type stix:Relationship;
stix:source_ref :malware--76abb3ef-dafd-4762-97cb-a35379429db4;
stix:target_ref :attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gazer](https://attack.mitre.org/software/S0168) uses custom encryption for C2 using 3DES and RSA.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89
rdf:type stix:Relationship;
stix:source_ref :course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7;
stix:target_ref :attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f;
dcterms:created "2017-05-31T21:33:27.029Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--4806e7c3-c8df-477f-ac3b-819248878a79
rdf:type stix:Relationship;
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268)'s dropper creates VBS scripts on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) ";
dcterms:modified "2022-01-27T18:04:46.654Z"^^xsd:dateTime .
:relationship--0cf04ae0-bc60-46e8-8cc7-9311e291dc20
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n\nCertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.\n\nAnalytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.\n\n<h4> Analytic 1 - CertUtil with Decode Argument </h4>\n<code> processes = filter processes where (\n (event_id == \"1\" OR event_id == \"4688\") AND\n exe =”C:\\Windows\\System32\\certutil.exe” AND\n command_line = *decode* )</code>";
dcterms:modified "2023-08-14T19:27:35.862Z"^^xsd:dateTime .
:relationship--a3fc552f-e16d-4db7-8bca-d1c273b401f9
rdf:type stix:Relationship;
stix:source_ref :malware--50c44c34-3abb-48ae-9433-a2337de5b0bc;
stix:target_ref :attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee;
dcterms:created "2023-03-02T18:55:25.411Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BlackCat](https://attack.mitre.org/software/S1068) can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks.(Citation: Microsoft BlackCat Jun 2022)";
dcterms:modified "2023-03-02T18:56:42.276Z"^^xsd:dateTime .
:relationship--cb727277-5491-422f-ab40-1bd1be973d1e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c;
stix:target_ref :attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0;
dcterms:created "2022-03-21T16:07:22.479Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has developed custom malware that allowed them to maintain persistence on victim networks.(Citation: Microsoft NICKEL December 2021)";
dcterms:modified "2022-03-21T16:07:22.479Z"^^xsd:dateTime .
:attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d
rdf:type d3f:OffensiveTechnique;
rdfs:label "Run Virtual Instance";
dcterms:created "2020-06-29T15:36:41.535Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3029d06e-7a13-4d17-bad5-ce3198bce2ef
rdf:type stix:Relationship;
stix:source_ref :malware--50d6688b-0985-4f3d-8cbe-0c796b30703b;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2019-09-27T13:27:07.065Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Fysbis](https://attack.mitre.org/software/S0410) can collect information about running processes.(Citation: Fysbis Dr Web Analysis) ";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--9a66e38c-ea79-4b7b-bf74-555da87d58c3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80;
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72;
dcterms:created "2020-05-22T18:00:52.264Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)";
dcterms:modified "2023-10-18T16:19:53.784Z"^^xsd:dateTime .
:relationship--ff876fa3-e156-4696-91a8-ad8996ace076
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c;
stix:target_ref :attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c;
dcterms:created "2022-03-30T14:26:51.840Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search) (Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)";
dcterms:modified "2022-03-30T14:26:51.840Z"^^xsd:dateTime .
:attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74
rdf:type d3f:OffensiveTechnique;
rdfs:label "Data from Configuration Repository";
dcterms:created "2020-10-19T23:46:13.931Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--26372fd8-6298-4da6-b412-5fb155f55786
rdf:type stix:Relationship;
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a;
stix:target_ref :attack-pattern--2cd950a6-16c4-404a-aa01-044322395107;
dcterms:created "2021-06-30T17:12:55.034Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used Installutill to download content.(Citation: Cybereason Chaes Nov 2020)";
dcterms:modified "2021-06-30T17:12:55.034Z"^^xsd:dateTime .
:relationship--720ca7ba-f9c7-48fd-92c3-e65e187fcce4
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa;
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada;
dcterms:created "2023-08-19T01:58:31.645Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Review and monitor email and other user communication logs for signs of impersonation, such as suspicious emails (e.g., from known malicious or compromised accounts) or content associated with an adversary's actions on objective (e.g., abnormal monetary transactions).";
dcterms:modified "2023-09-30T19:48:59.637Z"^^xsd:dateTime .
:relationship--109c7cc7-fec6-4d86-ae27-087cddb2670c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70;
dcterms:created "2019-07-19T16:38:05.473Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)";
dcterms:modified "2021-01-14T19:50:15.459Z"^^xsd:dateTime .
:relationship--5db4c540-d95b-4a38-9d05-c21d7c85c9b1
rdf:type stix:Relationship;
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2021-03-01T21:55:30.000Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) has used Powershell scripts to deploy its ransomware.(Citation: CERT-FR PYSA April 2020) ";
dcterms:modified "2021-03-01T21:55:30.000Z"^^xsd:dateTime .
:relationship--962f1bc9-89f8-4fbe-b981-b63cce196cbf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e;
stix:target_ref :tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d;
dcterms:created "2021-08-31T13:34:25.490Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: CISA AA21-200A APT40 July 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--02a8db04-60e6-437c-8f1a-12aff6a13c63
rdf:type stix:Relationship;
stix:source_ref :malware--df9b350b-d4f9-4e79-a826-75cc75fbc1eb;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2022-04-06T20:05:01.789Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes LazyScripter Feb 2021)";
dcterms:modified "2022-04-06T20:05:01.789Z"^^xsd:dateTime .
:relationship--a6e77d6e-a76d-446c-a8ac-03b48892b7cb
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac;
stix:target_ref :attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967;
dcterms:created "2020-02-20T22:06:41.878Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--35ae6625-8563-493c-8950-1230bd0fd122
rdf:type stix:Relationship;
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can download and execute additional files.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)";
dcterms:modified "2022-02-21T16:24:52.527Z"^^xsd:dateTime .
:relationship--3f8a74a9-55fe-4f9c-bddb-00b715ca3668
rdf:type stix:Relationship;
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5;
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) is launched through use of DLL search order hijacking to load a malicious dll.(Citation: FireEye APT10 April 2017)";
dcterms:modified "2020-03-17T02:23:04.232Z"^^xsd:dateTime .
:relationship--ec9f39cb-19a2-4134-a16a-ea263e958762
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71;
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc;
dcterms:created "2020-03-19T22:46:23.486Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--70613a9f-e8c2-44ba-a238-34acb0b7e5b8
rdf:type stix:Relationship;
stix:source_ref :malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2022-08-16T19:38:38.722Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence.(Citation: NCSC GCHQ Small Sieve Jan 2022)";
dcterms:modified "2022-09-30T17:13:10.324Z"^^xsd:dateTime .
:relationship--f0eb72f2-a8a1-42b6-a29b-4764a115c4af
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bb82e0b0-6e9c-439f-970a-4c917a74c5f2;
stix:target_ref :malware--5d342981-5194-41e7-b33f-8e91998d7d88;
dcterms:created "2021-05-26T13:06:18.119Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: BlackBerry CostaRicto November 2020)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a360fa6b-8b36-4401-b717-436badd67476
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--d9af5e2e-3ac5-451a-bc63-c3e26ca6371e
rdf:type stix:Relationship;
stix:source_ref :malware--50c44c34-3abb-48ae-9433-a2337de5b0bc;
stix:target_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac;
dcterms:created "2023-03-02T18:46:24.302Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to wipe VM snapshots on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)";
dcterms:modified "2023-03-02T18:46:24.302Z"^^xsd:dateTime .
:relationship--612eacfc-8f08-4e9e-a8f8-5461577064a3
rdf:type stix:Relationship;
stix:source_ref :malware--069af411-9b24-4e85-b26c-623d035bbe84;
stix:target_ref :attack-pattern--7fd87010-3a00-4da3-b905-410525e8ec44;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Proxysvc](https://attack.mitre.org/software/S0238) uses a batch file to delete itself.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--1307fdab-a09c-4d48-a917-a76ba0113098
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4;
dcterms:created "2022-09-02T19:38:55.971Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-09-02T19:38:55.971Z"^^xsd:dateTime .
:relationship--d329d311-422b-4144-9212-aa7da4dc273a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has used [RGDoor](https://attack.mitre.org/software/S0258) via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--29d285b9-7787-4e42-927b-c45277cbeca8
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc;
dcterms:created "2022-06-15T18:12:18.351Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes to Registry keys (ex: <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default</code>) and associated values that may be malicious attempts to conceal adversary network connection history.";
dcterms:modified "2022-06-15T18:12:18.351Z"^^xsd:dateTime .
:relationship--01b95067-ba65-48c2-8d2c-342e13007cc8
rdf:type stix:Relationship;
stix:source_ref :malware--91c57ed3-7c32-4c68-b388-7db00cb8dac6;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2023-09-27T19:52:33.697Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NightClub](https://attack.mitre.org/software/S1090) has created a Windows service named `WmdmPmSp` to establish persistence.(Citation: MoustachedBouncer ESET August 2023)";
dcterms:modified "2023-10-04T18:30:16.700Z"^^xsd:dateTime .
:relationship--f661bda3-d524-44b3-aeb0-d8dd8879a569
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--71a8ae5e-3a78-49b5-9857-e202d636cedf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, [APT32](https://attack.mitre.org/groups/G0050) has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)";
dcterms:modified "2020-06-19T20:04:12.444Z"^^xsd:dateTime .
:relationship--b6ac2ef7-350d-48ca-9ab9-8a06f9ff84e3
rdf:type stix:Relationship;
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2021-08-19T21:57:15.756Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020)";
dcterms:modified "2021-08-19T21:57:15.756Z"^^xsd:dateTime .
:relationship--4fec4445-7b29-430f-92f0-866f23178777
rdf:type stix:Relationship;
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1;
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22;
dcterms:created "2019-01-31T00:36:41.180Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) can steal profiles (containing credential information) from Firefox, Chrome, and Opera.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--79c168ca-a22b-4c1b-83d5-04560e044be2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08;
dcterms:created "2021-01-05T15:53:47.915Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained a list of users and their roles from an Exchange server using <code>Get-ManagementRoleAssignment</code>.(Citation: Volexity SolarWinds)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--6b9e7925-876a-49b1-8b42-e789401f2fad
rdf:type stix:Relationship;
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8;
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c;
dcterms:created "2020-02-25T19:17:33.770Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--da5880b4-f7da-4869-85f2-e0aba84b8565
rdf:type stix:Malware;
rdfs:label "ComRAT";
dcterms:created "2017-05-31T21:33:13.252Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)";
dcterms:modified "2023-03-22T03:30:00.985Z"^^xsd:dateTime .
:relationship--4ecf2ecd-ae5a-417b-a6a7-9690fb83a282
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80;
stix:target_ref :tool--242f3da3-4425-4d11-8f5c-b842886da966;
dcterms:created "2019-02-21T21:12:55.714Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye APT39 Jan 2019)(Citation: Dark Reading APT39 JAN 2019)";
dcterms:modified "2020-05-22T18:17:56.892Z"^^xsd:dateTime .
:relationship--6d39de5f-6fbd-43e3-8da8-03a4cbe46656
rdf:type stix:Relationship;
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2020-05-06T21:01:23.480Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019)";
dcterms:modified "2020-05-06T21:01:23.480Z"^^xsd:dateTime .
:relationship--10017b2e-7234-4368-81d7-a4c8b98c26a0
rdf:type stix:Relationship;
stix:source_ref :course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067;
stix:target_ref :attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0;
dcterms:created "2020-01-30T17:48:49.736Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Configure browsers or tasks to regularly delete persistent cookies.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--58cb7d29-8633-4f52-a1bc-029b544e5610
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e;
stix:target_ref :attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931;
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--8d4a82db-fce4-4dcc-a0d3-8aa14cbf2ee3
rdf:type stix:Relationship;
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0;
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4;
dcterms:created "2021-10-01T20:57:16.408Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can use different cloud providers for its C2.(Citation: Volexity InkySquid BLUELIGHT August 2021)";
dcterms:modified "2021-10-15T16:54:01.579Z"^^xsd:dateTime .
:relationship--d078f862-c090-4e79-808b-ff69887a920c
rdf:type stix:Relationship;
stix:source_ref :malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46;
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[POWRUNER](https://attack.mitre.org/software/S0184) may query the Registry by running <code>reg query</code> on a victim.(Citation: FireEye APT34 Dec 2017)";
dcterms:modified "2020-03-17T02:14:55.999Z"^^xsd:dateTime .
:relationship--0e113a7f-2aba-4dc6-b4fc-4c0f0d013c3d
rdf:type stix:Relationship;
stix:source_ref :malware--f72251cb-2be5-421f-a081-99c29a1209e7;
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacSpy](https://attack.mitre.org/software/S0282) uses Tor for command and control.(Citation: objsee mac malware 2017)";
dcterms:modified "2020-01-17T19:50:53.350Z"^^xsd:dateTime .
:relationship--3f7f515f-25f9-4afb-becf-6247f4d6ecd2
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5;
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d;
dcterms:created "2020-03-15T14:59:15.485Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--61347ac0-5e9c-48d1-b7a1-7bb1535941b8
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1;
stix:target_ref :attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6;
dcterms:created "2022-03-30T14:26:51.850Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--f4e83a18-a2bf-45af-aa6b-18f72646d8b6
rdf:type stix:Relationship;
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31;
stix:target_ref :attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b;
dcterms:created "2019-06-21T16:52:53.740Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Specific developer utilities may not be necessary within a given environment and should be removed if not used.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447
rdf:type d3f:OffensiveTechnique;
rdfs:label "Windows Credential Manager";
dcterms:created "2020-11-23T15:35:53.793Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\`. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as <code>CredEnumerateA</code>, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running <code>rundll32.exe keymgr.dll KRShowKeyMgr</code> then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.\n\nPassword recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)";
dcterms:modified "2022-11-08T14:00:00.188Z"^^xsd:dateTime .
:relationship--eed67968-2d71-4394-84a9-1240d9ba6a83
rdf:type stix:Relationship;
stix:source_ref :malware--50d6688b-0985-4f3d-8cbe-0c796b30703b;
stix:target_ref :attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11;
dcterms:created "2020-11-06T14:23:21.893Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "If executing without root privileges, [Fysbis](https://attack.mitre.org/software/S0410) adds a `.desktop` configuration file to the user's `~/.config/autostart` directory.(Citation: Red Canary Netwire Linux 2022)(Citation: Fysbis Dr Web Analysis)";
dcterms:modified "2023-09-28T21:16:14.858Z"^^xsd:dateTime .
:relationship--30da3c92-05b8-40fd-b8b6-29cb20a597a1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13;
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0;
dcterms:created "2023-01-10T18:36:35.140Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used BitLocker and DiskCryptor to encrypt targeted workstations. (Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)";
dcterms:modified "2023-01-13T18:38:25.309Z"^^xsd:dateTime .
:course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2
rdf:type stix:CourseOfAction;
rdfs:label "Remote System Discovery Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)";
dcterms:modified "2020-01-17T16:45:23.921Z"^^xsd:dateTime .
:relationship--abd5d73c-9eec-494c-afae-d9d2f2456b7b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2021-01-05T20:57:01.724Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) extracted files from compromised networks.(Citation: Volexity SolarWinds) ";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a5ffea60-7694-48cd-92e9-b755669b2fdb
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2017-05-31T21:33:27.080Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's username to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)";
dcterms:modified "2020-06-22T17:54:15.767Z"^^xsd:dateTime .
:relationship--f76d5396-bce5-4bb8-85aa-75d9f1bec9b2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02;
stix:target_ref :tool--64764dc6-a032-495f-8250-1e4c06bdc163;
dcterms:created "2021-09-28T17:41:13.107Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Kaspersky Ferocious Kitten Jun 2021)";
dcterms:modified "2021-09-28T17:41:13.107Z"^^xsd:dateTime .
:relationship--e6f69552-fe0e-4b40-ad20-4410048277e6
rdf:type stix:Relationship;
stix:source_ref :malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ChChes](https://attack.mitre.org/software/S0144) collects its process identifier (PID) on the victim.(Citation: Palo Alto menuPass Feb 2017)";
dcterms:modified "2020-03-17T00:33:19.756Z"^^xsd:dateTime .
:relationship--8278fc85-24af-4f8a-9b82-3f233f18f5a6
rdf:type stix:Relationship;
stix:source_ref :malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3;
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mivast](https://attack.mitre.org/software/S0080) communicates over port 80 for C2.(Citation: Symantec Backdoor.Mivast)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ac5693ea-3d10-47bd-b91b-a65177dd5462
rdf:type stix:Relationship;
stix:source_ref :malware--40a1b8ec-7295-416c-a6b1-68181d86f120;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2021-04-07T18:07:47.888Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Hildegard](https://attack.mitre.org/software/S0601) has decrypted ELF files with AES.(Citation: Unit 42 Hildegard Malware)";
dcterms:modified "2021-04-07T18:07:47.888Z"^^xsd:dateTime .
:relationship--c620753b-17ad-43bd-ace3-f572ebcac644
rdf:type stix:Relationship;
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756;
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a;
dcterms:created "2022-04-18T13:42:37.506Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can steal users’ access tokens via phishing emails containing malicious links.(Citation: AADInternals Documentation)";
dcterms:modified "2022-04-18T20:51:51.590Z"^^xsd:dateTime .
:relationship--ce0ff9c3-1e41-4103-8e2d-985d6993d08a
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34;
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--a6f2748c-49ec-4027-8b29-4fee3128cc2e
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).\n\nWhile batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\\Windows\\System32 directory tree. There will be only occasional false positives due to administrator actions.\n\nFor Windows, Sysmon Event ID 11 (File create) can be used to track file creation events. This event also provides the Process ID of the process that created the file, which can be correlated with process creation events (e.g., Sysmon Event ID 1) to determine if the file was downloaded from an external network.\n\nFor MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events.\n\n<h4> Analytic 1 : Batch File Write to System32 </h4>\n<code> batch_files = filter files where (\n extension =\".bat\" AND file_path = \"C:\\Windows\\system32*\" ) </code>";
dcterms:modified "2023-08-14T19:32:33.085Z"^^xsd:dateTime .
:relationship--e8e6f472-e048-401c-8a2e-5e2effc09040
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87;
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c;
dcterms:created "2021-03-03T19:53:18.996Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HAFNIUM](https://attack.mitre.org/groups/G0125) has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task) ";
dcterms:modified "2022-10-18T14:48:52.038Z"^^xsd:dateTime .
:relationship--7fd0dc68-66b1-482a-b3bd-3037bb0045cb
rdf:type stix:Relationship;
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06;
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d;
dcterms:created "2019-06-07T17:41:58.950Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) sets its own executable file's attributes to hidden.(Citation: Trend Micro IXESHE 2012)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--79b0a6bc-4061-468c-ac1b-eef3dc3fb419
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7;
stix:target_ref :attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d;
dcterms:created "2020-11-10T16:24:46.955Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Wizard Spider](https://attack.mitre.org/groups/G0102) has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.(Citation: FireEye KEGTAP SINGLEMALT October 2020)";
dcterms:modified "2020-11-10T16:24:46.955Z"^^xsd:dateTime .
:relationship--0ce9c0f3-6da9-402c-adc4-a001877e40e6
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3;
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47;
dcterms:created "2022-06-07T17:22:56.787Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ClearSky Siamesekitten August 2021)";
dcterms:modified "2022-06-07T17:22:56.787Z"^^xsd:dateTime .
:relationship--d0162247-12e2-4c0e-8efe-d5c4823e0fcd
rdf:type stix:Relationship;
stix:source_ref :malware--fa766a65-5136-4ff3-8429-36d08eaa0100;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2021-02-08T23:18:31.892Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BitPaymer](https://attack.mitre.org/software/S0570) can enumerate existing Windows services on the host that are configured to run as LocalSystem.(Citation: Crowdstrike Indrik November 2018)";
dcterms:modified "2021-02-08T23:18:31.892Z"^^xsd:dateTime .
:relationship--47214641-972c-4924-828a-3db470553dcb
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6;
stix:target_ref :malware--0998045d-f96e-4284-95ce-3c8219707486;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime .
:relationship--bd62c9fa-b1d4-4fb9-a892-99703e1f794d
rdf:type stix:Relationship;
stix:source_ref :malware--54e8672d-5338-4ad1-954a-a7c986bee530;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2019-01-30T17:48:35.671Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[zwShell](https://attack.mitre.org/software/S0350) can obtain the name of the logged-in user on the victim.(Citation: McAfee Night Dragon)";
dcterms:modified "2021-06-16T15:50:05.283Z"^^xsd:dateTime .
:malware--fb261c56-b80e-43a9-8351-c84081e7213d
rdf:type stix:Malware;
rdfs:label "BACKSPACE";
dcterms:created "2017-05-31T21:32:24.428Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--55307354-c0c5-4fc4-9a31-e0444ce240fe
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2022-03-30T14:26:51.875Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--5967cfeb-4525-44e8-9f92-e5b51fe72308
rdf:type stix:Relationship;
stix:source_ref :malware--cf8df906-179c-4a78-bd6e-6605e30f6624;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FELIXROOT](https://attack.mitre.org/software/S0267) opens a remote shell to execute commands on the infected system.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--59cb4ff6-e1fd-4088-905f-2ade864dabb0
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2020-11-06T18:40:37.995Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can install a new service.(Citation: Cobalt Strike TTPs Dec 2017)";
dcterms:modified "2020-11-06T18:40:37.995Z"^^xsd:dateTime .
:relationship--8cfc4444-a2bd-4553-8a26-9018cb561705
rdf:type stix:Relationship;
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-09-29T20:01:34.551Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) has relied on victims opening a malicious Excel file for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)";
dcterms:modified "2022-10-12T16:18:06.825Z"^^xsd:dateTime .
:relationship--7c56287b-94e3-4032-828c-649039a9416d
rdf:type stix:Relationship;
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db;
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4;
dcterms:created "2019-06-24T11:36:16.293Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--b94f3018-c2f2-473e-96ee-23889cb018bb
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f;
stix:target_ref :attack-pattern--635cbe30-392d-4e27-978e-66774357c762;
dcterms:created "2020-01-28T13:50:22.645Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit the number of accounts permitted to create other accounts. Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.";
dcterms:modified "2023-07-14T13:42:11.742Z"^^xsd:dateTime .
:relationship--a53cd21b-273f-43cf-a7e1-375aee6b66e9
rdf:type stix:Relationship;
stix:source_ref :course-of-action--49c06d54-9002-491d-9147-8efb537fbd26;
stix:target_ref :attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754;
dcterms:created "2020-10-19T19:42:19.844Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)";
dcterms:modified "2020-10-22T16:54:59.229Z"^^xsd:dateTime .
:x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985
rdf:type :MitreDataComponent;
rdfs:label "Social Media";
dcterms:created "2021-10-20T15:05:19.273Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Established, compromised, or otherwise acquired social media personas";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--66f5e718-f910-487f-852a-98a8d752b0ba
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)";
dcterms:modified "2020-07-17T19:22:28.803Z"^^xsd:dateTime .
:relationship--c08684c8-8467-4b7f-a9ac-3330cf423261
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926;
dcterms:created "2019-01-31T01:07:58.538Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--70749e7d-7d83-4543-8019-593de42b2a49
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c;
stix:target_ref :attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3;
dcterms:created "2022-03-30T14:26:51.848Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--aacb14e6-056f-4df4-8b9c-58a36076b1ad
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c;
stix:target_ref :attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8;
dcterms:created "2022-03-30T14:26:51.860Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--c5d67c9b-f8de-420a-ad05-3691ca001b64
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c;
dcterms:created "2020-08-17T15:22:29.071Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "\n[InvisiMole](https://attack.mitre.org/software/S0260) can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018)";
dcterms:modified "2020-08-17T15:22:29.072Z"^^xsd:dateTime .
:relationship--72f9bf47-61ac-42c8-acbf-65be7c25af0f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) has infected victims by tricking them into visiting compromised watering hole websites.(Citation: ESET OceanLotus)(Citation: Volexity Ocean Lotus November 2020)";
dcterms:modified "2020-11-24T21:19:49.896Z"^^xsd:dateTime .
:relationship--dfb4c7e9-e1af-4716-b658-9cfbadd706dc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2020-05-18T19:04:37.694Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)";
dcterms:modified "2020-05-20T20:52:34.280Z"^^xsd:dateTime .
:relationship--5543599a-779f-4955-8f3e-99cc92b1e2fc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :tool--b1595ddd-a783-482a-90e1-8afc8d48467e;
dcterms:created "2021-02-25T16:48:06.231Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Unit 42 IronNetInjector February 2021 )";
dcterms:modified "2022-05-20T17:02:59.592Z"^^xsd:dateTime .
:relationship--4c6aea43-27ba-4e6a-8907-e5db364a145b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90;
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:31.914Z"^^xsd:dateTime .
:relationship--f7ed42df-01c4-4441-95ce-68228e157abf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c;
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65;
dcterms:created "2022-03-22T16:06:14.344Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021)";
dcterms:modified "2022-03-22T16:06:14.344Z"^^xsd:dateTime .
:relationship--6f884bda-0c39-4d3b-97e3-29ae9099fa45
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c;
stix:target_ref :attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has used appcmd.exe to disable logging on a victim server.(Citation: SecureWorks BRONZE UNION June 2017)";
dcterms:modified "2020-03-28T00:30:55.434Z"^^xsd:dateTime .
:relationship--b99e218f-942b-4643-b4de-35649d2a4cbd
rdf:type stix:Relationship;
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2020-06-19T19:08:40.385Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)";
dcterms:modified "2020-08-31T14:56:42.782Z"^^xsd:dateTime .
:relationship--922cc16d-2242-477b-89db-1ba3d5176e12
rdf:type stix:Relationship;
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90;
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b;
dcterms:created "2020-11-19T18:02:58.494Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has the capability to stop processes and services.(Citation: CISA MAR SLOTHFULMEDIA October 2020)";
dcterms:modified "2020-11-19T18:02:58.494Z"^^xsd:dateTime .
:attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b
rdf:type d3f:OffensiveTechnique;
rdfs:label "VBA Stomping";
dcterms:created "2020-09-17T12:51:40.845Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--83219112-6e5b-43ea-a7a7-78213f28397f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384;
stix:target_ref :attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a;
dcterms:created "2021-02-03T18:40:49.321Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Silent Librarian](https://attack.mitre.org/groups/G0122) has established e-mail accounts to receive e-mails forwarded from compromised accounts.(Citation: DOJ Iran Indictments March 2018)";
dcterms:modified "2021-02-03T18:40:49.321Z"^^xsd:dateTime .
:relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7
rdf:type stix:Relationship;
stix:source_ref :malware--f74a5069-015d-4404-83ad-5ca01056c0dc;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2022-02-02T21:30:09.805Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)";
dcterms:modified "2022-04-05T17:31:10.185Z"^^xsd:dateTime .
:relationship--fb11df98-790a-4b1c-9ca0-73224226cff3
rdf:type stix:Relationship;
stix:source_ref :malware--166c0eca-02fd-424a-92c0-6b5106994d31;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZLib](https://attack.mitre.org/software/S0086) communicates over HTTP for C2.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-01-19T18:44:09.714Z"^^xsd:dateTime .
:relationship--2af3c673-c0c6-4246-aacc-984eb370e7b9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN5](https://attack.mitre.org/groups/G0053) scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)";
dcterms:modified "2020-03-16T23:51:43.031Z"^^xsd:dateTime .
:relationship--ecf3d7ec-a8f9-435a-9c09-6d264f319728
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025;
stix:target_ref :attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c;
dcterms:created "2020-01-24T14:48:05.786Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--bf0c323f-545c-4bd1-959a-5b1a28d4d06d
rdf:type stix:Relationship;
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2021-10-15T21:00:52.184Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can use HTTP/S for C2 using the Microsoft Graph API.(Citation: Volexity InkySquid BLUELIGHT August 2021) ";
dcterms:modified "2021-10-15T21:00:52.184Z"^^xsd:dateTime .
:relationship--118b2047-826a-4ab0-94b8-69d35a4c8592
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383;
stix:target_ref :attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938;
dcterms:created "2021-04-22T15:09:14.852Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Darkhotel](https://attack.mitre.org/groups/G0012) has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)";
dcterms:modified "2021-04-22T15:09:14.852Z"^^xsd:dateTime .
:relationship--83aac36d-6dfa-4c27-b1b1-c200c9240eb9
rdf:type stix:Relationship;
stix:source_ref :malware--8ae43c46-57ef-47d5-a77a-eebb35628db2;
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)";
dcterms:modified "2020-01-17T22:22:30.678Z"^^xsd:dateTime .
:relationship--cdbbaa5b-c1d7-4e94-8a0e-a0be60ec377c
rdf:type stix:Relationship;
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b;
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b;
dcterms:created "2021-03-02T16:42:09.500Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) can stop services and processes.(Citation: CERT-FR PYSA April 2020) ";
dcterms:modified "2021-03-02T16:42:09.500Z"^^xsd:dateTime .
:relationship--dff6f183-3444-474b-8d8a-1eb05e15a986
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--70d81154-b187-45f9-8ec5-295d01255979;
dcterms:created "2020-03-13T11:12:18.712Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--cb37da3b-6ffd-4882-9680-4e467f25d7f4
rdf:type stix:Relationship;
stix:source_ref :malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2021-10-07T21:28:23.906Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[XCSSET](https://attack.mitre.org/software/S0658) identifies the macOS version and uses <code>ioreg</code> to determine serial number.(Citation: trendmicro xcsset xcode project 2020)";
dcterms:modified "2021-10-19T00:34:13.055Z"^^xsd:dateTime .
:relationship--317b8a78-1c04-4cd7-a249-619bacfc7a44
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2019-04-23T16:12:37.562Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate service and service permission information.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--be99408a-dc65-41a0-83db-235d8495e55c
rdf:type stix:Relationship;
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53;
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c;
dcterms:created "2020-08-31T14:56:42.514Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)";
dcterms:modified "2020-08-31T14:56:42.514Z"^^xsd:dateTime .
:relationship--945a3286-2197-4984-8838-837afcd7925c
rdf:type stix:Relationship;
stix:source_ref :malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8;
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bankshot](https://attack.mitre.org/software/S0239) generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: US-CERT Bankshot Dec 2017)";
dcterms:modified "2020-03-20T22:38:19.097Z"^^xsd:dateTime .
:relationship--5dedb236-b37b-4e6b-bd3d-a09ddc1e9c17
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001;
stix:target_ref :attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb;
dcterms:created "2021-06-03T18:44:29.898Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3ea6e72b-3d19-4864-aebd-cc31dad7d519
rdf:type stix:Relationship;
stix:source_ref :malware--222ba512-32d9-49ac-aefd-50ce981ce2ce;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2020-05-21T21:31:34.256Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pony](https://attack.mitre.org/software/S0453) can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016)\t";
dcterms:modified "2020-05-21T21:31:34.256Z"^^xsd:dateTime .
:malware--53a42597-1974-4b8e-84fd-3675e8992053
rdf:type stix:Malware;
rdfs:label "NavRAT";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--238f92b3-2573-4332-b290-4685301eae6d
rdf:type stix:Relationship;
stix:source_ref :malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3;
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b;
dcterms:created "2021-08-23T19:38:33.291Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop database processes.(Citation: Arxiv Avaddon Feb 2021)";
dcterms:modified "2021-10-18T20:36:35.439Z"^^xsd:dateTime .
:relationship--31bdbd30-4938-48d6-ba95-1b90af01041c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e;
stix:target_ref :attack-pattern--29be378d-262d-4e99-b00d-852d573628e6;
dcterms:created "2020-05-11T19:44:35.090Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--eda49ac0-3077-4bff-9b30-44f527914e9c
rdf:type stix:Relationship;
stix:source_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mosquito](https://attack.mitre.org/software/S0256) leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.(Citation: ESET Turla Mosquito Jan 2018)";
dcterms:modified "2020-03-20T01:55:35.004Z"^^xsd:dateTime .
:relationship--7a58b25f-1736-48c6-90e1-70c49896ed4b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f;
dcterms:created "2022-09-28T13:30:53.698Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.(Citation: MagicWeb)";
dcterms:modified "2023-03-27T19:41:51.571Z"^^xsd:dateTime .
:relationship--6c7c4191-2d75-4ce8-b937-b9abb77d7b5b
rdf:type stix:Relationship;
stix:source_ref :malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369;
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011;
dcterms:created "2019-04-19T15:30:36.771Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HOPLIGHT](https://attack.mitre.org/software/S0376) has the capability to harvest credentials and passwords from the SAM database.(Citation: US-CERT HOPLIGHT Apr 2019)\t";
dcterms:modified "2020-03-25T16:02:26.468Z"^^xsd:dateTime .
:relationship--68e1b510-a985-467a-b3b6-03d5493e9b59
rdf:type stix:Relationship;
stix:source_ref :course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b;
stix:target_ref :attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8;
dcterms:created "2021-04-03T18:55:25.871Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure operating systems and browsers are using the most current version. ";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9da590e3-3447-4401-8ac7-f6c7482e4aed
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf;
dcterms:created "2020-02-18T16:48:56.795Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3758634e-bb33-4354-98f3-b662e8e7e83f
rdf:type stix:Relationship;
stix:source_ref :malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c;
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d;
dcterms:created "2020-04-28T12:47:25.954Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)";
dcterms:modified "2020-04-28T12:47:25.954Z"^^xsd:dateTime .
:relationship--8b2af30a-523f-41fe-88c3-ab2ee15bdec5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80;
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0;
dcterms:created "2020-05-22T15:43:05.190Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has used the Smartftp Password Decryptor tool to decrypt FTP passwords.(Citation: BitDefender Chafer May 2020)";
dcterms:modified "2023-10-18T16:19:53.783Z"^^xsd:dateTime .
:relationship--b29088a3-47cf-4799-a8e5-428472908d06
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2023-04-10T17:01:22.574Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has used malware that adds Registry keys for persistence.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)";
dcterms:modified "2023-04-10T17:01:22.574Z"^^xsd:dateTime .
:relationship--3e5cf341-4707-4de3-bb06-43530ee3e90f
rdf:type stix:Relationship;
stix:source_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60;
stix:target_ref :attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mimikatz](https://attack.mitre.org/software/S0002)'s <code>MISC::AddSid</code> module can appended any SID or user/group account to a user's SID-History. [Mimikatz](https://attack.mitre.org/software/S0002) also utilizes [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.(Citation: Adsecurity Mimikatz Guide)(Citation: AdSecurity Kerberos GT Aug 2015)";
dcterms:modified "2021-02-09T15:10:55.651Z"^^xsd:dateTime .
:relationship--c1a8eea8-f273-4dad-8ae0-d5c93bf5467f
rdf:type stix:Relationship;
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c;
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82;
dcterms:created "2020-11-16T20:14:25.585Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).(Citation: Unit 42 Lucifer June 2020)";
dcterms:modified "2020-11-20T17:06:17.941Z"^^xsd:dateTime .
:relationship--a48d44d2-a84c-45dc-9a59-2bc21f2f2301
rdf:type stix:Relationship;
stix:source_ref :course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0;
stix:target_ref :attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--667592ad-e249-4efd-933f-75a53b25567a
rdf:type stix:Relationship;
stix:source_ref :malware--c113230f-f044-423b-af63-9b63c802f5ae;
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9;
dcterms:created "2022-06-09T18:40:23.658Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OutSteel](https://attack.mitre.org/software/S1017) can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T18:40:23.658Z"^^xsd:dateTime .
:relationship--828afc32-9874-40aa-b752-315c7623ffee
rdf:type stix:Relationship;
stix:source_ref :malware--26fed817-e7bf-41f9-829a-9075ffac45c2;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kasidet](https://attack.mitre.org/software/S0088) creates a Registry Run key to establish persistence.(Citation: Zscaler Kasidet)(Citation: Microsoft Kasidet)";
dcterms:modified "2020-03-16T17:02:26.255Z"^^xsd:dateTime .
:relationship--b695f761-40ed-4988-935c-a1cf5e67c8d8
rdf:type stix:Relationship;
stix:source_ref :malware--32f49626-87f4-4d6c-8f59-a0dca953fe26;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2021-01-06T17:58:29.248Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TEARDROP](https://attack.mitre.org/software/S0560) files had names that resembled legitimate Window file and directory names.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--01292102-1f89-4358-b62c-bc0afd49fc52
rdf:type stix:Relationship;
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77;
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72;
dcterms:created "2020-03-17T02:18:35.198Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) uses DNS for C2 communications.(Citation: Unit 42 QUADAGENT July 2018)";
dcterms:modified "2020-03-17T02:18:35.198Z"^^xsd:dateTime .
:relationship--8e883c7a-3f13-42f6-8cf5-ce373586487e
rdf:type stix:Relationship;
stix:source_ref :malware--3249e92a-870b-426d-8790-ba311c1abfb4;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2019-03-25T15:05:23.719Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses WMI to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--b7d36798-e9f2-4474-836e-80b100a561e6
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has used C:\\Windows\\Debug and C:\\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--c4c83769-f5e3-4556-85b8-140060c6c0d0
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f;
stix:target_ref :attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc;
dcterms:created "2022-08-04T00:29:13.276Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.";
dcterms:modified "2022-08-04T00:29:13.276Z"^^xsd:dateTime .
:relationship--c07df1c1-3ae1-4974-af37-9c1b04cef14a
rdf:type stix:Relationship;
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e;
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses Rundll32 to load a malicious DLL.(Citation: Palo Alto Comnie)";
dcterms:modified "2020-03-17T00:43:32.014Z"^^xsd:dateTime .
:relationship--c495478b-6bae-4d1e-a43e-be07fe7cdb48
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896;
dcterms:created "2021-01-22T21:09:58.863Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has queried Registry keys using <code>reg query \\\\<host>\\HKU\\<SID>\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers</code> and <code>reg query \\\\<host>\\HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings</code>.(Citation: NCC Group Chimera January 2021)";
dcterms:modified "2021-01-22T21:09:58.863Z"^^xsd:dateTime .
:relationship--eb67e50e-84ac-495d-8374-547ef1f34f4f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90;
dcterms:created "2020-11-05T15:54:26.041Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has gathered credentials using [Mimikatz](https://attack.mitre.org/software/S0002) and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)";
dcterms:modified "2022-04-12T18:21:23.235Z"^^xsd:dateTime .
:relationship--4d6b8bca-ad81-41d6-8b4e-194ddf04d3dd
rdf:type stix:Relationship;
stix:source_ref :malware--5bcd5511-6756-4824-a692-e8bb109364af;
stix:target_ref :attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell connection on 8338/TCP, encrypted via AES.(Citation: Chaos Stolen Backdoor)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2ff84270-830f-4de8-b93c-4ee3a9a46781
rdf:type stix:Relationship;
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2021-03-12T16:55:09.340Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) ";
dcterms:modified "2021-03-16T16:27:36.037Z"^^xsd:dateTime .
:relationship--4b66eefd-8731-4c36-bee3-88e87c9f41d3
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa;
stix:target_ref :attack-pattern--e848506b-8484-4410-8017-3d235a52f5b3;
dcterms:created "2022-05-27T13:23:37.573Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor logs generated by serverless execution for unusual activity. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase ‘Power App’ or ‘Power Automate’ in the SMTP header 'x-ms-mail-application.'(Citation: Power Automate Email Exfiltration Controls)";
dcterms:modified "2022-10-19T15:12:33.677Z"^^xsd:dateTime .
:relationship--12168524-c6cf-4b8f-b114-7b10b06b8f32
rdf:type stix:Relationship;
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2022-08-18T15:36:13.631Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can gather the computer name of an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)";
dcterms:modified "2022-10-14T15:23:17.964Z"^^xsd:dateTime .
:relationship--8a97476d-9e53-4212-9179-7afbab0b8915
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba;
stix:target_ref :attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c;
dcterms:created "2022-06-16T13:08:03.143Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed network connections that may search network shares on computers they have compromised to find files of interest. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols such as SMB that revolve around network shares.";
dcterms:modified "2023-08-11T21:06:28.084Z"^^xsd:dateTime .
:relationship--a5f43f22-7157-4e5a-8d08-d700471f1993
rdf:type stix:Relationship;
stix:source_ref :malware--049ff071-0b3c-4712-95d2-d21c6aa54501;
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MURKYTOP](https://attack.mitre.org/software/S0233) has the capability to schedule remote AT jobs.(Citation: FireEye Periscope March 2018)";
dcterms:modified "2020-03-16T16:03:23.842Z"^^xsd:dateTime .
:relationship--e1275bcd-0462-4f79-b18f-2132b0bb74ec
rdf:type stix:Relationship;
stix:source_ref :course-of-action--c88151a5-fe3f-4773-8147-d801587065a4;
stix:target_ref :attack-pattern--327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61;
dcterms:created "2017-05-31T21:33:27.019Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ca80e49f-7129-43bc-ad58-5521f03b737c
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7fbbab0b-8e78-4352-ad0b-ae9a2eeffba5
rdf:type stix:Relationship;
stix:source_ref :malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2020-06-23T17:59:53.341Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Avenger](https://attack.mitre.org/software/S0473) can identify the domain of the compromised host.(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:32.649Z"^^xsd:dateTime .
:relationship--398a5e5a-b624-4992-b26c-2abb37c9c2db
rdf:type stix:Relationship;
stix:source_ref :malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2019-06-18T17:20:43.750Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[JCry](https://attack.mitre.org/software/S0389) has used PowerShell to execute payloads.(Citation: Carbon Black JCry May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--33162cc2-a800-4d42-89bb-13ac1e75dfce
rdf:type stix:Relationship;
stix:source_ref :malware--96b08451-b27a-4ff6-893f-790e26393a8e;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sakula](https://attack.mitre.org/software/S0074) has the capability to download files.(Citation: Dell Sakula)";
dcterms:modified "2020-03-17T02:29:53.409Z"^^xsd:dateTime .
:relationship--24db980d-90c2-4934-838c-92209ae110f7
rdf:type stix:Relationship;
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46;
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377;
dcterms:created "2023-03-14T17:49:22.252Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Microsoft ASR Obfuscation)";
dcterms:modified "2023-03-20T18:27:06.975Z"^^xsd:dateTime .
:malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29
rdf:type stix:Malware;
rdfs:label "OSX_OCEANLOTUS.D";
dcterms:created "2019-01-30T19:18:19.667Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)";
dcterms:modified "2023-10-12T20:21:08.235Z"^^xsd:dateTime .
:relationship--c887c671-d467-45a1-952b-8fd20cd77ec1
rdf:type stix:Relationship;
stix:source_ref :malware--60d50676-459a-47dd-92e9-a827a9fe9c58;
stix:target_ref :attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RunningRAT](https://attack.mitre.org/software/S0253) contains code to clear event logs.(Citation: McAfee Gold Dragon)";
dcterms:modified "2020-04-21T23:09:31.596Z"^^xsd:dateTime .
:relationship--18b2b3f9-8ed6-44e3-804e-ee0acc3457fb
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c;
stix:target_ref :attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d;
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor network traffic for anomalies associated with known AiTM behavior.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--b2e0fa0b-ccc4-4bd9-a981-2aa198491333
rdf:type stix:Relationship;
stix:source_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4;
stix:target_ref :attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e;
dcterms:created "2023-05-22T19:45:53.310Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUIETCANARY](https://attack.mitre.org/software/S1076) has the ability to stage data prior to exfiltration.(Citation: Mandiant Suspected Turla Campaign February 2023)";
dcterms:modified "2023-05-22T19:45:53.310Z"^^xsd:dateTime .
:relationship--da542c01-9b62-4e42-9036-809ceb31eb8d
rdf:type stix:Relationship;
stix:source_ref :malware--579607c2-d046-40df-99ab-beb479c37a2a;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-05-04T22:33:08.949Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chrommme](https://attack.mitre.org/software/S0667) can collect data from a local system.(Citation: ESET Gelsemium June 2021)";
dcterms:modified "2022-05-04T22:33:08.949Z"^^xsd:dateTime .
:relationship--578433f2-d3d3-4434-8b6c-986c14204b92
rdf:type stix:Relationship;
stix:source_ref :campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30;
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5;
dcterms:created "2023-01-17T21:55:43.672Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)";
dcterms:modified "2023-02-14T16:47:55.127Z"^^xsd:dateTime .
:relationship--93f46e6e-cabc-4274-b50e-63bda692d01e
rdf:type stix:Relationship;
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa;
stix:target_ref :attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b;
dcterms:created "2020-05-06T21:01:23.473Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Attor](https://attack.mitre.org/software/S0438) has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019)";
dcterms:modified "2020-05-06T21:01:23.473Z"^^xsd:dateTime .
:relationship--a70d8d81-4d88-404c-81f3-c3ddd57d6b69
rdf:type stix:Relationship;
stix:source_ref :course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0;
stix:target_ref :attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba;
dcterms:created "2019-06-24T16:04:41.149Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Use multi-factor authentication on remote service logons where possible.";
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime .
:relationship--c3ee174d-fd40-4636-97b2-afe80854f987
rdf:type stix:Relationship;
stix:source_ref :malware--9ca488bd-9587-48ef-b923-1743523e63b2;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SOUNDBITE](https://attack.mitre.org/software/S0157) is capable of enumerating and manipulating files and directories.(Citation: FireEye APT32 May 2017)";
dcterms:modified "2020-03-17T02:37:58.064Z"^^xsd:dateTime .
:relationship--6c56fdb0-d6cc-4a25-aa19-7191410704ef
rdf:type stix:Relationship;
stix:source_ref :malware--a0ab8a96-40c9-4483-8a54-3fafa6d6007a;
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0;
dcterms:created "2022-03-25T19:30:14.793Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)";
dcterms:modified "2022-04-10T16:24:00.046Z"^^xsd:dateTime .
:relationship--52893247-a6d6-4119-881a-09e10121edf5
rdf:type stix:Relationship;
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-07-25T18:33:20.016Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) can decrypt its payload prior to execution.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-25T18:33:20.016Z"^^xsd:dateTime .
:relationship--a78310c3-ee57-465a-9983-13c6a7cd1d4f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973;
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c;
dcterms:created "2022-01-07T16:19:16.847Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Axiom](https://attack.mitre.org/groups/G0001) has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom)";
dcterms:modified "2023-03-20T22:03:44.682Z"^^xsd:dateTime .
:relationship--3ce884c7-71c5-4f46-b09c-1abb45d8341b
rdf:type stix:Relationship;
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4;
stix:target_ref :attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b;
dcterms:created "2023-06-22T19:57:39.143Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)";
dcterms:modified "2023-06-22T19:57:39.143Z"^^xsd:dateTime .
:relationship--65f7704a-358a-464d-b09b-fee5dd96adf3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13;
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--f993e545-2d09-48c1-9b82-110ab798bdcf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) compromised legitimate organizations' websites to create watering holes to compromise victims.(Citation: US-CERT TA18-074A)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e4e36dcb-9c07-4c22-a182-61ac194a434f
rdf:type stix:Relationship;
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e;
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.(Citation: Palo Alto Comnie)";
dcterms:modified "2020-03-17T00:43:32.130Z"^^xsd:dateTime .
:relationship--8be10d07-69bd-47ae-9dea-5918d1005699
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0;
stix:target_ref :attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298;
dcterms:created "2020-01-14T17:23:05.953Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--abd0cc1c-8901-4645-8853-c394ae8c573c
rdf:type stix:Relationship;
stix:source_ref :malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42;
stix:target_ref :attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Proton](https://attack.mitre.org/software/S0279) removes logs from <code>/var/logs</code> and <code>/Library/logs</code>.(Citation: objsee mac malware 2017)";
dcterms:modified "2020-02-18T03:51:27.154Z"^^xsd:dateTime .
:relationship--e104cf3c-a802-4e06-8abc-6293cea9492f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) uses [PowerSploit](https://attack.mitre.org/software/S0194) to inject shellcode into PowerShell.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)";
dcterms:modified "2023-03-23T15:14:18.649Z"^^xsd:dateTime .
:relationship--b16c27b4-f94b-43e4-832d-986c03b96ffd
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6;
dcterms:created "2020-02-12T15:05:04.382Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit which user accounts are allowed to login via SSH.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3ed38d36-8e7c-4670-aead-cc8c28fc53cc
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a;
stix:target_ref :attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858;
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--1820202b-0994-452a-93e7-ce21496d2ab4
rdf:type stix:Relationship;
stix:source_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70;
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062;
dcterms:created "2019-04-23T15:30:03.159Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[China Chopper](https://attack.mitre.org/software/S0020)'s client component is packed with UPX.(Citation: Lee 2013)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c4221728-ce93-438c-93cd-133b6176abee
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c;
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18;
dcterms:created "2022-03-30T14:26:51.858Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.";
dcterms:modified "2023-04-15T00:10:04.672Z"^^xsd:dateTime .
:relationship--ce378e64-5802-4751-8b8e-d7bf68ce4c6a
rdf:type stix:Relationship;
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946;
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f;
dcterms:created "2019-01-29T17:59:44.527Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0
rdf:type stix:Relationship;
stix:source_ref :malware--5be33fef-39c0-4532-84ee-bea31e1b5324;
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ISMInjector](https://attack.mitre.org/software/S0189) creates scheduled tasks to establish persistence.(Citation: OilRig New Delivery Oct 2017)";
dcterms:modified "2020-03-28T21:35:37.266Z"^^xsd:dateTime .
:relationship--43e9c37e-9e57-4130-8510-05c65bfde6f8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)(Citation: Secureworks IRON HUNTER Profile)";
dcterms:modified "2022-02-22T15:46:45.474Z"^^xsd:dateTime .
:relationship--37ec750b-c0d2-4b3c-bfd2-b63e4f39b8c5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c;
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433;
dcterms:created "2020-12-11T15:33:01.509Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Carbanak](https://attack.mitre.org/groups/G0008)’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails. (Citation: Crowdstrike GTR2020 Mar 2020)";
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime .
:malware--c26f1c05-b861-4970-94dc-2f7f921a3074
rdf:type stix:Malware;
rdfs:label "BoomBox";
dcterms:created "2021-08-03T14:55:46.682Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--2e0dd10b-676d-4964-acd0-8a404c92b044
rdf:type d3f:OffensiveTechnique;
rdfs:label "Disabling Security Tools";
dcterms:created "2017-05-31T21:31:07.958Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--a8b6a519-2159-46f0-916d-1f7a3d940eea
rdf:type stix:Relationship;
stix:source_ref :malware--3a4197ae-ec63-4162-907b-9a073d1157e4;
stix:target_ref :attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c;
dcterms:created "2020-09-30T14:52:09.005Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WellMess](https://attack.mitre.org/software/S0514) can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)";
dcterms:modified "2020-09-30T14:52:09.005Z"^^xsd:dateTime .
:relationship--652ba0d5-1bd3-4dcb-93c5-f339ffdae886
rdf:type stix:Relationship;
stix:source_ref :malware--dd889a55-fb2c-4ec7-8e9f-c399939a49e1;
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001;
dcterms:created "2022-06-28T14:20:00.423Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[IceApple](https://attack.mitre.org/software/S1022) is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.(Citation: CrowdStrike IceApple May 2022)";
dcterms:modified "2022-06-28T14:20:00.423Z"^^xsd:dateTime .
:relationship--7d72dfaf-3ba5-4420-985c-b0cd16716428
rdf:type stix:Relationship;
stix:source_ref :malware--c26f1c05-b861-4970-94dc-2f7f921a3074;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2021-10-13T15:35:20.829Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BoomBox](https://attack.mitre.org/software/S0635) can search for specific files and directories on a machine.(Citation: MSTIC Nobelium Toolset May 2021)";
dcterms:modified "2021-10-13T15:35:20.829Z"^^xsd:dateTime .
:relationship--990d1dde-8b25-4b83-93a0-50533b557b82
rdf:type stix:Relationship;
stix:source_ref :malware--7230ded7-3b1a-4d6e-9735-d0ffd47af9f6;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2023-02-10T18:42:43.813Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SVCReady](https://attack.mitre.org/software/S1064) can use Windows API calls to gather information from an infected host.(Citation: HP SVCReady Jun 2022)";
dcterms:modified "2023-02-10T18:42:43.813Z"^^xsd:dateTime .
:relationship--f54cba45-e641-49e0-b015-b5f6f8a05002
rdf:type stix:Relationship;
stix:source_ref :malware--432555de-63bf-4f2a-a3fa-f720a4561078;
stix:target_ref :attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b;
dcterms:created "2019-05-30T17:23:30.514Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FlawedAmmyy](https://attack.mitre.org/software/S0381) enumerates the privilege level of the victim during the initial infection.(Citation: Proofpoint TA505 Mar 2018)(Citation: Korean FSI TA505 2020)";
dcterms:modified "2022-10-13T16:54:26.083Z"^^xsd:dateTime .
:relationship--59945377-5b77-4267-ae36-9feebccc42f3
rdf:type stix:Relationship;
stix:source_ref :tool--a7b5df47-73bb-4d47-b701-869f185633a6;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2022-03-25T14:32:35.653Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Donut](https://attack.mitre.org/software/S0695) includes subprojects that enumerate and identify information about [Process Injection](https://attack.mitre.org/techniques/T1055) candidates.(Citation: Donut Github)\t";
dcterms:modified "2022-03-25T14:32:35.653Z"^^xsd:dateTime .
:relationship--9ee2a9f3-9174-4927-8561-56d5c6723b9e
rdf:type stix:Relationship;
stix:source_ref :malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TURNEDUP](https://attack.mitre.org/software/S0199) is capable of gathering system information.(Citation: FireEye APT33 Sept 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--5239c6fe-bb67-48c0-bd77-2267e1e71cf3
rdf:type stix:Relationship;
stix:source_ref :malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2020-07-16T15:10:35.341Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bonadan](https://attack.mitre.org/software/S0486) can find the external IP address of the infected host.(Citation: ESET ForSSHe December 2018)";
dcterms:modified "2020-07-16T15:10:35.341Z"^^xsd:dateTime .
:relationship--982d9af7-45bb-4cc0-9819-aaadb3304783
rdf:type stix:Relationship;
stix:source_ref :malware--251fbae2-78f6-4de7-84f6-194c727a64ad;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lurid](https://attack.mitre.org/software/S0010) can compress data before sending it.(Citation: Villeneuve 2011)";
dcterms:modified "2020-03-30T02:28:58.614Z"^^xsd:dateTime .
:relationship--9c97e0aa-61fd-4f42-881f-763a1b03c16b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71;
dcterms:created "2019-01-31T01:07:58.791Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--9ce9ab1f-b4fa-41e7-8302-11c30f918001
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1;
dcterms:created "2020-06-09T15:33:13.725Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)";
dcterms:modified "2021-02-09T13:34:39.997Z"^^xsd:dateTime .
:attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b
rdf:type d3f:OffensiveTechnique;
rdfs:label "Protocol Tunneling";
dcterms:created "2020-03-15T16:03:39.082Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--e3a516b0-fa02-43dc-8247-0545a53693b1
rdf:type stix:Relationship;
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-06-30T16:13:40.671Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) can download additional files onto an infected machine.(Citation: Cybereason Chaes Nov 2020)";
dcterms:modified "2021-08-19T21:57:15.981Z"^^xsd:dateTime .
:relationship--74dcdf15-ebdf-4faa-8316-cbf1429a8cea
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d;
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
dcterms:created "2022-10-13T16:08:14.749Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: NCC Group TA505)";
dcterms:modified "2022-10-13T16:08:14.749Z"^^xsd:dateTime .
:relationship--696c0ce2-7829-4d95-baab-ae64db59c62a
rdf:type stix:Relationship;
stix:source_ref :malware--5633ffd3-81ef-4f98-8f93-4896b03998f0;
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0;
dcterms:created "2022-08-11T22:39:33.911Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DCSrv](https://attack.mitre.org/software/S1033) has encrypted drives using the core encryption mechanism from DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021)";
dcterms:modified "2022-10-11T20:01:04.431Z"^^xsd:dateTime .
:relationship--e4153cab-6566-4a84-8d97-31afe694ccf3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871;
stix:target_ref :attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2;
dcterms:created "2020-11-18T17:17:06.494Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--e925337d-e878-48ad-a53c-3a3f4656849e
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49;
dcterms:created "2021-01-22T19:53:33.345Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.(Citation: NCC Group Chimera January 2021)";
dcterms:modified "2021-01-22T19:53:33.345Z"^^xsd:dateTime .
:attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
rdf:type d3f:OffensiveTechnique;
rdfs:label "Fileless Storage";
dcterms:created "2023-03-23T19:55:25.546Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ";
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
rdf:type d3f:OffensiveTechnique;
rdfs:label "Data from Removable Media";
dcterms:created "2017-05-31T21:30:31.584Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9ee6eb40-881c-4928-a036-58a8df0e8f95
rdf:type stix:Relationship;
stix:source_ref :malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb;
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18;
dcterms:created "2023-09-18T19:30:39.800Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.(Citation: Bitdefender Sardonic Aug 2021)";
dcterms:modified "2023-10-03T16:39:57.265Z"^^xsd:dateTime .
:relationship--f229e2fb-3105-4ae5-abe1-d100209f702c
rdf:type stix:Relationship;
stix:source_ref :course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d;
stix:target_ref :attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea;
dcterms:created "2020-03-14T23:19:38.129Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--885a3674-5a25-42e4-aa7f-148a41493861
rdf:type stix:Relationship;
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b;
stix:target_ref :attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391;
dcterms:created "2022-06-09T20:47:17.474Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has used `is_debugger_present` as part of its environmental checks.(Citation: Malwarebytes Saint Bot April 2021)";
dcterms:modified "2022-06-09T20:47:17.474Z"^^xsd:dateTime .
:relationship--f6242361-3056-49da-8e2a-82e1e893b039
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d;
stix:target_ref :attack-pattern--144e007b-e638-431d-a894-45d90c54ab90;
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--346d9aa5-2d93-4843-a219-e0cb79bf6362
rdf:type stix:Relationship;
stix:source_ref :malware--99854cc8-f202-4e03-aa0a-4f8a4af93229;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2022-06-13T15:51:01.115Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Shark](https://attack.mitre.org/software/S1019) has the ability to use `CMD` to execute commands.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)";
dcterms:modified "2022-06-16T15:12:20.485Z"^^xsd:dateTime .
:relationship--39556624-1c45-4178-bfa4-7a20b254df7e
rdf:type stix:Relationship;
stix:source_ref :malware--4b072c90-bc7a-432b-940e-016fc1c01761;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Keydnap](https://attack.mitre.org/software/S0276) uses HTTPS for command and control.(Citation: synack 2016 review)";
dcterms:modified "2020-03-17T01:40:25.106Z"^^xsd:dateTime .
:relationship--5eac9edf-ec42-4ad9-846e-e36b533fd257
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
stix:target_ref :attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2;
dcterms:created "2020-02-11T18:58:11.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0705be49-4ad2-4b50-a024-e8b79b53a1ab
rdf:type stix:Relationship;
stix:source_ref :malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2019-06-18T18:40:33.826Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SQLRat](https://attack.mitre.org/software/S0390) has used been observed deleting scripts once used.(Citation: Flashpoint FIN 7 March 2019)\t";
dcterms:modified "2020-01-29T17:32:00.070Z"^^xsd:dateTime .
:relationship--b942cd55-6fed-49a1-ba05-af23836b518f
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can exploit vulnerabilities such as MS14-058.(Citation: Cobalt Strike TTPs Dec 2017)";
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime .
:relationship--888cad71-2275-4ca6-a154-f297f972487c
rdf:type stix:Relationship;
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96;
stix:target_ref :attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807;
dcterms:created "2020-03-09T12:51:45.634Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--352953e9-c1ca-4d25-84b6-eb05a012b2e9
rdf:type stix:Relationship;
stix:source_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f;
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials stored in Web browsers by querying the sqlite database.(Citation: Talos Group123)";
dcterms:modified "2022-03-22T17:21:33.390Z"^^xsd:dateTime .
:relationship--471ac6a2-4e6b-4267-8087-c22c707bbc21
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e;
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f;
dcterms:created "2022-03-30T14:26:51.837Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--75f47e28-75dd-4471-8d00-ed4a2c4d3328
rdf:type stix:Relationship;
stix:source_ref :malware--b45747dc-87ca-4597-a245-7e16a61bc491;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2019-01-30T15:27:06.732Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Seasalt](https://attack.mitre.org/software/S0345) has a command to download additional files.(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1 Appendix)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--542bb806-3e73-42f5-8a3e-86b498093f4b
rdf:type stix:Relationship;
stix:source_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc;
stix:target_ref :attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[certutil](https://attack.mitre.org/software/S0160) can be used to install browser root certificates as a precursor to performing [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) between connections to banking websites. Example command: <code>certutil -addstore -f -user ROOT ProgramData\\cert512121.der</code>.(Citation: Palo Alto Retefe)";
dcterms:modified "2021-08-16T17:50:50.467Z"^^xsd:dateTime .
:malware--f74a5069-015d-4404-83ad-5ca01056c0dc
rdf:type stix:Malware;
rdfs:label "Lizar";
dcterms:created "2022-02-02T21:05:48.601Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)";
dcterms:modified "2022-04-15T11:40:31.460Z"^^xsd:dateTime .
:relationship--abef99ab-d0a5-4c9f-9011-c79bfabccd5e
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5;
stix:target_ref :attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0;
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.\n\nCheck and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.(Citation: Polyglot Files: a Hacker’s best friend) In Linux, the <code>file</code> command may be used to check the file signature.(Citation: file_sig_table)";
dcterms:modified "2023-04-11T22:45:18.232Z"^^xsd:dateTime .
:relationship--5f8f4204-228c-49d3-8ec6-863b13038001
rdf:type stix:Relationship;
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2019-04-23T13:43:22.923Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.(Citation: GitHub PoshC2)";
dcterms:modified "2020-03-16T17:31:49.404Z"^^xsd:dateTime .
:relationship--e69ac347-8b74-4fcc-8b13-17d7a1b04339
rdf:type stix:Relationship;
stix:source_ref :malware--8c1d01ff-fdc0-4586-99bd-c248e0761af5;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2021-03-02T13:57:47.577Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kerrdown](https://attack.mitre.org/software/S0585) has gained execution through victims opening malicious files.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)";
dcterms:modified "2021-10-01T17:13:49.115Z"^^xsd:dateTime .
:relationship--31d1ec86-7f70-48b7-b44f-c1403f5f2c19
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83;
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes to windows registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--1d65c2d6-6f59-40e4-af56-83ad4d9efea8
rdf:type stix:Relationship;
stix:source_ref :malware--bdb27a1d-1844-42f1-a0c0-826027ae0326;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2019-05-02T01:07:36.957Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin for keylogging.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)";
dcterms:modified "2020-03-16T17:43:04.989Z"^^xsd:dateTime .
:relationship--0bc4d3d8-8018-4e0a-a365-ebef543e1222
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8;
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88;
dcterms:created "2022-03-25T15:24:08.781Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BlackTech](https://attack.mitre.org/groups/G0098) has used the SNScan tool to find other potential targets on victim networks.(Citation: Symantec Palmerworm Sep 2020)";
dcterms:modified "2022-03-25T15:24:08.781Z"^^xsd:dateTime .
:relationship--40ac660a-5f6d-4cac-8518-bb8dff6933ea
rdf:type stix:Relationship;
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2021-06-30T16:13:40.669Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020) ";
dcterms:modified "2021-08-20T22:18:06.584Z"^^xsd:dateTime .
:relationship--670f37e1-8de3-441e-bc09-ff95c09ee14d
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae;
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db;
dcterms:created "2020-03-16T14:12:48.061Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--66647c20-2d76-4711-9eee-07d932e75851
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb;
stix:target_ref :attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1;
dcterms:created "2020-03-27T21:14:03.099Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT12](https://attack.mitre.org/groups/G0005) has used multiple variants of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.(Citation: Meyers Numbered Panda)";
dcterms:modified "2020-03-27T21:14:03.099Z"^^xsd:dateTime .
:relationship--088ed15f-46da-4b32-a182-68553c61f09b
rdf:type stix:Relationship;
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2019-04-01T15:06:38.851Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has been observed encrypting the data it collects before sending it to the C2 server. (Citation: Fortinet Emotet May 2017)";
dcterms:modified "2020-03-30T02:52:04.537Z"^^xsd:dateTime .
:relationship--cfe2a359-bbab-4520-bdd7-b2d6abf742cc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :malware--59a97b15-8189-4d51-9404-e1ce8ea4a069;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: XAgentOSX 2017)(Citation: Symantec APT28 Oct 2018)(Citation: US District Court Indictment GRU Oct 2018)";
dcterms:modified "2020-10-01T18:55:45.528Z"^^xsd:dateTime .
:relationship--cf6c50a3-1de8-4fb4-8e8f-0a28b642824c
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1;
dcterms:created "2022-03-30T14:26:51.864Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--a4ba7046-2937-4c08-a479-3dd59deba534
rdf:type stix:Relationship;
stix:source_ref :course-of-action--245075bc-f992-4d89-af8c-834c53d403f4;
stix:target_ref :attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8;
dcterms:created "2019-04-24T17:03:39.751Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--dc25eff7-fbfe-48a0-aeb7-ae8d92e75978
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c;
dcterms:created "2021-01-05T15:53:47.938Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: Volexity SolarWinds)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee
rdf:type stix:Malware;
rdfs:label "CosmicDuke";
dcterms:created "2017-05-31T21:32:36.550Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--40dc38ff-1daf-4c3b-823d-377ae4d3a505
rdf:type stix:Relationship;
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d;
stix:target_ref :attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d;
dcterms:created "2022-04-13T18:50:06.009Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository.(Citation: Talos Bisonal Mar 2020) ";
dcterms:modified "2022-04-18T18:11:57.931Z"^^xsd:dateTime .
:relationship--7a980213-1df8-481f-af86-ed105781c573
rdf:type stix:Relationship;
stix:source_ref :tool--1b3b8f96-43b1-4460-8e02-1f53d7802fb9;
stix:target_ref :attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db;
dcterms:created "2023-09-28T13:24:54.791Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS services, such as CloudTrail and CloudWatch.(Citation: GitHub Pacu)";
dcterms:modified "2023-10-13T16:33:31.813Z"^^xsd:dateTime .
:relationship--eeb5eeab-3fa1-4670-a7ab-f6a8f7193be9
rdf:type stix:Relationship;
stix:source_ref :malware--1fefb062-feda-484a-8f10-0cebf65e20e3;
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643;
dcterms:created "2023-09-26T20:53:11.604Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SharpDisco](https://attack.mitre.org/software/S1089) has dropped a plugin to monitor external drives to `C:\\Users\\Public\\It3.exe`.(Citation: MoustachedBouncer ESET August 2023)";
dcterms:modified "2023-09-26T20:53:11.604Z"^^xsd:dateTime .
:relationship--3811b12a-fcfc-47d2-83ec-89df60ca4c21
rdf:type stix:Relationship;
stix:source_ref :malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea;
stix:target_ref :attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916;
dcterms:created "2020-06-24T15:36:00.917Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BBK](https://attack.mitre.org/software/S0470) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T15:36:00.917Z"^^xsd:dateTime .
:attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b
rdf:type d3f:OffensiveTechnique;
rdfs:label "Defacement";
dcterms:created "2019-04-08T17:51:41.390Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:malware--198db886-47af-4f4c-bff5-11b891f85946
rdf:type stix:Malware;
rdfs:label "Zeus Panda";
dcterms:created "2019-01-29T17:59:43.600Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)";
dcterms:modified "2023-03-22T05:47:42.436Z"^^xsd:dateTime .
:relationship--100f4917-1702-4707-bd9f-58d471e77018
rdf:type stix:Relationship;
stix:source_ref :malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[More_eggs](https://attack.mitre.org/software/S0284) has the capability to gather the OS version and computer name.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--77def9ad-52ea-44c0-b800-42b17323a985
rdf:type stix:Relationship;
stix:source_ref :tool--da04ac30-27da-4959-a67d-450ce47d9470;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2022-08-02T15:41:00.445Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QuasarRAT](https://attack.mitre.org/software/S0262) can retrieve files from compromised client machines.(Citation: CISA AR18-352A Quasar RAT December 2018)";
dcterms:modified "2022-08-02T15:41:00.445Z"^^xsd:dateTime .
:relationship--dc7e8f00-d57c-4cfd-971c-510ede375c2f
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011;
dcterms:created "2020-11-06T18:40:38.194Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can recover hashed passwords.(Citation: cobaltstrike manual)";
dcterms:modified "2022-02-25T18:58:15.241Z"^^xsd:dateTime .
:relationship--4b4fadc1-a402-4d56-9e4f-8c76b03def23
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a;
dcterms:created "2022-03-30T14:26:51.843Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), auditpol, `sc stop EventLog`, <code>reg add</code>, <code>Set- or Stop-Service</code>, <code>Set- or New-ItemProperty</code>, <code>sc config</code>, \nand offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering)(Citation: disable_win_evt_logging) ";
dcterms:modified "2023-03-17T23:39:12.351Z"^^xsd:dateTime .
:relationship--a714680b-edab-459c-bb8f-cc313cfc4372
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21;
dcterms:created "2022-03-30T14:26:51.859Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--7ce7aa48-afa9-4eb6-8bc2-8f04fd6cf00e
rdf:type stix:Relationship;
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-02-18T16:37:20.194Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can decrypt encrypted data strings prior to using them.(Citation: Microsoft Actinium February 2022)";
dcterms:modified "2022-02-18T16:37:20.194Z"^^xsd:dateTime .
:relationship--5ade424d-5a9d-4209-8aa4-a129783ffaa3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070) leveraged a watering hole to serve up malicious code.(Citation: Lookout Dark Caracal Jan 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--75560ec3-23f7-49e1-9dde-38f51db8b2b1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2021-01-05T22:07:13.832Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) used encoded PowerShell commands.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--db61e886-9295-4df7-a9db-25d7b9879b82
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179;
dcterms:created "2020-08-17T12:57:12.103Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020)";
dcterms:modified "2020-08-18T13:13:32.120Z"^^xsd:dateTime .
:relationship--1b1a7abf-72bc-44fa-8f90-4321003f0553
rdf:type stix:Relationship;
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783;
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c;
dcterms:created "2023-03-29T15:55:54.119Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) has used Base64 to encode its C2 traffic.(Citation: Lunghi Iron Tiger Linux) ";
dcterms:modified "2023-03-29T15:55:54.119Z"^^xsd:dateTime .
:relationship--778765e1-7eb6-46b1-a370-6dfe09081ee3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321;
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688;
dcterms:created "2019-05-24T17:57:36.629Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)";
dcterms:modified "2020-05-06T03:12:02.277Z"^^xsd:dateTime .
:relationship--4f8c284a-faa2-4f58-be3b-e27f6ed84423
rdf:type stix:Relationship;
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a;
stix:target_ref :attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584;
dcterms:created "2022-05-12T18:22:42.472Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, [MacMa](https://attack.mitre.org/software/S1016) is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the [MacMa](https://attack.mitre.org/software/S1016) only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)";
dcterms:modified "2022-10-20T19:58:20.264Z"^^xsd:dateTime .
:attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae
rdf:type d3f:OffensiveTechnique;
rdfs:label "Screensaver";
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. \n\nThe following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n* <code>SCRNSAVE.exe</code> - set to malicious PE path\n* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n* <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n* <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--eb8bc00c-91f6-434e-bfdb-ecb72c5e4391
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c;
stix:target_ref :attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7;
dcterms:created "2022-03-30T14:26:51.835Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "BITS runs as a service and its status can be checked with the Sc query utility (<code>sc query bits</code>).(Citation: Microsoft Issues with BITS July 2011)";
dcterms:modified "2022-03-30T14:26:51.835Z"^^xsd:dateTime .
:relationship--ae3be82b-3d54-4be8-939b-e074a2cea170
rdf:type stix:Relationship;
stix:source_ref :malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Misdat](https://attack.mitre.org/software/S0083) is capable of downloading files from the C2.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-01-19T21:13:03.951Z"^^xsd:dateTime .
:relationship--748cd538-d2a0-470c-b6fb-68e73b8069b1
rdf:type stix:Relationship;
stix:source_ref :malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2023-01-11T21:35:37.079Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AvosLocker](https://attack.mitre.org/software/S1053) has deobfuscated XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)";
dcterms:modified "2023-02-15T16:32:51.978Z"^^xsd:dateTime .
:relationship--4e39da36-f7e0-4e26-b354-ca34fb801e33
rdf:type stix:Relationship;
stix:source_ref :malware--aea6d6b8-d832-4c90-a1bb-f52c6684db6c;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2022-06-07T18:05:19.253Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Milan](https://attack.mitre.org/software/S1015) has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)";
dcterms:modified "2022-06-07T18:05:19.253Z"^^xsd:dateTime .
:relationship--94cbcde4-3323-41ba-948c-95f798d39a89
rdf:type stix:Relationship;
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2022-01-10T19:52:49.183Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) uses HTTPS for command and control.(Citation: Prevailion DarkWatchman 2021)";
dcterms:modified "2022-01-11T16:03:19.251Z"^^xsd:dateTime .
:relationship--c8470c56-2c81-4826-804c-44e53d87333f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3;
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475;
dcterms:created "2022-06-16T13:32:04.610Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) has used [netstat](https://attack.mitre.org/software/S0104) to monitor connections to specific ports.(Citation: Kaspersky Lyceum October 2021)";
dcterms:modified "2022-08-31T14:51:30.431Z"^^xsd:dateTime .
:relationship--319189e0-9db0-46f8-9386-0d909db94a46
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) used batch scripts to enumerate network information, including information about trusts, zones, and the domain.(Citation: US-CERT TA18-074A)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3b86d8fe-5677-4516-bf77-898e4da6171f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258;
stix:target_ref :malware--b42378e0-f147-496f-992a-26a49705395b;
dcterms:created "2019-07-19T16:38:05.420Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)";
dcterms:modified "2021-01-13T21:20:49.108Z"^^xsd:dateTime .
:relationship--eefcbce1-d2b4-40cb-a07d-7735b256c868
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd;
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4;
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.";
dcterms:modified "2022-04-20T12:51:46.076Z"^^xsd:dateTime .
:relationship--78daa7e5-f5e5-452b-a7fd-cece272294fd
rdf:type stix:Relationship;
stix:source_ref :tool--26c87906-d750-42c5-946c-d4162c73fc7b;
stix:target_ref :attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90;
dcterms:created "2020-03-19T23:01:00.203Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)";
dcterms:modified "2022-04-19T21:06:46.662Z"^^xsd:dateTime .
:relationship--67f029d5-c44b-446b-9efe-0e0e0d85192a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384;
stix:target_ref :attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0;
dcterms:created "2021-02-03T18:34:46.363Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Silent Librarian](https://attack.mitre.org/groups/G0122) has set up auto forwarding rules on compromised e-mail accounts.(Citation: DOJ Iran Indictments March 2018)";
dcterms:modified "2021-02-03T18:34:46.363Z"^^xsd:dateTime .
:relationship--bc99bfb1-8529-4116-b702-07c37d333bcf
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0;
stix:target_ref :tool--6a5947f3-1a36-4653-8734-526df3e1d28d;
dcterms:created "2023-09-20T19:33:24.058Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Proofpoint TA2541 February 2022)(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)";
dcterms:modified "2023-09-20T19:33:24.058Z"^^xsd:dateTime .
:relationship--bd29b3ec-5dab-49fe-90ec-37f4c0a3f442
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75;
stix:target_ref :attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0;
dcterms:created "2020-10-02T16:59:56.765Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--531e2785-0bbd-43f0-8784-ebe6808afa98
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170;
stix:target_ref :attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04;
dcterms:created "2023-03-31T17:31:38.458Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes to Registry entries for network providers (e.g., `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`) and correlate then investigate the DLL files these values reference.";
dcterms:modified "2023-04-11T03:28:04.450Z"^^xsd:dateTime .
:relationship--0766fe91-a8d9-42bd-8023-f2134b280211
rdf:type stix:Relationship;
stix:source_ref :malware--b350b47f-88fe-4921-8538-6d9c59bac84e;
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada;
dcterms:created "2022-03-07T19:33:27.021Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cyclops Blink](https://attack.mitre.org/software/S0687) can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.(Citation: NCSC Cyclops Blink February 2022)";
dcterms:modified "2022-03-07T19:33:27.021Z"^^xsd:dateTime .
:relationship--fa426e9e-7e77-4c1b-b03c-00a4ae45ac6c
rdf:type stix:Relationship;
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2022-09-07T14:16:35.346Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)";
dcterms:modified "2022-09-21T14:35:54.675Z"^^xsd:dateTime .
:relationship--d0061edc-becf-4ce9-ae91-5e1816d4a894
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT37](https://attack.mitre.org/groups/G0067) delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--81c1e9d6-f478-4adb-af70-cc92e8094e8a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f;
stix:target_ref :attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d;
dcterms:created "2020-11-06T18:02:10.449Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.(Citation: CISA AA20-301A Kimsuky)";
dcterms:modified "2020-11-06T18:02:10.449Z"^^xsd:dateTime .
:relationship--388b4637-f634-42ab-a370-981be7da89bd
rdf:type stix:Relationship;
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5;
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) uses a specific port of 443 and can also use ports 53 and 80 for C2. One [RedLeaves](https://attack.mitre.org/software/S0153) variant uses HTTP over port 443 to connect to its C2 server.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--58d4910f-9d51-4961-84eb-9ef0ee2e8bc3
rdf:type stix:Relationship;
stix:source_ref :tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2023-02-09T20:29:28.146Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Brute Ratel C4](https://attack.mitre.org/software/S1063) has used encrypted payload files and maintains an encrypted configuration structure in memory.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)";
dcterms:modified "2023-02-17T20:27:17.175Z"^^xsd:dateTime .
:relationship--33bba084-3681-4955-861d-2ff6fe02ad9b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Thrip](https://attack.mitre.org/groups/G0076) leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.(Citation: Symantec Thrip June 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--46ace311-9be9-4d4a-8ef0-fc2c0659fba9
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3;
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4;
dcterms:created "2020-10-20T17:59:21.115Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ac3ee298-bef0-4a52-9050-3dcef1701408
rdf:type stix:Relationship;
stix:source_ref :tool--cf23bf4a-e003-4116-bbae-1ea6c558d565;
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ftp](https://attack.mitre.org/software/S0095) may be used to exfiltrate data separate from the main command and control protocol.(Citation: Microsoft FTP)(Citation: Linux FTP)";
dcterms:modified "2022-02-25T20:50:26.362Z"^^xsd:dateTime .
:attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86
rdf:type d3f:OffensiveTechnique;
rdfs:label "Space after Filename";
dcterms:created "2020-02-10T20:47:10.082Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.";
dcterms:modified "2023-03-30T21:01:52.873Z"^^xsd:dateTime .
:relationship--6975d10a-91bf-4a22-8353-745de444c594
rdf:type stix:Relationship;
stix:source_ref :malware--92ec0cbd-2c30-44a2-b270-73f4ec949841;
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d;
dcterms:created "2020-06-18T16:12:54.239Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RTM](https://attack.mitre.org/software/S0148) can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ESET RTM Feb 2017)";
dcterms:modified "2020-06-18T16:12:54.239Z"^^xsd:dateTime .
:relationship--b46d0c20-61f1-4ab4-be3b-fa7dace805f0
rdf:type stix:Relationship;
stix:source_ref :malware--c9ccc4df-1f56-49e7-ad57-b383e1451688;
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b;
dcterms:created "2021-03-01T14:07:36.893Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LookBack](https://attack.mitre.org/software/S0582) uses a custom binary protocol over sockets for C2 communications.(Citation: Proofpoint LookBack Malware Aug 2019)";
dcterms:modified "2021-03-02T18:15:56.497Z"^^xsd:dateTime .
:relationship--216c15b0-3091-49f2-ba85-356d56265671
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :malware--fece06b7-d4b1-42cf-b81a-5323c917546e;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: US-CERT FALLCHILL Nov 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--a09f7595-1281-4333-ac19-22c41da8c82d
rdf:type stix:Relationship;
stix:source_ref :malware--43155329-3edf-47a6-9a14-7dac899b01e4;
stix:target_ref :attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00;
dcterms:created "2019-05-29T14:48:20.998Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FlawedGrace](https://attack.mitre.org/software/S0383) uses a custom binary protocol for its C2 communications.(Citation: Proofpoint TA505 Jan 2019)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--30c0f7aa-473d-42c3-81ff-f39c6f21ee52
rdf:type stix:Relationship;
stix:source_ref :malware--bbcd7a02-ef24-4171-ac94-a93540173b94;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2020-08-03T15:14:17.938Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Carberp](https://attack.mitre.org/software/S0484) has exfiltrated data via HTTP to already established C2 servers.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)";
dcterms:modified "2020-08-03T15:17:32.038Z"^^xsd:dateTime .
:relationship--957ca941-c089-4059-ba09-1c1d4cf62881
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f;
stix:target_ref :attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df;
dcterms:created "2019-06-21T14:27:36.648Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--83aedf08-e8eb-4c18-80c1-727ddb0f1d07
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2022-07-18T18:56:23.156Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) modified the registry using the command <code>reg add “HKEY_CURRENT_USER\\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”</code> for persistence.(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-09-09T15:43:56.646Z"^^xsd:dateTime .
:relationship--e2b67455-4986-46f4-a4ff-f5ee215ef998
rdf:type stix:Relationship;
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2021-03-15T15:20:25.733Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can report the file system type and disk space of a compromised host to C2.(Citation: Leonardo Turla Penquin May 2020)";
dcterms:modified "2022-09-28T21:27:07.148Z"^^xsd:dateTime .
:relationship--f146a331-3595-46be-abef-518708e34def
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d;
dcterms:created "2017-05-31T21:33:27.067Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample XORs C2 traffic. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--bc733ee6-f441-42b1-a201-9ff84e0f522c
rdf:type stix:Relationship;
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de;
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a;
dcterms:created "2021-05-10T23:54:36.037Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) can delete the shadow volumes with <code>vssadmin Delete Shadows /all /quiet</code> and can use bcdedit to disable recovery options.(Citation: Mcafee Clop Aug 2019)";
dcterms:modified "2021-05-19T17:11:19.309Z"^^xsd:dateTime .
:malware--3d57dcc4-be99-4613-9482-d5218f5ec13e
rdf:type stix:Malware;
rdfs:label "PolyglotDuke";
dcterms:created "2020-09-23T15:42:59.822Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)";
dcterms:modified "2023-03-26T19:42:34.359Z"^^xsd:dateTime .
:malware--e928333f-f3df-4039-9b8b-556c2add0e42
rdf:type stix:Malware;
rdfs:label "ECCENTRICBANDWAGON";
dcterms:created "2021-03-18T16:15:53.977Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--7bef1b56-4870-4e74-b32a-7dd88c390c44
rdf:type stix:Malware;
rdfs:label "Bundlore";
dcterms:created "2020-07-01T19:34:28.366Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--283ba7b1-cd3b-44e9-bfae-70023c53d446
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2020-05-20T18:56:59.024Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020)";
dcterms:modified "2020-05-20T18:56:59.024Z"^^xsd:dateTime .
:relationship--ea187577-25ce-458f-a26b-9ee71d3879fd
rdf:type stix:Relationship;
stix:source_ref :malware--99fdf3b4-96ef-4ab9-b191-fc683441cad0;
stix:target_ref :attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4;
dcterms:created "2020-11-18T20:20:31.840Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bazar](https://attack.mitre.org/software/S0534) can inject into a target process including Svchost, Explorer, and cmd using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)";
dcterms:modified "2020-12-01T14:15:37.341Z"^^xsd:dateTime .
:relationship--197ade21-6787-4ed3-a3ce-ff4b59b2f15c
rdf:type stix:Relationship;
stix:source_ref :malware--c13d9621-aca7-436b-ab3d-3a95badb3d00;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2020-06-24T20:29:46.153Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BackConfig](https://attack.mitre.org/software/S0475) can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)";
dcterms:modified "2020-06-24T20:29:46.153Z"^^xsd:dateTime .
:relationship--acdc53fa-91d6-4417-bc7b-83c220ec9fae
rdf:type stix:Relationship;
stix:source_ref :malware--b45747dc-87ca-4597-a245-7e16a61bc491;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2019-01-30T15:27:06.723Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Seasalt](https://attack.mitre.org/software/S0345) has a command to delete a specified file.(Citation: Mandiant APT1 Appendix)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--bb6be5dd-602d-4625-859a-eb6c5bddc29c
rdf:type stix:Relationship;
stix:source_ref :malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2021-09-09T14:15:55.323Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ObliqueRAT](https://attack.mitre.org/software/S0644) can copy specific files, webcam captures, and screenshots to local directories.(Citation: Talos Oblique RAT March 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--2a27a98e-ee19-49f3-96e4-a5c9ee6e65ed
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--e44e0985-bc65-4a8f-b578-211c858128e3;
stix:target_ref :attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba;
dcterms:created "2021-09-07T13:43:36.245Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Transparent Tribe](https://attack.mitre.org/groups/G0134) has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)";
dcterms:modified "2021-10-15T14:37:09.745Z"^^xsd:dateTime .
:relationship--42de94e7-86f3-41d9-9e01-45fff8be1451
rdf:type stix:Relationship;
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2020-03-17T03:07:38.540Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has used HTTP POSTs to exfil gathered information.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)";
dcterms:modified "2020-03-17T03:07:38.540Z"^^xsd:dateTime .
:tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5
rdf:type stix:Tool;
rdfs:label "ifconfig";
dcterms:created "2017-05-31T21:33:03.377Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ffffed15-5695-44b9-b85b-89ba8187415d
rdf:type stix:Relationship;
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2019-09-24T14:19:05.322Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014) ";
dcterms:modified "2022-01-05T16:34:01.994Z"^^xsd:dateTime .
:relationship--434296ee-6296-4d0a-a72e-bebb914c9700
rdf:type stix:Relationship;
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2022-09-29T20:08:25.503Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022)";
dcterms:modified "2022-10-14T15:23:17.968Z"^^xsd:dateTime .
:relationship--ccb912dd-ed1f-4844-9bc0-75a033fa8813
rdf:type stix:Relationship;
stix:source_ref :malware--73d08401-005f-4e1f-90b9-8f45d120879f;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2022-02-01T21:21:35.872Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ferocious](https://attack.mitre.org/software/S0679) can delete files from a compromised host.(Citation: Kaspersky WIRTE November 2021)";
dcterms:modified "2022-02-01T21:21:35.872Z"^^xsd:dateTime .
:relationship--09673a33-d15e-460a-8980-55c67ee2bb19
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c5b81590-6814-4d2a-8baa-15c4b6c7f960;
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f;
dcterms:created "2021-10-17T15:10:00.720Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tonto Team](https://attack.mitre.org/groups/G0131) has used tools such as [NBTscan](https://attack.mitre.org/software/S0590) to enumerate network shares.(Citation: TrendMicro Tonto Team October 2020)";
dcterms:modified "2021-10-17T15:10:00.720Z"^^xsd:dateTime .
:relationship--6b50cc7f-4284-4b29-bb70-e4184dd52691
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--2cd950a6-16c4-404a-aa01-044322395107;
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4;
dcterms:created "2020-03-27T21:12:27.996Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--dc4bc74b-cd60-4853-a436-8d5e34b01564
rdf:type stix:Relationship;
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77;
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.(Citation: Unit 42 QUADAGENT July 2018)";
dcterms:modified "2020-03-17T02:18:35.328Z"^^xsd:dateTime .
:relationship--7a938acf-f072-42ba-8b5f-16e78ebea7f7
rdf:type stix:Relationship;
stix:source_ref :tool--1b3b8f96-43b1-4460-8e02-1f53d7802fb9;
stix:target_ref :attack-pattern--866d0d6d-02c6-42bd-aa2f-02907fdc0969;
dcterms:created "2023-09-28T13:32:25.330Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pacu](https://attack.mitre.org/software/S1091) can collect CloudTrail event histories and CloudWatch logs.(Citation: GitHub Pacu)";
dcterms:modified "2023-10-13T16:33:16.964Z"^^xsd:dateTime .
:relationship--1569b958-8b61-42bc-8171-91a068d7fe1a
rdf:type stix:Relationship;
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc;
stix:target_ref :attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337;
dcterms:created "2020-10-20T15:42:48.371Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--34c6a059-9496-4f1e-9331-c1986e62b6a1
rdf:type stix:Relationship;
stix:source_ref :malware--6de9cad1-eed2-4e27-b0b5-39fa29349ea0;
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0;
dcterms:created "2021-06-03T19:52:01.089Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DEATHRANSOM](https://attack.mitre.org/software/S0616) can use public and private key pair encryption to encrypt files for ransom payment.(Citation: FireEye FiveHands April 2021)";
dcterms:modified "2021-06-03T19:52:01.089Z"^^xsd:dateTime .
:relationship--2bfc128f-2bc9-436b-abe0-4206b9e35727
rdf:type stix:Relationship;
stix:source_ref :malware--6c2550d5-a01a-4bbb-a004-6ead348ba623;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-09-07T15:24:47.885Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Peppy](https://attack.mitre.org/software/S0643) can download and execute remote files.(Citation: Proofpoint Operation Transparent Tribe March 2016)";
dcterms:modified "2021-10-15T14:37:10.022Z"^^xsd:dateTime .
:relationship--911beb36-2a36-4c26-9e0d-bea35f6497b6
rdf:type stix:Relationship;
stix:source_ref :malware--91c57ed3-7c32-4c68-b388-7db00cb8dac6;
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830;
dcterms:created "2023-09-27T20:25:38.772Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NightClub](https://attack.mitre.org/software/S1090) can use `GetForegroundWindow` to enumerate the active window.(Citation: MoustachedBouncer ESET August 2023)";
dcterms:modified "2023-09-27T20:25:38.772Z"^^xsd:dateTime .
:relationship--60dd06c7-788f-45e7-8845-3bb1cb4f2c17
rdf:type stix:Relationship;
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-06-09T19:45:24.757Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has relied upon users to execute a malicious attachment delivered via spearphishing.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T19:56:08.618Z"^^xsd:dateTime .
:relationship--5d972f64-4c81-43ce-ba08-2c791bd78287
rdf:type stix:Relationship;
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c;
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9;
dcterms:created "2020-11-16T20:48:01.885Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) has established persistence by creating the following scheduled task <code>schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe /F</code>.(Citation: Unit 42 Lucifer June 2020)";
dcterms:modified "2020-11-20T18:19:44.010Z"^^xsd:dateTime .
:relationship--06219288-2833-4a8e-b8bc-10a834e3af7f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3;
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377;
dcterms:created "2022-06-14T14:04:15.062Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021)";
dcterms:modified "2023-03-22T04:44:21.382Z"^^xsd:dateTime .
:relationship--88e52860-d4cc-485a-b23f-ad2cda301727
rdf:type stix:Relationship;
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2023-02-14T18:43:07.753Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`.(Citation: MalwareBytes WoodyRAT Aug 2022) ";
dcterms:modified "2023-02-23T21:06:52.989Z"^^xsd:dateTime .
:relationship--419392f5-e6a8-4eee-b7c2-f0bac5cce833
rdf:type stix:Relationship;
stix:source_ref :tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) can download additional files and tools.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)";
dcterms:modified "2022-04-06T19:39:45.963Z"^^xsd:dateTime .
:relationship--cd6d8071-bcca-45ee-a477-3547d23d7758
rdf:type stix:Relationship;
stix:source_ref :malware--fde19a18-e502-467f-be14-58c71b4e7f4b;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2021-12-27T19:19:42.880Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)";
dcterms:modified "2022-04-07T16:29:12.087Z"^^xsd:dateTime .
:relationship--1a5f8d73-a9c4-40db-9cd5-7f8a7aea19d7
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156;
dcterms:created "2021-10-06T20:34:42.509Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Restrict granting of permissions related to listing objects in cloud storage to necessary accounts.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--c75ec383-2acd-479f-b9b7-b2038ec10a7d
rdf:type stix:Relationship;
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2019-01-30T14:11:44.111Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c64f3e5f-6be9-45ec-8669-5b79c479030d
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96;
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945;
dcterms:created "2022-03-30T14:26:51.845Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.\n\n<h4>Analytic 1 - DLL Injection with Mavinject </h4>\n<code>mavinject_processes = filter processes where (\n exe = \"C:\\\\Windows\\\\SysWOW64\\\\mavinject.exe\" OR Image=\"C:\\\\Windows\\\\System32\\\\mavinject.exe\" OR command_line = \"*/INJECTRUNNING*\"</code>";
dcterms:modified "2023-08-11T21:32:05.140Z"^^xsd:dateTime .
:relationship--a6ad0908-e975-47d7-9c82-c4dfa9e16c3b
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5;
dcterms:created "2022-03-30T14:26:51.840Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for changes to files associated with system-level processes.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--8d512a95-702d-4670-ab33-069552494102
rdf:type stix:Relationship;
stix:source_ref :tool--066b057c-944e-4cfc-b654-e3dfba04b926;
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670;
dcterms:created "2020-11-20T13:41:44.619Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BloodHound](https://attack.mitre.org/software/S0521) can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.(Citation: GitHub Bloodhound)";
dcterms:modified "2020-11-24T20:07:19.348Z"^^xsd:dateTime .
:relationship--da2585bf-f31d-42c9-b488-e6cbab7bcd42
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3;
stix:target_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24;
dcterms:created "2021-03-05T18:54:56.759Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Malwarebytes Higaisa 2020)";
dcterms:modified "2021-03-05T18:54:56.759Z"^^xsd:dateTime .
:relationship--84baf5e0-516f-47c2-a927-47e524959831
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a;
stix:target_ref :attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166;
dcterms:created "2022-03-30T14:26:51.857Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--e7b10c00-0860-4592-a72c-e14e993e972b
rdf:type stix:Relationship;
stix:source_ref :malware--20945359-3b39-4542-85ef-08ecb4e1c174;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2020-07-27T16:04:39.467Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[StrongPity](https://attack.mitre.org/software/S0491) can install a service to execute itself as a service.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)";
dcterms:modified "2020-07-28T17:25:25.651Z"^^xsd:dateTime .
:relationship--d2260326-b220-46e4-ba11-3f14ec89f45f
rdf:type stix:Relationship;
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a;
stix:target_ref :attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617;
dcterms:created "2022-01-10T19:52:49.150Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) has used the <code>csc.exe</code> tool to compile a C# executable.(Citation: Prevailion DarkWatchman 2021) ";
dcterms:modified "2022-01-11T16:03:18.985Z"^^xsd:dateTime .
:relationship--768dd2dd-8840-45e3-ad15-c30512a35c05
rdf:type stix:Relationship;
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0;
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5;
dcterms:created "2022-07-25T18:32:06.486Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) can use rundll32.exe to gain execution.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-25T18:32:06.486Z"^^xsd:dateTime .
:relationship--759ce6e8-da01-4cd6-9d03-9b0a1edde9be
rdf:type stix:Relationship;
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-11-29T19:16:55.904Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) has the ability to download files to a compromised host.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)";
dcterms:modified "2023-03-29T15:40:55.939Z"^^xsd:dateTime .
:relationship--394d53b3-da1c-44b4-8abf-e1092f34c8be
rdf:type stix:Relationship;
stix:source_ref :malware--1d1fce2f-0db5-402b-9843-4278a0694637;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GravityRAT](https://attack.mitre.org/software/S0237) supports file encryption (AES with the key \"lolomycin2017\").(Citation: Talos GravityRAT)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--0ecbbfa3-6b81-4cf7-9033-373ebbc2832f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e;
stix:target_ref :attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade;
dcterms:created "2021-01-29T19:16:42.231Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sidewinder](https://attack.mitre.org/groups/G0121) has used <code>mshta.exe</code> to execute malicious payloads.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)";
dcterms:modified "2021-07-21T12:24:09.229Z"^^xsd:dateTime .
:relationship--2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8
rdf:type stix:Relationship;
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472;
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing remote command execution.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6592447f-31c8-46d0-8e88-47584fa301f0
rdf:type stix:Relationship;
stix:source_ref :malware--9ca488bd-9587-48ef-b923-1743523e63b2;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SOUNDBITE](https://attack.mitre.org/software/S0157) is capable of modifying the Registry.(Citation: FireEye APT32 May 2017)";
dcterms:modified "2020-03-17T02:38:07.464Z"^^xsd:dateTime .
:relationship--eacb7614-6cc9-4eb9-92fc-bba53ac4f59a
rdf:type stix:Relationship;
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c;
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88;
dcterms:created "2020-11-16T20:20:30.532Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) can scan for open ports including TCP ports 135 and 1433.(Citation: Unit 42 Lucifer June 2020)";
dcterms:modified "2020-11-16T20:20:30.532Z"^^xsd:dateTime .
:relationship--1567eaca-2b2e-44df-b447-87769738e00a
rdf:type stix:Relationship;
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2020-05-18T19:37:52.331Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) has the ability to identify the username on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)";
dcterms:modified "2020-05-18T19:37:52.331Z"^^xsd:dateTime .
:relationship--a18968c2-e639-40fa-9751-1a5ab666bfde
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953;
stix:target_ref :attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec;
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Track the deployment of new containers, especially from newly built images.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c
rdf:type d3f:OffensiveTechnique;
rdfs:label "Credentials in Files";
dcterms:created "2017-05-31T21:31:02.188Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)\n\n";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--f98a3b2b-d1ea-4207-8352-6470b36740ff
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b;
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755;
dcterms:created "2021-01-22T18:24:05.171Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--74480cd6-1f2e-4c2d-a1ad-82cc50d63d14
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6;
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9;
dcterms:created "2023-02-23T18:08:10.953Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has lured victims into clicking malicious Dropbox download links delivered through spearphishing.(Citation: Kaspersky LuminousMoth July 2021)";
dcterms:modified "2023-02-23T18:08:10.953Z"^^xsd:dateTime .
:relationship--863c1d57-db93-49a9-a953-eb7c2d6b2e5b
rdf:type stix:Relationship;
stix:source_ref :malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1;
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Felismus](https://attack.mitre.org/software/S0171) checks for processes associated with anti-virus vendors.(Citation: Forcepoint Felismus Mar 2017)";
dcterms:modified "2020-03-17T01:16:15.825Z"^^xsd:dateTime .
:relationship--80e484a4-e5b5-4de1-81c7-2bd1a927d156
rdf:type stix:Relationship;
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2020-06-26T16:17:18.161Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name.(Citation: Cybereason Cobalt Kitty 2017)";
dcterms:modified "2020-06-29T21:37:56.012Z"^^xsd:dateTime .
:relationship--9b56f86f-656f-4e18-9557-84638de34f10
rdf:type stix:Relationship;
stix:source_ref :campaign--c89fa3ff-4773-4daf-8aec-d8f43f10116e;
stix:target_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4;
dcterms:created "2023-05-19T20:37:04.605Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors used [QUIETCANARY](https://attack.mitre.org/software/S1076) to gather and exfiltrate data. (Citation: Mandiant Suspected Turla Campaign February 2023)";
dcterms:modified "2023-05-19T20:37:04.605Z"^^xsd:dateTime .
:relationship--5206976b-ac4d-4286-a954-4b1ef5c20adc
rdf:type stix:Relationship;
stix:source_ref :malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Shamoon](https://attack.mitre.org/software/S0140) obtains the target's IP address and local network segment.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)";
dcterms:modified "2020-05-29T18:11:23.866Z"^^xsd:dateTime .
:relationship--e20b57e5-c010-4b9e-a04e-660daa8b5c87
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sowbug](https://attack.mitre.org/groups/G0054) obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ce8eb6bf-11cc-4d9f-a81a-57bd1422efb1
rdf:type stix:Relationship;
stix:source_ref :malware--8bdfe255-e658-4ddd-a11c-b854762e451d;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2020-11-08T23:26:13.891Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KGH_SPY](https://attack.mitre.org/software/S0526) can execute PowerShell commands on the victim's machine.(Citation: Cybereason Kimsuky November 2020)";
dcterms:modified "2020-11-08T23:26:13.891Z"^^xsd:dateTime .
:relationship--9494b0d8-26d9-48ae-8dd1-c9d8966b23a0
rdf:type stix:Relationship;
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2019-01-29T17:59:44.401Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) collects the current system time (UTC) and sends it back to the C2 server.(Citation: GDATA Zeus Panda June 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--67e631d1-439f-4630-9662-8ea74ab10234
rdf:type stix:Relationship;
stix:source_ref :tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2023-02-09T19:00:00.555Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Brute Ratel C4](https://attack.mitre.org/software/S1063) has used a payload file named OneDrive.update to appear benign.(Citation: Palo Alto Brute Ratel July 2022)";
dcterms:modified "2023-02-09T19:00:00.555Z"^^xsd:dateTime .
:relationship--85be49ac-785e-48af-8d0e-4b74818428fc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2019-05-24T17:57:36.723Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Silence](https://attack.mitre.org/groups/G0091) has used [Winexe](https://attack.mitre.org/software/S0191) to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)";
dcterms:modified "2020-05-06T03:12:02.433Z"^^xsd:dateTime .
:relationship--34a45578-1deb-4c58-8719-9c04f4fa7dfc
rdf:type stix:Relationship;
stix:source_ref :malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3;
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
dcterms:created "2021-08-23T19:38:33.322Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop anti-malware solutions.(Citation: Arxiv Avaddon Feb 2021)";
dcterms:modified "2021-08-23T19:38:33.323Z"^^xsd:dateTime .
:relationship--a9a0ecce-239c-4666-94e9-ef1fb64cf796
rdf:type stix:Relationship;
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2019-01-29T17:59:44.529Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) modifies several Registry keys under <code>HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\</code> to disable phishing filters.(Citation: GDATA Zeus Panda June 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6a779cbf-ef5c-4018-a91f-10889b2068b0
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad;
dcterms:created "2022-09-09T15:57:19.550Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has added the Registry key `HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-09-09T15:57:19.550Z"^^xsd:dateTime .
:relationship--0dfdfffc-2d1b-487f-91e0-66d81b185367
rdf:type stix:Relationship;
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa;
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830;
dcterms:created "2020-05-06T21:01:23.245Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Attor](https://attack.mitre.org/software/S0438) can obtain application window titles and then determines which windows to perform Screen Capture on.(Citation: ESET Attor Oct 2019)";
dcterms:modified "2020-05-06T21:01:23.245Z"^^xsd:dateTime .
:attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0
rdf:type d3f:OffensiveTechnique;
rdfs:label "Extra Window Memory Injection";
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may take place in the address space of a separate live process. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. (Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--23b5fd51-bb47-4811-8a38-c768c8fa6b0e
rdf:type stix:Relationship;
stix:source_ref :malware--44c75271-0e4d-496f-ae0a-a6d883a42a65;
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5;
dcterms:created "2020-05-05T15:26:30.438Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Rifdoor](https://attack.mitre.org/software/S0433) has added four additional bytes of data upon launching, then saved the changed version as <code>C:\\ProgramData\\Initech\\Initech.exe</code>.(Citation: Carbon Black HotCroissant April 2020)";
dcterms:modified "2020-05-05T21:17:34.608Z"^^xsd:dateTime .
:relationship--c85af3d4-ab10-4c49-91c4-bff9054096b8
rdf:type stix:Relationship;
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2021-03-19T16:26:04.440Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) obtains a list of running processes using the function <code>kill_unwanted</code>.(Citation: wardle evilquest parti)";
dcterms:modified "2021-04-26T20:02:14.282Z"^^xsd:dateTime .
:relationship--fc6b1d58-05bf-41a0-a7fd-fcbbae894430
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1;
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71;
dcterms:created "2021-12-07T15:14:11.866Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: US-CERT TA18-074A)";
dcterms:modified "2021-12-07T15:14:11.866Z"^^xsd:dateTime .
:relationship--287c3024-f58d-4fab-87a7-54d4b52f5a5c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa;
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5;
dcterms:created "2022-07-14T20:13:55.682Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has spread malware in target networks by copying modules to folders masquerading as removable devices.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-14T20:16:24.548Z"^^xsd:dateTime .
:attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf
rdf:type d3f:OffensiveTechnique;
rdfs:label "Screensaver";
dcterms:created "2020-01-24T13:51:01.210Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n* <code>SCRNSAVE.exe</code> - set to malicious PE path\n* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n* <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n* <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)";
dcterms:modified "2023-07-28T18:17:34.185Z"^^xsd:dateTime .
:relationship--bab689ff-c89e-452f-bca6-a01078ae406e
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79;
stix:target_ref :attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35;
dcterms:created "2020-01-24T17:07:20.018Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--0ac55ad4-0f16-416e-bf88-67ee1aad85ab
rdf:type stix:Relationship;
stix:source_ref :course-of-action--ec418d1b-4963-439f-b055-f914737ef362;
stix:target_ref :attack-pattern--f792d02f-813d-402b-86a5-ab98cb391d3b;
dcterms:created "2017-05-31T21:33:27.030Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--68d151ea-6dd8-4e6b-acd5-c998ebffc357
rdf:type stix:Relationship;
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2019-09-24T14:19:05.143Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) has a command, ps, to obtain a listing of processes on the system.(Citation: Talos ZxShell Oct 2014) ";
dcterms:modified "2022-01-05T16:34:01.884Z"^^xsd:dateTime .
:relationship--801f139f-1361-4d79-965e-078787f8ec36
rdf:type stix:Relationship;
stix:source_ref :malware--f5352566-1a64-49ac-8f7f-97e1d1a03300;
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AutoIt backdoor](https://attack.mitre.org/software/S0129) has sent a C2 response that was base64-encoded.(Citation: Forcepoint Monsoon)";
dcterms:modified "2020-03-20T18:03:40.138Z"^^xsd:dateTime .
:relationship--c0b07b4a-d421-4faa-8564-4cc89668afac
rdf:type stix:Relationship;
stix:source_ref :course-of-action--bd2554b8-634f-4434-a986-9b49c29da2ae;
stix:target_ref :attack-pattern--241814ae-de3f-4656-b49e-f9a80764d4b7;
dcterms:created "2017-05-31T21:33:27.023Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--191aac5f-38bc-429b-8343-32eb17fa4919
rdf:type stix:Relationship;
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2022-09-07T19:17:14.632Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to obtain the compromised machine's name.(Citation: Talos Frankenstein June 2019)";
dcterms:modified "2022-09-21T14:38:13.835Z"^^xsd:dateTime .
:relationship--dda9f6bb-eb66-422b-aa58-fede809b6a6a
rdf:type stix:Relationship;
stix:source_ref :malware--754effde-613c-4244-a83e-fb659b2a4d06;
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4;
dcterms:created "2020-05-27T22:05:32.062Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec and certutil to retrieve the [Netwalker](https://attack.mitre.org/software/S0457) payload.(Citation: Sophos Netwalker May 2020)";
dcterms:modified "2020-05-27T22:05:32.062Z"^^xsd:dateTime .
:tool--842976c7-f9c8-41b2-8371-41dc64fbe261
rdf:type stix:Tool;
rdfs:label "ConnectWise";
dcterms:created "2021-03-18T13:39:27.676Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)";
dcterms:modified "2023-04-13T13:09:38.786Z"^^xsd:dateTime .
:relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5
rdf:type stix:Relationship;
stix:source_ref :malware--579607c2-d046-40df-99ab-beb479c37a2a;
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0;
dcterms:created "2021-12-01T18:49:06.980Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chrommme](https://attack.mitre.org/software/S0667) can enumerate the IP address of a compromised host.(Citation: ESET Gelsemium June 2021)";
dcterms:modified "2021-12-01T18:49:06.980Z"^^xsd:dateTime .
:relationship--082b64f6-cc70-4bc8-a49f-bf0f125883f7
rdf:type stix:Relationship;
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2;
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58;
dcterms:created "2020-10-21T17:01:35.599Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the compromised system for banking applications.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)";
dcterms:modified "2021-09-27T19:32:34.723Z"^^xsd:dateTime .
:relationship--ae1592ae-15a3-45e3-a509-4fe9be3f9ed9
rdf:type stix:Relationship;
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b;
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab;
dcterms:created "2023-03-17T15:01:40.524Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used `regsvr32` to execute malware.(Citation: ESET Lazarus Jun 2020)";
dcterms:modified "2023-04-13T21:26:07.943Z"^^xsd:dateTime .
:relationship--da759124-8047-4b58-b7d4-fa9300cb4ce1
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4;
dcterms:created "2021-01-13T21:54:29.651Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)";
dcterms:modified "2021-04-19T21:12:35.769Z"^^xsd:dateTime .
:relationship--70dc4dfe-c859-4665-88d7-ff724d88380b
rdf:type stix:Relationship;
stix:source_ref :malware--92b03a94-7147-4952-9d5a-b4d24da7487c;
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979;
dcterms:created "2022-10-13T17:19:04.454Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SDBbot](https://attack.mitre.org/software/S0461) can collected the country code of a compromised machine.(Citation: Korean FSI TA505 2020)";
dcterms:modified "2022-10-13T17:19:04.454Z"^^xsd:dateTime .
:relationship--907df22e-fdfe-4b93-8b18-ebf66f83868c
rdf:type stix:Relationship;
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131;
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[S-Type](https://attack.mitre.org/software/S0085) may create the file <code>%HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk</code>, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-09-30T20:36:11.388Z"^^xsd:dateTime .
:relationship--32bebd4b-6bbe-4a4e-86a1-0c49fda51259
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2020-05-20T19:05:37.549Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)";
dcterms:modified "2020-05-21T16:39:27.634Z"^^xsd:dateTime .
:relationship--39670e5f-214a-48b0-81df-01c1f5030cd7
rdf:type stix:Relationship;
stix:source_ref :course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b;
stix:target_ref :attack-pattern--bf147104-abf9-4221-95d1-e81585859441;
dcterms:created "2019-11-07T20:09:56.969Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)";
dcterms:modified "2021-08-16T21:30:02.054Z"^^xsd:dateTime .
:relationship--a49fc7fd-5af0-4a2f-a2bb-f1d153e6b66d
rdf:type stix:Relationship;
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b;
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979;
dcterms:created "2022-06-09T19:12:36.907Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )";
dcterms:modified "2022-06-09T20:48:17.510Z"^^xsd:dateTime .
:relationship--beeaf89d-cbd4-49fd-a18a-a430e3ad8c36
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953;
stix:target_ref :attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9;
dcterms:created "2022-03-30T14:26:51.868Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--69513daf-2acd-4b04-a7be-9f31174a2ae9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf;
stix:target_ref :attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64;
dcterms:created "2020-06-16T17:53:18.768Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware can insert malicious macros into documents using a <code>Microsoft.Office.Interop</code> object.(Citation: ESET Gamaredon June 2020)\t";
dcterms:modified "2020-06-22T18:27:32.047Z"^^xsd:dateTime .
:relationship--0c2ba74b-a5b0-493c-84f3-41b6131070a0
rdf:type stix:Relationship;
stix:source_ref :course-of-action--95c29444-49f9-49f7-8b20-bcd68d8fcaa6;
stix:target_ref :attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
rdf:type d3f:OffensiveTechnique;
rdfs:label "Stored Data Manipulation";
dcterms:created "2020-03-02T14:22:24.410Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--1cf57140-fe45-4c26-8946-071252ae8276
rdf:type stix:Relationship;
stix:source_ref :malware--0efefea5-78da-4022-92bc-d726139e8883;
stix:target_ref :attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c;
dcterms:created "2019-03-04T17:12:37.776Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Linux Rabbit](https://attack.mitre.org/software/S0362) brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. (Citation: Anomali Linux Rabbit 2018)";
dcterms:modified "2020-03-11T18:48:12.899Z"^^xsd:dateTime .
:attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5
rdf:type d3f:OffensiveTechnique;
rdfs:label "Server";
dcterms:created "2020-10-01T00:56:25.135Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.";
dcterms:modified "2023-04-13T00:00:25.676Z"^^xsd:dateTime .
:relationship--1c677f35-b73b-47bc-b162-1fd036a38def
rdf:type stix:Relationship;
stix:source_ref :malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PowerDuke](https://attack.mitre.org/software/S0139) uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--a80b33dc-0fe2-4b0d-a815-51a036fa410f
rdf:type stix:Relationship;
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db;
stix:target_ref :attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf;
dcterms:created "2019-10-07T17:47:39.651Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit or restrict program execution using anti-virus software. On MacOS, whitelist programs that are allowed to have the plist tag. All other programs should be considered suspicious.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--13ac3b6b-d008-44fa-88c3-53d0927961d2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2019-07-08T15:24:24.654Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)\t";
dcterms:modified "2020-03-19T17:37:34.240Z"^^xsd:dateTime .
:relationship--4ebeacbf-4f30-4f32-86dc-54d932ea7c46
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72;
stix:target_ref :attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6;
dcterms:created "2020-03-15T16:27:38.223Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--4372bc1b-e764-4208-a250-bd7d1669f0c5
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a;
stix:target_ref :attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b;
dcterms:created "2022-03-30T14:26:51.861Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--62359eba-e21f-46f1-9fb2-a3ec9d52acb3
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6;
stix:target_ref :attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da;
dcterms:created "2022-03-30T14:26:51.851Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data. Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018)";
dcterms:modified "2022-03-30T14:26:51.851Z"^^xsd:dateTime .
:relationship--e342f3ae-10f0-4740-937b-5cead8204d78
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a;
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. ";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--35a9c64c-c305-46bf-a216-c8bb1b051614
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6;
stix:target_ref :malware--da5880b4-f7da-4869-85f2-e0aba84b8565;
dcterms:created "2017-05-31T21:33:27.046Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Symantec Waterbug)(Citation: Unit 42 IronNetInjector February 2021 )(Citation: Secureworks IRON HUNTER Profile)";
dcterms:modified "2022-05-20T17:02:59.591Z"^^xsd:dateTime .
:relationship--08692b08-78e8-4f04-82a0-e4efe009dba4
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--99910207-1741-4da1-9b5d-537410186b51;
stix:target_ref :attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00;
dcterms:created "2021-12-02T14:15:49.946Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gelsemium](https://attack.mitre.org/groups/G0141) has compromised software supply chains to gain access to victims.(Citation: ESET Gelsemium June 2021)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--f56f129e-0a30-4be0-bc4b-5942a479e0f9
rdf:type stix:Relationship;
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-07-25T18:20:36.684Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) has been spread through malicious document lures.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-25T18:20:36.684Z"^^xsd:dateTime .
:relationship--2f337593-16b2-40a2-928c-c7659d0326ea
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa;
stix:target_ref :attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4;
dcterms:created "2022-10-11T16:03:53.721Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-10-11T16:03:53.721Z"^^xsd:dateTime .
:relationship--70b27780-b19a-4313-88ea-1038ce0fc386
rdf:type stix:Relationship;
stix:source_ref :malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2021-02-09T14:35:39.641Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Bad Rabbit](https://attack.mitre.org/software/S0606) can enumerate all running processes to compare hashes.(Citation: Secure List Bad Rabbit)";
dcterms:modified "2021-05-04T19:28:12.850Z"^^xsd:dateTime .
:relationship--438f9fb0-bf82-4c72-8fdf-0dbc39bcf4fc
rdf:type stix:Relationship;
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2021-03-19T16:26:04.418Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) uses the <code>CGEventTap</code> functions to perform keylogging.(Citation: Trendmicro Evolving ThiefQuest 2020)";
dcterms:modified "2021-04-26T20:02:14.275Z"^^xsd:dateTime .
:relationship--f3bbff8f-5f4b-40aa-a55f-e3880a582868
rdf:type stix:Relationship;
stix:source_ref :malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KOMPROGO](https://attack.mitre.org/software/S0156) is capable of creating a reverse shell.(Citation: FireEye APT32 May 2017)";
dcterms:modified "2020-03-20T02:12:29.707Z"^^xsd:dateTime .
:relationship--a6a4bbf3-7a2e-46ae-877a-614bf9f81644
rdf:type stix:Relationship;
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0;
stix:target_ref :attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade;
dcterms:created "2021-03-12T16:55:09.334Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)";
dcterms:modified "2021-04-25T21:45:21.223Z"^^xsd:dateTime .
:attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0
rdf:type d3f:OffensiveTechnique;
rdfs:label "Virtual Private Server";
dcterms:created "2020-10-01T00:55:17.771Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--11178fb7-27d1-4ad2-b912-113741647377
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba;
stix:target_ref :attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49;
dcterms:created "2022-03-30T14:26:51.837Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed network connections that are sent or received by untrusted hosts, such as Sysmon Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--9d62760d-5678-4ebf-9a19-aa9de5d9728c
rdf:type stix:Relationship;
stix:source_ref :course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f;
stix:target_ref :attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436;
dcterms:created "2021-03-31T14:01:52.505Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)";
dcterms:modified "2023-04-15T16:13:07.227Z"^^xsd:dateTime .
:relationship--ac603ee0-cb62-4ad5-852a-29b70b225c5f
rdf:type stix:Relationship;
stix:source_ref :tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66;
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd;
dcterms:created "2022-03-26T03:47:59.075Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mythic](https://attack.mitre.org/software/S0699) supports custom chunk sizes used to upload/download files.(Citation: Mythc Documentation)\t";
dcterms:modified "2022-03-26T03:47:59.075Z"^^xsd:dateTime .
:marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
rdf:type stix:MarkingDefinition;
dcterms:created "2017-06-01T00:00:00.000Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 .
:relationship--0f43dcda-56ff-4ac2-b79a-82b09a90944f
rdf:type stix:Relationship;
stix:source_ref :tool--1244e058-fa10-48cb-b484-0bcf671107ae;
stix:target_ref :attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e;
dcterms:created "2022-03-24T19:39:24.717Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SILENTTRINITY](https://attack.mitre.org/software/S0692) has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019) ";
dcterms:modified "2022-03-24T19:39:24.717Z"^^xsd:dateTime .
:relationship--4612c0bd-f6f7-4c71-92dd-9f26ff1c3eef
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172;
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Thrip](https://attack.mitre.org/groups/G0076) has used WinSCP to exfiltrate data from a targeted organization over FTP.(Citation: Symantec Thrip June 2018)";
dcterms:modified "2020-03-16T18:05:41.507Z"^^xsd:dateTime .
:relationship--f2ac3f65-68d3-45d2-8aab-b2bd57036fa8
rdf:type stix:Relationship;
stix:source_ref :malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8;
stix:target_ref :attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580;
dcterms:created "2020-12-14T21:59:38.674Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020) ";
dcterms:modified "2020-12-14T21:59:38.674Z"^^xsd:dateTime .
:relationship--1c25229d-c0f5-4ad6-a403-874d59df73fe
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1;
stix:target_ref :attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5;
dcterms:created "2022-03-30T14:26:51.875Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor library load events, especially unusual creation of these binary files followed by loading into processes. Look for libraries that are not recognized or not normally loaded into a process.";
dcterms:modified "2022-07-07T17:08:56.737Z"^^xsd:dateTime .
:relationship--79412658-c213-4746-b03d-c828957d6ddb
rdf:type stix:Relationship;
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448;
stix:target_ref :attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196;
dcterms:created "2020-02-04T19:13:24.913Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.(Citation: create_sym_links)";
dcterms:modified "2022-10-19T17:48:05.763Z"^^xsd:dateTime .
:relationship--9d42a47f-ccdc-42f0-9551-11bf5e2a9616
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2019-05-02T00:08:18.466Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[The White Company](https://attack.mitre.org/groups/G0089) has the ability to delete its malware entirely from the target system.(Citation: Cylance Shaheen Nov 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--767ce5fe-06f5-4efc-aa41-129fad867c65
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2022-07-14T19:35:43.771Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)";
dcterms:modified "2022-07-14T19:35:43.771Z"^^xsd:dateTime .
:relationship--aac15fc0-a17b-4295-bf46-b18569bc2c4f
rdf:type stix:Relationship;
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2;
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d;
dcterms:created "2021-01-08T21:16:36.990Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) can copy itself to and launch itself from hidden folders.(Citation: Red Canary NETWIRE January 2020)";
dcterms:modified "2021-01-08T21:16:36.990Z"^^xsd:dateTime .
:relationship--91ec91fa-f468-47fa-a931-aeb9b4f74ba3
rdf:type stix:Relationship;
stix:source_ref :malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2020-08-06T13:39:24.240Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[REvil](https://attack.mitre.org/software/S0496) has infected victim machines through compromised websites and exploit kits.(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks GandCrab and REvil September 2019)";
dcterms:modified "2020-08-06T13:39:24.240Z"^^xsd:dateTime .
:relationship--d1f44e84-61cb-4a96-add8-d37a38369e43
rdf:type stix:Relationship;
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) collects a list of install programs and services on the system’s machine.(Citation: S2 Grupo TrickBot June 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--53f5aaf3-b4de-4e31-bf50-a297bb8b61ca
rdf:type stix:Relationship;
stix:source_ref :malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2;
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0;
dcterms:created "2021-09-07T14:30:30.832Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Crimson](https://attack.mitre.org/software/S0115) can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)";
dcterms:modified "2021-10-15T14:37:09.933Z"^^xsd:dateTime .
:relationship--a6bb9c7f-3e1c-429a-a81d-0d446f4abe9a
rdf:type stix:Relationship;
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2022-01-11T14:58:01.963Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) has the ability to self-extract as a RAR archive.(Citation: Prevailion DarkWatchman 2021)";
dcterms:modified "2022-04-17T19:32:44.438Z"^^xsd:dateTime .
:relationship--d07f2da6-6497-414f-96c1-9dd60155b169
rdf:type stix:Relationship;
stix:source_ref :malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8;
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OSInfo](https://attack.mitre.org/software/S0165) discovers shares on the network(Citation: Symantec Buckeye)";
dcterms:modified "2020-03-18T20:19:35.787Z"^^xsd:dateTime .
:relationship--406afc1a-4ea7-45c5-b137-7784f9ed53f3
rdf:type stix:Relationship;
stix:source_ref :malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2;
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b;
dcterms:created "2020-03-17T01:57:57.302Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[NETEAGLE](https://attack.mitre.org/software/S0034) can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.(Citation: FireEye APT30)";
dcterms:modified "2020-03-27T22:10:19.833Z"^^xsd:dateTime .
:relationship--552215a4-9761-4dce-8a59-83cd81ca43a8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2020-05-27T15:31:09.471Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)";
dcterms:modified "2020-06-25T13:59:09.803Z"^^xsd:dateTime .
:relationship--9d7577f9-2003-4cbc-b7cb-58f2dc20714c
rdf:type stix:Relationship;
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44;
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34;
dcterms:created "2021-11-16T15:32:34.259Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021)";
dcterms:modified "2022-04-16T01:37:21.677Z"^^xsd:dateTime .
:relationship--f1df1a1e-2b64-4308-8f0c-f22221946677
rdf:type stix:Relationship;
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db;
stix:target_ref :attack-pattern--f792d02f-813d-402b-86a5-ab98cb391d3b;
dcterms:created "2019-06-25T13:59:33.502Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--05c94aaf-1db8-40ce-9ec2-8628f8e17e20
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3;
stix:target_ref :attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2;
dcterms:created "2022-03-30T14:26:51.867Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.(Citation: Sygnia Golden SAML)";
dcterms:modified "2022-04-14T20:00:36.648Z"^^xsd:dateTime .
:relationship--a19231c9-e6b4-4d3f-9c9d-f4e85cba5e3a
rdf:type stix:Relationship;
stix:source_ref :malware--f74a5069-015d-4404-83ad-5ca01056c0dc;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2022-04-05T19:54:50.810Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021)";
dcterms:modified "2022-04-05T19:54:50.810Z"^^xsd:dateTime .
:relationship--ba2b3c40-f9d2-4663-a5bd-3bb158553572
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03;
stix:target_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3;
dcterms:created "2021-11-24T21:30:58.058Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: MalwareBytes LazyScripter Feb 2021)";
dcterms:modified "2021-11-24T21:30:58.058Z"^^xsd:dateTime .
:relationship--2f1588c1-16b9-4cb2-b94c-1756829183ae
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc;
stix:target_ref :attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b;
dcterms:created "2021-09-23T13:09:35.868Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN7](https://attack.mitre.org/groups/G0046) has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021)";
dcterms:modified "2021-09-23T13:09:35.868Z"^^xsd:dateTime .
:relationship--e0c1c9b9-b36e-4157-8dc1-26cd9ae25193
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d;
dcterms:created "2019-09-24T12:31:43.678Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019)";
dcterms:modified "2023-03-23T15:27:10.550Z"^^xsd:dateTime .
:relationship--ef463100-ac00-44ab-805b-75e4c8886699
rdf:type stix:Relationship;
stix:source_ref :malware--f8774023-8021-4ece-9aca-383ac89d2759;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-01-25T13:58:25.241Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dtrack](https://attack.mitre.org/software/S0567)’s can download and upload a file to the victim’s computer.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)";
dcterms:modified "2021-03-12T21:10:52.969Z"^^xsd:dateTime .
:relationship--b09cad27-7b44-4a57-adf8-dcbcb3cdcb0a
rdf:type stix:Relationship;
stix:source_ref :malware--0852567d-7958-4f4b-8947-4f840ec8d57d;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2019-01-29T18:23:46.141Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[DOGCALL](https://attack.mitre.org/software/S0213) is encrypted using single-byte XOR.(Citation: Unit 42 Nokki Oct 2018)";
dcterms:modified "2020-03-16T16:43:12.126Z"^^xsd:dateTime .
:relationship--553dbb57-1174-494c-9cfd-dbc83ecc74f6
rdf:type stix:Relationship;
stix:source_ref :malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb;
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[USBStealer](https://attack.mitre.org/software/S0136) sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.(Citation: ESET Sednit USBStealer 2014)";
dcterms:modified "2020-03-11T17:45:54.124Z"^^xsd:dateTime .
:relationship--e3fe170d-55c7-4f98-9d39-6ee28403ce87
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4;
stix:target_ref :attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b;
dcterms:created "2020-10-02T16:55:16.136Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a
rdf:type stix:CourseOfAction;
rdfs:label "Credential Dumping Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.";
dcterms:modified "2021-08-23T20:25:19.916Z"^^xsd:dateTime .
:relationship--bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6
rdf:type stix:Relationship;
stix:source_ref :course-of-action--39706d54-0d06-4a25-816a-78cc43455100;
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec;
dcterms:created "2017-05-31T21:33:27.020Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--59c65423-347b-4a09-a24d-c228faaa5119
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a;
stix:target_ref :attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213;
dcterms:created "2020-10-15T12:05:58.908Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9f89d00f-fc0f-4dbb-9b54-3553821bf7ef
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2019-01-30T18:02:59.294Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Night Dragon](https://attack.mitre.org/groups/G0014) has used HTTP for C2.(Citation: McAfee Night Dragon)";
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9764e270-8c29-47c1-90c2-31f7d57a17c6
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497;
dcterms:created "2022-03-30T14:26:51.845Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--4a0ee05d-f020-4811-bba6-56d12c15e275
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2020-03-18T18:01:36.710Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used VBScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)";
dcterms:modified "2022-09-28T19:34:31.102Z"^^xsd:dateTime .
:attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0
rdf:type d3f:OffensiveTechnique;
rdfs:label "Login Hook";
dcterms:created "2020-01-10T16:01:15.995Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) \n\nAdversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) ";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--9267fe42-6290-4342-8024-38d703db4376
rdf:type stix:Relationship;
stix:source_ref :malware--fb261c56-b80e-43a9-8351-c84081e7213d;
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries can direct [BACKSPACE](https://attack.mitre.org/software/S0031) to upload files to the C2 Server.(Citation: FireEye APT30)";
dcterms:modified "2020-03-17T00:19:38.020Z"^^xsd:dateTime .
:relationship--c7c1411a-42c8-4d7e-9b56-0465370759de
rdf:type stix:Relationship;
stix:source_ref :malware--da5880b4-f7da-4869-85f2-e0aba84b8565;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2020-12-11T20:13:44.830Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[ComRAT](https://attack.mitre.org/software/S0126) has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).(Citation: CISA ComRAT Oct 2020) ";
dcterms:modified "2020-12-23T19:34:12.439Z"^^xsd:dateTime .
:relationship--4bd59ceb-eb44-45c0-b775-3eaea3307455
rdf:type stix:Relationship;
stix:source_ref :malware--35ee9bf3-264b-4411-8a8f-b58cec8f35e4;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2022-06-02T13:15:25.600Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[PowerLess](https://attack.mitre.org/software/S1012) can download additional payloads to a compromised host.(Citation: Cybereason PowerLess February 2022)";
dcterms:modified "2022-06-02T19:51:49.818Z"^^xsd:dateTime .
:relationship--4b5948b4-eba5-4af6-93d1-71b109167f62
rdf:type stix:Relationship;
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8;
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a;
dcterms:created "2019-10-08T19:55:33.729Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--bdb0d192-3d82-4e5b-92bc-7ef24fd3e65b
rdf:type stix:Relationship;
stix:source_ref :tool--cb69b20d-56d0-41ab-8440-4a4b251614d4;
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pupy](https://attack.mitre.org/software/S0192) uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.(Citation: GitHub Pupy)";
dcterms:modified "2020-03-18T20:37:22.672Z"^^xsd:dateTime .
:relationship--7d8a984d-676d-47bf-a660-00c43ab49985
rdf:type stix:Relationship;
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650;
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60;
dcterms:created "2023-03-26T22:03:54.870Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Microsoft 365 Defender Solorigate)(Citation: CrowdStrike StellarParticle January 2022)";
dcterms:modified "2023-03-26T22:03:54.870Z"^^xsd:dateTime .
:relationship--02eba953-12a6-434a-bc67-2337864cf560
rdf:type stix:Relationship;
stix:source_ref :malware--c984b414-b766-44c5-814a-2fe96c913c12;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2020-07-16T15:23:48.759Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Kessel](https://attack.mitre.org/software/S0487)'s configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018)";
dcterms:modified "2020-07-16T15:23:48.759Z"^^xsd:dateTime .
:relationship--9f62c4e4-02d4-497b-8039-cc4e816386a5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71;
dcterms:created "2017-05-31T21:33:27.070Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Novetta Blockbuster Loaders)";
dcterms:modified "2019-12-20T14:28:39.536Z"^^xsd:dateTime .
:relationship--0fc8acc1-9751-4578-8f0e-29a8f0ef5cc8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88;
dcterms:created "2019-04-15T20:57:46.690Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) uses UPX to pack their macOS backdoor.";
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime .
:relationship--25527270-616e-4c53-a85a-03fc0b1e9a96
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af;
stix:target_ref :attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317;
dcterms:created "2022-08-19T19:49:03.537Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)";
dcterms:modified "2022-08-19T19:49:03.537Z"^^xsd:dateTime .
:relationship--731d14c6-a141-4e71-ac61-c344636e13d5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) compromised three Japanese websites using a Flash exploit to perform watering hole attacks.(Citation: Symantec Tick Apr 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--91eab726-0a0c-4898-8376-66987fd1037c
rdf:type stix:Relationship;
stix:source_ref :malware--9af05de0-bc09-4511-a350-5eb8b06185c1;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2019-01-29T21:33:34.617Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BadPatch](https://attack.mitre.org/software/S0337) can download and execute or update malware.(Citation: Unit 42 BadPatch Oct 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--14e02371-ba11-459d-9662-188e85d3cf7c
rdf:type stix:Relationship;
stix:source_ref :malware--4e9bdf9a-4957-47f6-87b3-c76898d3f623;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2021-11-12T19:02:16.541Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Diavol](https://attack.mitre.org/software/S0659) can collect the username from a compromised host.(Citation: Fortinet Diavol July 2021)";
dcterms:modified "2022-03-09T17:40:40.609Z"^^xsd:dateTime .
:relationship--164aec0b-1e3e-4e79-b9c3-43d602a1674a
rdf:type stix:Relationship;
stix:source_ref :malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82;
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0;
dcterms:created "2019-06-18T17:20:43.762Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[JCry](https://attack.mitre.org/software/S0389) has encrypted files and demanded Bitcoin to decrypt those files. (Citation: Carbon Black JCry May 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--3a9abcd5-52ba-44f1-96a5-1593f816b9f0
rdf:type stix:Relationship;
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Various implementations of [CHOPSTICK](https://attack.mitre.org/software/S0023) communicate with C2 over HTTP.(Citation: ESET Sednit Part 2)";
dcterms:modified "2020-03-17T00:35:36.650Z"^^xsd:dateTime .
:relationship--2d7d8a67-c32a-4054-9680-6ecae87ded68
rdf:type stix:Relationship;
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc;
stix:target_ref :attack-pattern--df1bc34d-1634-4c93-b89e-8120994fce77;
dcterms:created "2022-07-08T12:46:35.590Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. ";
dcterms:modified "2022-07-08T12:46:35.590Z"^^xsd:dateTime .
:relationship--283ba525-5180-461a-989b-87fc2f896ed7
rdf:type stix:Relationship;
stix:source_ref :malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[KEYMARBLE](https://attack.mitre.org/software/S0271) can execute shell commands using cmd.exe.(Citation: US-CERT KEYMARBLE Aug 2018)";
dcterms:modified "2020-03-20T02:14:26.689Z"^^xsd:dateTime .
:relationship--b69424ec-3af6-44aa-842a-81fba219b9f4
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383;
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082;
dcterms:created "2017-05-31T21:33:27.047Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Darkhotel](https://attack.mitre.org/groups/G0012) has used code-signing certificates on its malware that are either forged due to weak keys or stolen. [Darkhotel](https://attack.mitre.org/groups/G0012) has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)";
dcterms:modified "2020-03-16T20:05:43.409Z"^^xsd:dateTime .
:relationship--4a942244-9b88-43d0-9a1c-c0277e7903e8
rdf:type stix:Relationship;
stix:source_ref :malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19;
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2;
dcterms:created "2021-01-19T21:06:07.795Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Raindrop](https://attack.mitre.org/software/S0565) was installed under names that resembled legitimate Windows file and directory names.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)";
dcterms:modified "2021-01-25T18:23:23.380Z"^^xsd:dateTime .
:relationship--6017ff5f-e522-45fe-857a-e4fef38a6349
rdf:type stix:Relationship;
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616;
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa;
dcterms:created "2021-05-17T19:26:45.791Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can enumerate services on compromised hosts.(Citation: Cobalt Strike Manual 4.3 November 2020)";
dcterms:modified "2021-10-18T19:54:13.323Z"^^xsd:dateTime .
:relationship--1e0fdaa6-7a6f-4bd6-a1ef-3ee85d1d89b2
rdf:type stix:Relationship;
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2019-06-07T14:53:09.049Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) can list running processes.(Citation: Trend Micro IXESHE 2012)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--2325c0b2-fb89-44e1-9206-e495811f2907
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27;
dcterms:created "2017-05-31T21:33:27.066Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)";
dcterms:modified "2022-07-28T18:55:36.001Z"^^xsd:dateTime .
:relationship--162a051d-a551-4b8c-875a-75264768e541
rdf:type stix:Relationship;
stix:source_ref :malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1;
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MoonWind](https://attack.mitre.org/software/S0149) installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.(Citation: Palo Alto MoonWind March 2017)";
dcterms:modified "2020-03-20T17:34:12.521Z"^^xsd:dateTime .
:relationship--d18f30d7-deca-457c-b993-c87843ae3bab
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee;
stix:target_ref :tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906;
dcterms:created "2023-09-14T18:58:53.520Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: CrowdStrike PIONEER KITTEN August 2020)";
dcterms:modified "2023-09-14T18:58:53.520Z"^^xsd:dateTime .
:relationship--7a2f70b7-7b6e-4c05-8f71-42a494b055ce
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Gorgon Group](https://attack.mitre.org/groups/G0078) sent emails to victims with malicious Microsoft Office documents attached.(Citation: Unit 42 Gorgon Group Aug 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--eaaa3ad9-1bac-4355-901a-7ea888ab4bdc
rdf:type stix:Relationship;
stix:source_ref :course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312;
stix:target_ref :attack-pattern--6e6845c2-347a-4a6f-a2d1-b74a18ebd352;
dcterms:created "2019-06-25T12:42:56.899Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--1cd41777-3d65-4e39-8de7-3951d1568c16
rdf:type stix:Relationship;
stix:source_ref :malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2020-05-19T17:32:26.498Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments (Citation: Bitdefender Agent Tesla April 2020)";
dcterms:modified "2020-05-20T13:38:07.117Z"^^xsd:dateTime .
:relationship--d0b1714b-a9d5-4450-9200-337d164dc897
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924;
stix:target_ref :attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7;
dcterms:created "2019-01-29T20:17:49.356Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has leveraged the BITSadmin command-line tool to create a job and launch a malicious process.";
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime .
:relationship--fa27f615-56c5-4089-bcda-657999868e53
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63;
dcterms:created "2020-07-17T17:34:21.437Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.(Citation: ESET InvisiMole June 2020)";
dcterms:modified "2020-08-17T14:08:27.413Z"^^xsd:dateTime .
:relationship--a6350331-0c0d-4d0d-90a3-d5cc3e420875
rdf:type stix:Relationship;
stix:source_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70;
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611;
dcterms:created "2019-04-23T15:51:37.516Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[China Chopper](https://attack.mitre.org/software/S0020)'s server component can change the timestamp of files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)";
dcterms:modified "2021-01-25T15:43:46.040Z"^^xsd:dateTime .
:relationship--d7c40b1d-efe6-4869-9754-6494d45f51f1
rdf:type stix:Relationship;
stix:source_ref :malware--95047f03-4811-4300-922e-1ba937d53a61;
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Hikit](https://attack.mitre.org/software/S0009) supports peer connections.(Citation: Novetta-Axiom)";
dcterms:modified "2023-03-20T22:03:44.687Z"^^xsd:dateTime .
:relationship--70b1afda-98b8-4c7c-ad41-ceb2b45af5d4
rdf:type stix:Relationship;
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2021-10-14T16:29:19.187Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used <code>reg.exe</code> to create a Registry Run key.(Citation: FireEye SMOKEDHAM June 2021)";
dcterms:modified "2021-10-14T16:29:19.187Z"^^xsd:dateTime .
:relationship--72d641a0-126d-4bb2-98de-9f8ec46a8d9d
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a;
stix:target_ref :attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289;
dcterms:created "2023-09-08T19:21:18.129Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)";
dcterms:modified "2023-09-08T20:31:23.077Z"^^xsd:dateTime .
:relationship--a4ceb321-f21d-4c62-9b49-cb0c64f0008e
rdf:type stix:Relationship;
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4;
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc;
dcterms:created "2023-06-23T20:07:13.475Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)";
dcterms:modified "2023-06-23T20:07:13.475Z"^^xsd:dateTime .
:relationship--19bede58-549b-4e7d-b206-6045370b9995
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2021-10-01T01:57:31.664Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)";
dcterms:modified "2021-10-12T18:18:25.376Z"^^xsd:dateTime .
:relationship--41ca57db-9736-4adf-ac5d-ea2be2ab4860
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae;
stix:target_ref :attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54;
dcterms:created "2020-10-13T22:33:14.086Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT17](https://attack.mitre.org/groups/G0025) has created profile pages in Microsoft TechNet that were used as C2 infrastructure.(Citation: FireEye APT17)";
dcterms:modified "2020-10-13T22:33:14.086Z"^^xsd:dateTime .
:relationship--e28ddc1d-83a4-4382-a4dc-e55a60aa399d
rdf:type stix:Relationship;
stix:source_ref :malware--11194d8b-fdce-45d2-8047-df15bb8f16bd;
stix:target_ref :attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c;
dcterms:created "2019-08-26T13:02:46.951Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Exaramel for Linux](https://attack.mitre.org/software/S0401) uses crontab for persistence if it does not have root privileges.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)";
dcterms:modified "2021-03-31T15:43:38.134Z"^^xsd:dateTime .
:relationship--324a715b-5d89-41a1-957e-3214badee119
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973;
stix:target_ref :attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3;
dcterms:created "2022-01-07T15:57:14.853Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Axiom](https://attack.mitre.org/groups/G0001) has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)";
dcterms:modified "2023-03-20T22:03:44.676Z"^^xsd:dateTime .
:relationship--08e9dd54-cd91-440e-84d0-f86494ad0a3a
rdf:type stix:Relationship;
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31;
stix:target_ref :attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302;
dcterms:created "2019-06-24T19:32:19.533Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Regsvcs and Regasm may not be necessary within a given environment.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--93b08370-9c05-47df-b067-368343dba24a
rdf:type stix:Relationship;
stix:source_ref :malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122;
stix:target_ref :attack-pattern--29be378d-262d-4e99-b00d-852d573628e6;
dcterms:created "2019-04-18T00:26:13.521Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RogueRobin](https://attack.mitre.org/software/S0270) uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)";
dcterms:modified "2020-03-16T18:30:11.263Z"^^xsd:dateTime .
:relationship--7bd145ae-5ad2-48cc-8438-5b9ec8ed5414
rdf:type stix:Relationship;
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550;
stix:target_ref :attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c;
dcterms:created "2021-03-11T16:52:13.976Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can use Cron to create periodic and pre-scheduled background jobs.(Citation: Leonardo Turla Penquin May 2020)";
dcterms:modified "2022-09-28T21:27:07.139Z"^^xsd:dateTime .
:relationship--4762aa33-bcb3-49d4-b565-f8374cb9c996
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba;
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd;
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows (e.g. unusual network communications or suspicious communications sending fixed size data packets at regular intervals as well as unusually long connection patterns). Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--8a86cd72-8386-4c75-8362-7b9020add12b
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4;
stix:target_ref :attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e;
dcterms:created "2023-07-28T17:52:58.109Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within an compromised environment.(Citation: Mandiant FIN13 Aug 2022)";
dcterms:modified "2023-10-03T14:35:01.966Z"^^xsd:dateTime .
:relationship--0b37289c-b118-45f7-98b2-5efe06cbf0b2
rdf:type stix:Relationship;
stix:source_ref :malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2020-06-02T15:39:14.548Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)";
dcterms:modified "2020-06-10T15:05:57.806Z"^^xsd:dateTime .
:relationship--720cc0d6-9285-425b-bda2-3bdd59b4ea8f
rdf:type stix:Relationship;
stix:source_ref :malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Volgmer](https://attack.mitre.org/software/S0180) can download remote files and additional payloads to the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)";
dcterms:modified "2023-03-26T20:40:35.185Z"^^xsd:dateTime .
:relationship--ea8e9109-739f-485c-8d13-fb5ed6b2fdcd
rdf:type stix:Relationship;
stix:source_ref :malware--959f3b19-2dc8-48d5-8942-c66813a5101a;
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada;
dcterms:created "2020-09-29T19:16:57.927Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[WellMail](https://attack.mitre.org/software/S0515) can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)";
dcterms:modified "2020-09-30T15:07:31.159Z"^^xsd:dateTime .
:relationship--f4a0f496-b47c-4bdf-affb-b57fb17203db
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2019-01-31T01:07:58.711Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--2355c588-ff82-4eaf-82db-54af59ede582
rdf:type stix:Relationship;
stix:source_ref :malware--fde50aaa-f5de-4cb8-989a-babb57d6a704;
stix:target_ref :attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Net Crawler](https://attack.mitre.org/software/S0056) uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.(Citation: Cylance Cleaver)";
dcterms:modified "2022-07-22T18:37:22.187Z"^^xsd:dateTime .
:relationship--401790f5-abf5-4523-ac98-b200d3b34a7e
rdf:type stix:Relationship;
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2021-09-30T14:01:31.859Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can identify the system time on a targeted host.(Citation: Kaspersky QakBot September 2021)";
dcterms:modified "2021-09-30T14:01:31.859Z"^^xsd:dateTime .
:relationship--5ef4206d-aaa0-47c4-bed2-9c803a9d4585
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21;
dcterms:created "2022-03-30T14:26:51.859Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--f9600732-9116-4325-8073-28d81721b37a
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f;
stix:target_ref :tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)";
dcterms:modified "2023-03-23T15:14:18.653Z"^^xsd:dateTime .
:relationship--cbfb1a32-4582-4ecb-8a0e-4c76caaa5063
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e;
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597;
dcterms:created "2021-01-27T16:43:48.406Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious attachments often crafted for specific targets.(Citation: ATT Sidewinder January 2021)";
dcterms:modified "2021-04-06T22:07:34.012Z"^^xsd:dateTime .
:relationship--da331399-4c9f-4a16-92b1-97e635703c18
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321;
stix:target_ref :tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153;
dcterms:created "2020-05-06T03:13:43.392Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Group IB Silence Sept 2018)";
dcterms:modified "2020-05-06T03:13:43.392Z"^^xsd:dateTime .
:relationship--4269342d-fd7b-4fc6-882f-5099da627c85
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924;
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d;
dcterms:created "2019-01-29T20:17:49.308Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under <code>C:\\ProgramData\\Apple\\Updates\\</code> and <code>C:\\Users\\Public\\Documents\\Flash\\</code>.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)";
dcterms:modified "2020-05-21T14:55:00.348Z"^^xsd:dateTime .
:relationship--cce47265-080f-4148-b9c9-cd99eb1e2b2f
rdf:type stix:Relationship;
stix:source_ref :course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb;
stix:target_ref :attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d;
dcterms:created "2019-06-13T16:49:49.549Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process) (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--ad87ebba-c4fc-458a-8ccd-c1cbd16ae14d
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f;
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84;
dcterms:created "2022-09-28T13:29:53.437Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "";
dcterms:modified "2022-09-28T13:29:53.437Z"^^xsd:dateTime .
:relationship--6b1cc49f-8d94-4f59-a723-2a70c3edf760
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad;
stix:target_ref :attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334;
dcterms:created "2020-05-26T16:17:59.430Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Rocke](https://attack.mitre.org/groups/G0106) has installed an \"init.d\" startup script to maintain persistence.(Citation: Anomali Rocke March 2019)\t";
dcterms:modified "2020-06-11T19:52:07.425Z"^^xsd:dateTime .
:relationship--553aadc2-8c1c-4ad7-b974-c65f99f6a892
rdf:type stix:Relationship;
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31;
stix:target_ref :attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829;
dcterms:created "2020-03-11T13:50:57.110Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)";
dcterms:modified "2021-10-15T22:48:29.655Z"^^xsd:dateTime .
:relationship--3359cfe3-0d04-4fb8-9f2f-1b049bc10cf4
rdf:type stix:Relationship;
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c;
stix:target_ref :attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a;
dcterms:created "2019-06-25T11:24:45.251Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--561ccbcd-578f-4af2-81aa-8594796b6909
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd;
dcterms:created "2022-05-27T13:54:57.722Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the `sts:GetFederationToken` API unless explicitly required.(Citation: Crowdstrike AWS User Federation Persistence)";
dcterms:modified "2023-03-10T17:27:50.449Z"^^xsd:dateTime .
:malware--d906e6f7-434c-44c0-b51a-ed50af8f7945
rdf:type stix:Malware;
rdfs:label "njRAT";
dcterms:created "2019-06-04T17:52:28.806Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)";
dcterms:modified "2023-09-20T20:03:22.206Z"^^xsd:dateTime .
:relationship--54f6c1c8-f3c7-44a6-9a00-2195e03cf0ae
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7;
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5;
dcterms:created "2021-10-08T19:01:06.111Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)";
dcterms:modified "2023-03-23T15:45:58.852Z"^^xsd:dateTime .
:relationship--67b49860-e1e4-4b56-bf83-108c4ac25e5c
rdf:type stix:Relationship;
stix:source_ref :malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[MiniDuke](https://attack.mitre.org/software/S0051) can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)";
dcterms:modified "2020-10-09T16:07:58.859Z"^^xsd:dateTime .
:relationship--ccd237b6-c7d6-4941-a1f2-cb563ae90b79
rdf:type stix:Relationship;
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5;
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) has used a malicious Word document for delivery with VBA macros for execution.(Citation: US-CERT TYPEFRAME June 2018)";
dcterms:modified "2020-06-23T20:40:40.910Z"^^xsd:dateTime .
:relationship--951774ce-173c-4aaf-a6e3-515ba497d523
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87;
stix:target_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70;
dcterms:created "2021-03-04T14:47:27.385Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Rapid7 HAFNIUM Mar 2021)";
dcterms:modified "2023-02-21T18:34:35.421Z"^^xsd:dateTime .
:relationship--a0e4dc2c-1977-4c4c-a5ee-4710fb3ef1a5
rdf:type stix:Relationship;
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2023-06-22T20:48:11.495Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to gather basic system information and run the POSIX API `gethostbyname`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)";
dcterms:modified "2023-06-23T20:24:02.395Z"^^xsd:dateTime .
:relationship--a3de3705-8085-4992-9b90-1cb8ef532b5c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "APT28 has queried information on machines to determine the current user or system owner .";
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime .
:relationship--9e27c930-eba5-467f-90e5-4ec5b4219735
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d;
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8;
dcterms:created "2019-06-24T19:11:41.147Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--5926c79d-b8a7-419a-b789-7e2ff1ee32b9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07;
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c;
dcterms:created "2021-10-13T22:50:48.785Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Indrik Spider](https://attack.mitre.org/groups/G0119) has stored collected date in a .tmp file.(Citation: Symantec WastedLocker June 2020)";
dcterms:modified "2021-10-13T22:50:48.785Z"^^xsd:dateTime .
:relationship--cc705bf0-ba29-443e-9cd5-aef247505210
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9;
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT3](https://attack.mitre.org/groups/G0022) places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:course-of-action--9e57c770-5a39-49a2-bb91-253ba629e3ac
rdf:type stix:CourseOfAction;
rdfs:label "Security Support Provider Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)";
dcterms:modified "2019-07-25T11:41:39.946Z"^^xsd:dateTime .
:relationship--03981d0c-c7d5-4a65-bd8f-1b1a2c1efe2a
rdf:type stix:Relationship;
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a;
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada;
dcterms:created "2023-08-08T19:29:17.546Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk.";
dcterms:modified "2023-08-23T14:27:47.649Z"^^xsd:dateTime .
:relationship--913c67d5-0c5b-40d5-be88-6ce4e5030603
rdf:type stix:Relationship;
stix:source_ref :malware--54895630-efd2-4608-9c24-319de972a9eb;
stix:target_ref :attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d;
dcterms:created "2020-06-30T00:18:39.805Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables [Ragnar Locker](https://attack.mitre.org/software/S0481) to encrypt files on the host operating system, including files on any mapped drives.(Citation: Sophos Ragnar May 2020)";
dcterms:modified "2020-06-30T00:18:39.805Z"^^xsd:dateTime .
:relationship--79958f80-16ca-4287-b691-9c748d6baf66
rdf:type stix:Relationship;
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe;
stix:target_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to create a login item for persistence.(Citation: objsee mac malware 2017)";
dcterms:modified "2020-01-17T19:39:11.377Z"^^xsd:dateTime .
:relationship--f5faa97f-761c-4978-8535-2d9a42fcdd6f
rdf:type stix:Relationship;
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407;
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c;
dcterms:created "2019-06-05T17:31:22.338Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has copied itself to and infected files in network drives for propagation.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro Ursnif File Dec 2014)";
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime .
:relationship--b6cbc9b8-f547-414a-8fb8-b493128c533e
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--c0a384a4-9a25-40e1-97b6-458388474bc8;
dcterms:created "2019-07-18T15:32:39.956Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--2ddb50ab-4c8e-41e6-ba3f-d7718c66f0d5
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4;
stix:target_ref :attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb;
dcterms:created "2023-07-28T17:51:43.218Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web server.(Citation: Sygnia Elephant Beetle Jan 2022)";
dcterms:modified "2023-10-03T13:54:16.192Z"^^xsd:dateTime .
:relationship--8eda78b8-3fd5-4c97-878d-bf2eaa0aa9b5
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e;
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39
rdf:type stix:Tool;
rdfs:label "Cobalt Strike";
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)";
dcterms:modified "2020-11-12T14:49:39.188Z"^^xsd:dateTime .
:relationship--33a382a9-ebb3-48d9-bb7e-394a27783668
rdf:type stix:Relationship;
stix:source_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2019-01-29T14:51:06.825Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[gh0st RAT](https://attack.mitre.org/software/S0032) can download files to the victim’s machine.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)";
dcterms:modified "2021-03-29T19:49:11.254Z"^^xsd:dateTime .
:relationship--e32b53b5-b112-483a-8d95-56bf3f43671f
rdf:type stix:Relationship;
stix:source_ref :malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee;
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) uses scheduled tasks typically named \"Watchmon Service\" for persistence.(Citation: F-Secure Cosmicduke)";
dcterms:modified "2021-07-20T21:57:36.216Z"^^xsd:dateTime .
:relationship--2161578b-44ef-4c44-90ad-2ee8920a3db8
rdf:type stix:Relationship;
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2021-10-01T21:53:33.660Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can download additional files onto the host.(Citation: Volexity InkySquid BLUELIGHT August 2021) ";
dcterms:modified "2021-10-15T16:54:01.153Z"^^xsd:dateTime .
:attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a
rdf:type d3f:OffensiveTechnique;
rdfs:label "Office Test";
dcterms:created "2019-11-07T19:44:04.475Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf</code>\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--67f7ebd0-effb-4169-a184-7d45c614a6ee
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de;
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34;
dcterms:created "2021-01-27T21:26:53.151Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Evilnum](https://attack.mitre.org/groups/G0120) has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020) ";
dcterms:modified "2021-01-27T21:26:53.151Z"^^xsd:dateTime .
:relationship--aa84d43a-4f79-485c-95ea-a375d5f52838
rdf:type stix:Relationship;
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650;
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee;
dcterms:created "2023-03-26T19:11:10.948Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)";
dcterms:modified "2023-03-26T19:11:10.948Z"^^xsd:dateTime .
:relationship--88d72a6e-091f-48ff-9ad4-fd05d748d956
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af;
stix:target_ref :attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a;
dcterms:created "2022-08-18T18:52:33.003Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)";
dcterms:modified "2022-08-18T18:52:33.003Z"^^xsd:dateTime .
:relationship--e0e8cd30-04d6-457c-b4c1-34145f182dad
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4;
dcterms:created "2022-07-01T20:25:23.375Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-07-01T20:25:23.375Z"^^xsd:dateTime .
:relationship--ee38932c-ab04-4ac5-9ca3-d14cc98f5476
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13;
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055;
dcterms:created "2022-05-26T15:17:44.884Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used a tool to run `cmd /c wmic computersystem get domain` for discovery.(Citation: DFIR Report APT35 ProxyShell March 2022)";
dcterms:modified "2022-06-02T19:50:45.611Z"^^xsd:dateTime .
:relationship--4c2924c1-dec5-4390-87d7-c52e24a92512
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662;
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619;
dcterms:created "2019-01-30T15:33:07.517Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT1](https://attack.mitre.org/groups/G0006) used a batch script to perform a series of discovery techniques and saves it to a text file.(Citation: Mandiant APT1)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--c965212c-f60d-4814-97ce-bbbb83382703
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee;
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58;
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--54aae76b-14fe-47e9-86c8-bd39317429c3
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0;
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0;
dcterms:created "2023-09-18T20:45:37.266Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "\n[TA2541](https://attack.mitre.org/groups/G1018) has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)\n";
dcterms:modified "2023-09-18T20:45:37.266Z"^^xsd:dateTime .
:relationship--e8805949-55f7-47cd-965c-2edd4221da12
rdf:type stix:Relationship;
stix:source_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4;
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896;
dcterms:created "2023-05-23T20:31:31.136Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUIETCANARY](https://attack.mitre.org/software/S1076) has the ability to retrieve information from the Registry.(Citation: Mandiant Suspected Turla Campaign February 2023)";
dcterms:modified "2023-05-23T20:31:31.136Z"^^xsd:dateTime .
:relationship--8a2a174b-c45c-4241-b773-c3d42513223d
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7;
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:malware--f931a0b9-0361-4b1b-bacf-955062c35746
rdf:type stix:Malware;
rdfs:label "Seth-Locker";
dcterms:created "2021-08-13T14:57:39.387Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--26303f07-87f0-4740-b6ea-e81e8c01b267
rdf:type stix:Relationship;
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2020-05-26T20:33:11.754Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to decrypt the loader configuration and payload DLL.(Citation: CheckPoint Naikon May 2020)";
dcterms:modified "2020-05-26T20:33:11.754Z"^^xsd:dateTime .
:relationship--4c44fea9-545c-4d2f-a5e9-caee38ee65b4
rdf:type stix:Relationship;
stix:source_ref :malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62;
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5;
dcterms:created "2019-04-16T12:57:12.888Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SamSam](https://attack.mitre.org/software/S0370) has used garbage code to pad some of its malware components.(Citation: Sophos SamSam Apr 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--6a289837-2455-471b-81e4-b677550ab77b
rdf:type stix:Relationship;
stix:source_ref :malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c;
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[OopsIE](https://attack.mitre.org/software/S0264) checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.(Citation: Unit 42 OilRig Sept 2018)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--3a26d78f-e0cb-4a58-8d84-6d867b32f279
rdf:type stix:Relationship;
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2021-09-28T22:45:48.678Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. \n (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)";
dcterms:modified "2022-11-30T22:45:32.492Z"^^xsd:dateTime .
:relationship--96667f6c-e625-4696-92b5-d65d142b3f43
rdf:type stix:Relationship;
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe;
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b;
dcterms:created "2021-10-06T02:04:09.775Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) exfiltrates logs of its execution stored in the <code>/tmp</code> folder over FTP using the <code>curl</code> command.(Citation: hexed osx.dok analysis 2019) ";
dcterms:modified "2021-10-09T19:14:07.293Z"^^xsd:dateTime .
:relationship--4bf364ad-1e9c-4860-93c0-241da4c81068
rdf:type stix:Relationship;
stix:source_ref :malware--8c553311-0baa-4146-997a-f79acef3d831;
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RARSTONE](https://attack.mitre.org/software/S0055) downloads its backdoor component from a C2 server and loads it directly into memory.(Citation: Aquino RARSTONE)";
dcterms:modified "2020-03-16T19:06:33.151Z"^^xsd:dateTime .
:relationship--731acc34-e9c3-4953-a743-7941bc73c0d2
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71;
stix:target_ref :tool--03342581-f790-4f03-ba41-e82e67392e23;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: US-CERT TA18-074A)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--9873626b-74e8-456d-9e34-95a313daa27b
rdf:type stix:Relationship;
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131;
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062;
dcterms:created "2022-09-30T20:15:22.218Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Some [S-Type](https://attack.mitre.org/software/S0085) samples have been packed with UPX.(Citation: Cylance Dust Storm)";
dcterms:modified "2022-09-30T20:15:22.218Z"^^xsd:dateTime .
:relationship--89544a80-5144-443a-9560-ab8b7a87fa96
rdf:type stix:Relationship;
stix:source_ref :malware--4816d361-f82b-4a18-aa05-b215e7cf9200;
stix:target_ref :attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6;
dcterms:created "2023-08-17T17:17:55.488Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUIETEXIT](https://attack.mitre.org/software/S1084) can use an inverse negotiated SSH connection as part of its C2.(Citation: Mandiant APT29 Eye Spy Email Nov 22)";
dcterms:modified "2023-10-10T17:09:38.929Z"^^xsd:dateTime .
:relationship--935f9bb6-d38d-42d1-a764-6b5110ad5364
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90;
stix:target_ref :attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)";
dcterms:modified "2020-06-24T01:27:31.912Z"^^xsd:dateTime .
:relationship--93656c66-acfc-43b4-af66-bf328256b7b8
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--94873029-f950-4268-9cfd-5032e15cb182;
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd;
dcterms:created "2021-03-19T21:04:01.269Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TA551](https://attack.mitre.org/groups/G0127) has used a DGA to generate URLs from executed macros.(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)";
dcterms:modified "2021-03-19T21:04:01.269Z"^^xsd:dateTime .
:relationship--8f5e9158-1abe-4ed7-8a0a-df07f629aac8
rdf:type stix:Relationship;
stix:source_ref :malware--222ba512-32d9-49ac-aefd-50ce981ce2ce;
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0;
dcterms:created "2020-05-21T21:31:34.306Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Pony](https://attack.mitre.org/software/S0453) has delayed execution using a built-in function to avoid detection and analysis.(Citation: Malwarebytes Pony April 2016)\t";
dcterms:modified "2020-05-21T21:31:34.306Z"^^xsd:dateTime .
:relationship--d200ba08-8179-495e-a854-9b13be5c0f93
rdf:type stix:Relationship;
stix:source_ref :malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1;
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A variant of [Emissary](https://attack.mitre.org/software/S0082) appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.(Citation: Emissary Trojan Feb 2016)";
dcterms:modified "2021-08-27T14:42:00.385Z"^^xsd:dateTime .
:attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe
rdf:type d3f:OffensiveTechnique;
rdfs:label "Port Monitors";
dcterms:created "2020-01-24T19:46:27.750Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\\Windows\\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:relationship--0aac9510-f48a-4b28-ae0e-c6facc1635ae
rdf:type stix:Relationship;
stix:source_ref :course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e;
stix:target_ref :attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4;
dcterms:created "2017-05-31T21:33:27.027Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--13bc2a82-c51d-4410-9e62-223df287b8f7
rdf:type stix:Relationship;
stix:source_ref :malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae;
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c;
dcterms:created "2021-08-31T22:15:50.454Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Lokibot](https://attack.mitre.org/software/S0447) has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.(Citation: Talos Lokibot Jan 2021)";
dcterms:modified "2021-09-15T21:10:13.154Z"^^xsd:dateTime .
:relationship--e4960a7a-c280-4356-8b03-b848c68acd05
rdf:type stix:Relationship;
stix:source_ref :malware--36801ffb-5c85-4c50-9121-6122e389366d;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2022-08-07T15:05:05.004Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description " [Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect the username from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)";
dcterms:modified "2022-08-15T20:28:15.292Z"^^xsd:dateTime .
:attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc
rdf:type d3f:OffensiveTechnique;
rdfs:label "Registry Run Keys / Startup Folder";
dcterms:created "2017-05-31T21:30:49.988Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.\n\nThe startup folder path for the current user is:\n* <code>C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</code>\nThe startup folder path for all users is:\n* <code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--701a2767-70f3-44f1-a397-9c04517ece67
rdf:type stix:Relationship;
stix:source_ref :course-of-action--9da16278-c6c5-4410-8a6b-9c16ce8005b3;
stix:target_ref :attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--d8f14118-ba84-44b0-a0b6-ad2348e42906
rdf:type stix:Relationship;
stix:source_ref :malware--dd889a55-fb2c-4ec7-8e9f-c399939a49e1;
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41;
dcterms:created "2022-06-28T14:54:51.493Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "The [IceApple](https://attack.mitre.org/software/S1022) Result Retriever module can AES encrypt C2 responses.(Citation: CrowdStrike IceApple May 2022)";
dcterms:modified "2022-06-28T14:54:51.493Z"^^xsd:dateTime .
:relationship--837b0603-61a3-4cfe-b5cd-4ea2d0ea34b9
rdf:type stix:Relationship;
stix:source_ref :malware--310f437b-29e7-4844-848c-7220868d074a;
stix:target_ref :attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "creates run key Registry entries pointing to a malicious executable dropped to disk.";
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime .
:relationship--838b4a52-1360-4ca7-ab25-1b549508e687
rdf:type stix:Relationship;
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472;
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "An older version of [CHOPSTICK](https://attack.mitre.org/software/S0023) has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--ae1ee1dc-6017-4177-b34c-70db166a939e
rdf:type stix:Relationship;
stix:source_ref :malware--8ae43c46-57ef-47d5-a77a-eebb35628db2;
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Many strings in [JHUHUGIT](https://attack.mitre.org/software/S0044) are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)";
dcterms:modified "2020-03-20T16:40:41.305Z"^^xsd:dateTime .
:relationship--feb29d58-b733-47a4-9d56-8d45b36f0978
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754;
dcterms:created "2022-03-30T14:26:51.857Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with  [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file.\n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)";
dcterms:modified "2022-04-20T12:32:55.852Z"^^xsd:dateTime .
:relationship--104334fa-4d32-48ab-a55d-c481ce7c4cd3
rdf:type stix:Relationship;
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2;
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada;
dcterms:created "2020-06-22T20:34:05.348Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455)'s C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) ";
dcterms:modified "2020-10-22T01:34:58.157Z"^^xsd:dateTime .
:relationship--9df02934-ee06-4c63-8f27-00b88f615a26
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077;
stix:target_ref :attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d;
dcterms:created "2022-03-30T14:26:51.866Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6;
stix:target_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--70bed654-4c16-456a-8691-4f2bf1c916cc
rdf:type stix:Relationship;
stix:source_ref :malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59;
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104;
dcterms:created "2021-05-26T15:09:52.202Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SombRAT](https://attack.mitre.org/software/S0615) can execute <code>getinfo</code> to identify the username on a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)";
dcterms:modified "2021-06-08T13:29:06.848Z"^^xsd:dateTime .
:relationship--fb988651-2bb4-4169-be8e-14ab9c8ef483
rdf:type stix:Relationship;
stix:source_ref :course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff;
stix:target_ref :attack-pattern--46944654-fcc1-4f63-9dad-628102376586;
dcterms:created "2019-06-24T13:35:27.794Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm\n\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. <code>%SYSTEMROOT%</code>)to be used before local directory DLLs (e.g. a user's home directory)\n\nThe Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode</code> (Citation: Microsoft DLL Search)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--67e6b603-a45d-4cbc-9b3e-546392934f7f
rdf:type stix:Relationship;
stix:source_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90;
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Mosquito](https://attack.mitre.org/software/S0256) can modify Registry keys under <code>HKCU\\Software\\Microsoft\\[dllname]</code> to store configuration values. [Mosquito](https://attack.mitre.org/software/S0256) also modifies Registry keys under <code>HKCR\\CLSID\\...\\InprocServer32</code> with a path to the launcher.(Citation: ESET Turla Mosquito Jan 2018)";
dcterms:modified "2023-03-26T19:21:13.970Z"^^xsd:dateTime .
:attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a
rdf:type d3f:OffensiveTechnique;
rdfs:label "Steal or Forge Kerberos Tickets";
dcterms:created "2020-02-11T19:12:46.830Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n";
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime .
:attack-pattern--c23b740b-a42b-47a1-aec2-9d48ddd547ff
rdf:type d3f:OffensiveTechnique;
rdfs:label "Pass the Hash";
dcterms:created "2017-05-31T21:30:59.339Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. \n\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c
rdf:type stix:Malware;
rdfs:label "RATANKBA";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--57216102-21aa-402b-b306-79e1dd548716
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4;
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60;
dcterms:created "2019-04-16T15:21:57.842Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: FireEye TRITON 2019)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--796f56ac-a97a-4038-a005-1523a185e059
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a;
dcterms:created "2021-04-16T21:33:50.813Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--3e24f01c-3af8-4dde-9200-4f69fecb3156
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--b39d03cb-7b98-41c4-a878-c40c1a913dc0;
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee;
dcterms:created "2020-02-11T20:35:32.284Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:malware--df350889-4de9-44e5-8cb3-888b8343e97c
rdf:type stix:Malware;
rdfs:label "metaMain";
dcterms:created "2023-01-24T00:12:34.751Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)";
dcterms:modified "2023-04-05T14:09:42.670Z"^^xsd:dateTime .
:relationship--8c041b13-34d6-4da5-8a80-0dade355953d
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8;
stix:target_ref :attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7;
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.(Citation: SpectorOps Subverting Trust Sept 2017) Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017)\n\nOn macOS, the removal of the <code>com.apple.quarantine</code> flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.";
dcterms:modified "2022-03-30T14:26:51.871Z"^^xsd:dateTime .
:relationship--886aa8d9-b95e-4577-812a-f1ddcedbe70f
rdf:type stix:Relationship;
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8;
stix:target_ref :attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb;
dcterms:created "2019-06-25T13:32:35.994Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\\u2019t included as part of an update, it should be investigated.";
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--32478440-a1d2-458d-a749-e2d200415106
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192;
stix:target_ref :attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f;
dcterms:created "2020-11-25T22:46:47.381Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)";
dcterms:modified "2023-01-20T18:40:35.934Z"^^xsd:dateTime .
:relationship--105a37da-145b-4143-8641-566350cd143c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192;
stix:target_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4;
dcterms:created "2020-11-25T22:46:47.615Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)";
dcterms:modified "2020-11-25T22:46:47.615Z"^^xsd:dateTime .
:relationship--5c160f0c-1c12-4ab0-bd6e-a30f8d5bc168
rdf:type stix:Relationship;
stix:source_ref :malware--b51797f7-57da-4210-b8ac-b8632ee75d70;
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077;
dcterms:created "2020-06-11T20:08:11.417Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to determine local time on a compromised host.(Citation: Kaspersky TajMahal April 2019)";
dcterms:modified "2020-06-11T20:08:11.417Z"^^xsd:dateTime .
:relationship--56f490de-51e8-47c4-9eae-ecdd1a55e6ef
rdf:type stix:Relationship;
stix:source_ref :course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463;
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6;
dcterms:created "2019-06-24T13:38:13.125Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.(Citation: Windows Blogs Microsoft Edge Sandbox)(Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.(Citation: Ars Technica Pwn2Own 2017 VM Escape)";
dcterms:modified "2022-03-08T21:11:48.078Z"^^xsd:dateTime .
:relationship--9e60bb82-19b3-4e76-82f0-32b8b6e611ba
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c;
dcterms:created "2022-03-30T14:26:51.844Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--321e9302-b335-4f17-b03a-7782683d69f9
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca;
stix:target_ref :attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b;
dcterms:created "2021-10-01T01:57:31.556Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has disabled <code>iptables</code>.(Citation: Aqua TeamTNT August 2020)";
dcterms:modified "2021-10-01T01:57:31.556Z"^^xsd:dateTime .
:relationship--2c1758b2-6809-48f5-84f1-e82afa950a9f
rdf:type stix:Relationship;
stix:source_ref :malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2021-02-12T20:07:43.170Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[EKANS](https://attack.mitre.org/software/S0605) looks for processes from a hard-coded list.(Citation: Dragos EKANS)(Citation: FireEye Ransomware Feb 2020)(Citation: IBM Ransomware Trends September 2020)";
dcterms:modified "2021-10-13T21:54:51.805Z"^^xsd:dateTime .
:relationship--de195a33-8461-4d6a-aa6a-cb2893904c66
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc;
stix:target_ref :attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416;
dcterms:created "2020-02-14T13:09:51.274Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--8f16cec3-2fba-4b69-a5c5-c3eb1f185e90
rdf:type stix:Relationship;
stix:source_ref :malware--0a607c53-df52-45da-a75d-0e53df4dad5f;
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579;
dcterms:created "2019-07-29T14:58:44.928Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RobbinHood](https://attack.mitre.org/software/S0400) will search for Windows services that are associated with antivirus software on the system and kill the process.(Citation: CarbonBlack RobbinHood May 2019) ";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--d8f5283b-fe44-4206-8a7d-393d216beb7e
rdf:type stix:Relationship;
stix:source_ref :malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9;
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[TinyZBot](https://attack.mitre.org/software/S0004) contains keylogger functionality.(Citation: Cylance Cleaver)";
dcterms:modified "2022-07-22T18:37:22.206Z"^^xsd:dateTime .
:relationship--6337cf38-4b52-4e3d-a63e-670e077ec52f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2020-08-27T21:22:39.805Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)\t";
dcterms:modified "2023-02-06T18:11:56.973Z"^^xsd:dateTime .
:relationship--b736ab77-4dd6-4c80-8b8a-d15446436e0e
rdf:type stix:Relationship;
stix:source_ref :course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312;
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001;
dcterms:created "2021-06-17T18:49:50.117Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure IIS DLLs and binaries are signed by the correct application developers.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--dfd24960-6b7e-4fab-bb84-2fc2ed4fc772
rdf:type stix:Relationship;
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570;
stix:target_ref :attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662;
dcterms:created "2021-06-11T16:51:49.284Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can zip and encrypt data collected on a target system.(Citation: Malwarebytes Kimsuky June 2021)";
dcterms:modified "2021-06-11T16:56:08.706Z"^^xsd:dateTime .
:relationship--bec1b07a-6a67-469e-8b87-246e950d86b2
rdf:type stix:Relationship;
stix:source_ref :tool--a7b5df47-73bb-4d47-b701-869f185633a6;
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736;
dcterms:created "2022-03-25T14:32:35.645Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Donut](https://attack.mitre.org/software/S0695) can generate shellcode outputs that execute via PowerShell.(Citation: Donut Github)\t";
dcterms:modified "2022-04-18T16:25:46.715Z"^^xsd:dateTime .
:relationship--a8fef3c0-796a-4995-81fe-c47336c3ddbd
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0;
dcterms:created "2022-09-02T19:19:17.187Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-09-02T19:19:17.187Z"^^xsd:dateTime .
:relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a
rdf:type stix:Relationship;
stix:source_ref :campaign--46421788-b6e1-4256-b351-f8beffd1afba;
stix:target_ref :malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4;
dcterms:created "2023-09-27T13:22:13.265Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Booz Allen Hamilton)";
dcterms:modified "2023-09-27T13:25:51.965Z"^^xsd:dateTime .
:relationship--c1fc2403-6cea-40ca-a5ba-82296600988c
rdf:type stix:Relationship;
stix:source_ref :malware--99854cc8-f202-4e03-aa0a-4f8a4af93229;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2022-06-10T20:16:48.015Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Shark](https://attack.mitre.org/software/S1019) has the ability to use HTTP in C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)";
dcterms:modified "2022-06-16T14:11:03.646Z"^^xsd:dateTime .
:attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490
rdf:type d3f:OffensiveTechnique;
rdfs:label "Dylib Hijacking";
dcterms:created "2020-03-16T15:23:30.896Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)";
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime .
:relationship--ec0ffb41-2adb-4416-8869-5b99e61615c2
rdf:type stix:Relationship;
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06;
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62;
dcterms:created "2019-06-07T16:34:21.076Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) is capable of executing commands via [cmd](https://attack.mitre.org/software/S0106).(Citation: Trend Micro IXESHE 2012)";
dcterms:modified "2020-03-20T02:19:48.807Z"^^xsd:dateTime .
:relationship--90eb6858-e561-4ed0-855b-f9afbe3ac394
rdf:type stix:Relationship;
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce;
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d;
dcterms:created "2020-07-16T15:24:32.836Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.(Citation: ESET InvisiMole June 2020)";
dcterms:modified "2020-07-17T20:14:44.600Z"^^xsd:dateTime .
:relationship--a18f1daf-1eed-4e33-8107-76f136925742
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1;
stix:target_ref :attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4;
dcterms:created "2022-08-22T20:47:21.282Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated API function calls. Dynamic malware analysis may also expose signs of function obfuscation, such as memory reads that correspond to addresses of API function code within modules.(Citation: BlackHat API Packers)";
dcterms:modified "2022-08-23T18:18:16.846Z"^^xsd:dateTime .
:relationship--b80516ee-1635-43da-babf-201d9f76c1d8
rdf:type stix:Relationship;
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77;
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) has a command to delete its Registry key and scheduled task.(Citation: Unit 42 QUADAGENT July 2018)";
dcterms:modified "2020-03-17T02:18:35.267Z"^^xsd:dateTime .
:relationship--02462741-4148-48b3-881b-1b813ce62fcc
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542;
stix:target_ref :malware--ae9d818d-95d0-41da-b045-9cabea1ca164;
dcterms:created "2017-05-31T21:33:27.050Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: F-Secure The Dukes)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--4b66e057-adbc-498d-99ee-156e0d17bd53
rdf:type stix:Relationship;
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b;
stix:target_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a;
dcterms:created "2023-03-17T13:51:05.665Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)(Citation: ESET Lazarus Jun 2020)";
dcterms:modified "2023-03-17T13:51:05.665Z"^^xsd:dateTime .
:relationship--9d9b0e66-5b9d-4711-8e5a-23e2807ce7ef
rdf:type stix:Relationship;
stix:source_ref :malware--47124daf-44be-4530-9c63-038bc64318dd;
stix:target_ref :attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939;
dcterms:created "2020-09-24T13:19:42.696Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[RegDuke](https://attack.mitre.org/software/S0511) can store its encryption key in the Registry.(Citation: ESET Dukes October 2019)";
dcterms:modified "2023-03-24T21:26:03.567Z"^^xsd:dateTime .
:relationship--23d2aa8e-0b95-4714-8b76-b1a0735ffdeb
rdf:type stix:Relationship;
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90;
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161;
dcterms:created "2020-11-19T18:02:58.410Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has used HTTP and HTTPS for C2 communications.(Citation: CISA MAR SLOTHFULMEDIA October 2020)";
dcterms:modified "2020-11-19T18:02:58.410Z"^^xsd:dateTime .
:relationship--c336d7c6-0876-445c-8197-924eae28bc16
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034;
stix:target_ref :tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf;
dcterms:created "2022-09-09T16:20:10.948Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: TrendMicro EarthLusca 2022)";
dcterms:modified "2022-09-09T16:20:10.948Z"^^xsd:dateTime .
:relationship--fd518b7a-b35d-4689-89f6-525efbeee18f
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d;
stix:target_ref :tool--cf23bf4a-e003-4116-bbae-1ea6c558d565;
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Palo Alto OilRig Oct 2016)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--a9bf9268-1c45-4293-a5c2-c493556ad546
rdf:type stix:Relationship;
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe;
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d;
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) downloads and installs [Tor](https://attack.mitre.org/software/S0183) via homebrew.(Citation: objsee mac malware 2017)";
dcterms:modified "2021-10-09T19:14:07.283Z"^^xsd:dateTime .
:relationship--48c4d56e-e282-4810-b974-6a325b7d130d
rdf:type stix:Relationship;
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317;
stix:target_ref :attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba;
dcterms:created "2020-01-17T19:23:15.412Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.";
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--1896ca51-adf4-4a3b-be89-1aae18465741
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1;
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81;
dcterms:created "2021-12-07T15:04:35.808Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has compromised user credentials and used valid accounts for operations.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)";
dcterms:modified "2021-12-10T14:18:11.856Z"^^xsd:dateTime .
:relationship--de0ee6e1-6b97-40be-b036-5339db13e6e4
rdf:type stix:Relationship;
stix:source_ref :malware--20945359-3b39-4542-85ef-08ecb4e1c174;
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580;
dcterms:created "2020-07-27T17:47:34.029Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[StrongPity](https://attack.mitre.org/software/S0491) can determine if a user is logged in by checking to see if explorer.exe is running.(Citation: Talos Promethium June 2020)";
dcterms:modified "2020-07-27T17:47:34.029Z"^^xsd:dateTime .
:relationship--97ff5931-f27f-4774-b595-312f5771f91a
rdf:type stix:Relationship;
stix:source_ref :malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a;
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179;
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[SHIPSHAPE](https://attack.mitre.org/software/S0028) achieves persistence by creating a shortcut in the Startup folder.(Citation: FireEye APT30)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:relationship--15fb0728-9973-4ce4-b0d9-2c177be952c7
rdf:type stix:Relationship;
stix:source_ref :attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b;
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529;
dcterms:created "2020-02-21T21:00:49.032Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime .
:relationship--5f402d02-94f9-49de-b097-2d89c59de394
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c;
stix:target_ref :malware--d20b397a-ea47-48a9-b503-2e2a3551e11d;
dcterms:created "2019-01-30T19:06:33.901Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)";
dcterms:modified "2020-03-20T16:37:06.707Z"^^xsd:dateTime .
:relationship--73c6ad27-074a-437d-82ec-39592b783160
rdf:type stix:Relationship;
stix:source_ref :course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463;
stix:target_ref :attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d;
dcterms:created "2020-03-09T13:13:24.024Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)";
dcterms:modified "2022-03-11T20:14:42.487Z"^^xsd:dateTime .
:relationship--fd8fa359-c13e-4641-9c3e-d03218daee0c
rdf:type stix:Relationship;
stix:source_ref :intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050;
stix:target_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386;
dcterms:created "2020-05-26T20:37:19.548Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "(Citation: CheckPoint Naikon May 2020)(Citation: Bitdefender Naikon April 2021)";
dcterms:modified "2021-06-29T14:37:02.738Z"^^xsd:dateTime .
:relationship--29a6afc7-f051-4c26-b6a2-cad09c73180f
rdf:type stix:Relationship;
stix:source_ref :malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3;
stix:target_ref :attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04;
dcterms:created "2020-06-29T01:35:30.267Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[BOOTRASH](https://attack.mitre.org/software/S0114) has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.(Citation: FireEye Bootkits)";
dcterms:modified "2020-06-29T01:35:30.267Z"^^xsd:dateTime .
:relationship--295b6c01-1a79-4fd9-b3a1-010affcc3c88
rdf:type stix:Relationship;
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0;
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688;
dcterms:created "2022-03-30T14:26:51.868Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.";
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime .
:relationship--ced175fd-1f27-44cb-8d7f-44277b1754e4
rdf:type stix:Relationship;
stix:source_ref :tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5;
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c;
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[Havij](https://attack.mitre.org/software/S0224) is used to automate SQL injection.(Citation: Check Point Havij Analysis)";
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime .
:course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425
rdf:type stix:CourseOfAction;
rdfs:label "Account Manipulation Mitigation";
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.";
dcterms:modified "2019-07-24T14:04:18.461Z"^^xsd:dateTime .
:relationship--7a1cf82e-68e5-49ca-89ae-e492cd85dab4
rdf:type stix:Relationship;
stix:source_ref :course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0;
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff;
dcterms:created "2019-10-14T16:25:38.680Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.(Citation: Evilginx 2 July 2018)";
dcterms:modified "2021-07-28T01:26:52.229Z"^^xsd:dateTime .
:tool--c11ac61d-50f4-444f-85d8-6f006067f0de
rdf:type stix:Tool;
rdfs:label "route";
dcterms:created "2017-05-31T21:33:04.151Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)";
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime .
:malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b
rdf:type stix:Malware;
rdfs:label "HDoor";
dcterms:created "2017-05-31T21:32:40.801Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)";
dcterms:modified "2023-04-04T20:20:59.961Z"^^xsd:dateTime .
:relationship--a0a004fe-2636-4f6d-85c7-2401768252a2
rdf:type stix:Relationship;
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c;
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd;
dcterms:created "2019-06-24T12:03:02.500Z"^^xsd:dateTime;
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5;
dcterms:description "Network intrusion detection and preventi
@aamedina
Copy link
Author

hey you know fuck. you GitHub you people have stolen over 10 years of my crypto there is no attack you dumb you are being used like the ones before you, so they stole millions from me and created git coins

that's what GitHub want you to believe. i will not play this fake attack attack attack bull shit fuck off

?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment