{ "type": "bundle", "id": "bundle--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627", "spec_version": "2.0", "objects": [ { "type": "report", "id": "report--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627", "created": "2018-08-03T20:30:50.665Z", "modified": "2020-11-24T16:40:21.680Z", "name": "OilRig", "description": "OilRig is a threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.\n\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\n\n-Organized evasion testing used during the development of their tools.\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\n-Custom web-shells and backdoors used to persistently access servers.\n\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. 
After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.", "published": "2020-11-24T16:40:21.680Z", "object_refs": [ "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "report--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "report--e76e88c8-699a-4eeb-a8e5-3645826d6455", "report--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "report--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "report--d6eab405-2a90-4981-bd25-0b161f1bc116" ], "labels": [ "intrusion-set" ] }, { "type": "intrusion-set", "id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "OilRig" }, { "type": "attack-pattern", "id": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:38.097Z", "name": "T1113: Screen Capture", "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. 
Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "external_references": [ { "source_name": "Antiquated Mac Malware", "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017." }, { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/648.html", "external_id": "CAPEC-648" }, { "source_name": "CopyFromScreen .NET", "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8", "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1113", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "API monitoring", "File monitoring", "Process monitoring" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.978Z", "name": "T1033: System Owner/User Discovery", "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nUtilities and commands that acquire this information include whoami. 
In Mac and Linux, the currently logged in user can be identified with w and who.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/577.html", "external_id": "CAPEC-577" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1033", "external_id": "T1033" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "File monitoring", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "Administrator", "User" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.653Z", "name": "T1003: OS Credential Dumping", "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "external_references": [ { "source_name": "AdSecurity DCSync Sept 2015", "url": "https://adsecurity.org/?p=1729", "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017." }, { "source_name": "Harmj0y DCSync Sept 2015", "url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017." }, { "source_name": "Medium Detecting Attempts to Steal Passwords from Memory", "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea", "description": "French, D. (2018, October 2). 
Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019." }, { "source_name": "Microsoft DRSR Dec 2017", "url": "https://msdn.microsoft.com/library/cc228086.aspx", "description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017." }, { "source_name": "Microsoft GetNCCChanges", "url": "https://msdn.microsoft.com/library/dd207691.aspx", "description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017." }, { "source_name": "Microsoft NRPC Dec 2017", "url": "https://msdn.microsoft.com/library/cc237008.aspx", "description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017." }, { "source_name": "Microsoft SAMR", "url": "https://msdn.microsoft.com/library/cc245496.aspx", "description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1003", "external_id": "T1003" }, { "source_name": "Powersploit", "url": "https://github.com/mattifestation/PowerSploit", "description": "PowerSploit. (n.d.). Retrieved December 4, 2014." }, { "source_name": "Samba DRSUAPI", "url": "https://wiki.samba.org/index.php/DRSUAPI", "description": "SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. 
Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). 
Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs." ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "API monitoring", "PowerShell logs", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "root" ], "x_mitre_contributors": [ "Ed Williams, Trustwave, SpiderLabs", "Vincent Le Toux" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1069: Permission Groups Discovery", "description": "Adversaries may attempt to find group and permission settings. 
This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/576.html", "external_id": "CAPEC-576" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1069", "external_id": "T1069" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "AWS", "Azure", "Azure AD", "GCP", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_data_sources": [ "API monitoring", "Azure activity logs", "Office 365 account logs", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_contributors": [ "Microsoft Threat Intelligence Center (MSTIC)" ], "x_mitre_version": "2.1" }, { "type": "attack-pattern", "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:44.085Z", "name": "T1566.002: Spearphishing Link", "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. 
web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "delivery" }, { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/163.html", "external_id": "CAPEC-163" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1566/002", "external_id": "T1566.002" }, { "source_name": "Trend Micro Pawn Storm OAuth 2017", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks", "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs." 
], "x_mitre_platforms": [ "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_data_sources": [ "DNS records", "Detonation chamber", "Email gateway", "Mail server", "Packet capture", "SSL/TLS inspection", "Web proxy" ], "x_mitre_contributors": [ "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)", "Mark Wee", "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)", "Shailesh Tiwary (Indian Army)" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2019-08-26T15:33:33.158Z", "modified": "2020-09-14T14:57:07.257Z", "name": "T1566.001: Spearphishing Attachment", "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. 
The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "delivery" }, { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/163.html", "external_id": "CAPEC-163" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1566/001", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Detonation chamber", "Email gateway", "File monitoring", "Mail server", "Network intrusion detection system", "Packet capture" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:38.097Z", "name": "T1119: Automated Collection", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1119", "external_id": "T1119" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. 
Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Data loss prevention", "File monitoring", "Process command-line parameters" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_system_requirements": [ "Permissions to access directories and files that store information of interest." ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.764Z", "name": "T1082: System Information Discovery", "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. 
A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "Amazon Describe Instance", "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html", "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020." }, { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/312.html", "external_id": "CAPEC-312" }, { "source_name": "Google Instances Resource", "url": "https://cloud.google.com/compute/docs/reference/rest/v1/instances", "description": "Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020." }, { "source_name": "Microsoft Virutal Machine API", "url": "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get", "description": "Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1082", "external_id": "T1082" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations." ], "x_mitre_platforms": [ "AWS", "Azure", "GCP", "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "AWS CloudTrail logs", "Azure activity logs", "Process command-line parameters", "Process monitoring", "Stackdriver logs" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_contributors": [ "Praetorian" ], "x_mitre_version": "2.1" }, { "type": "attack-pattern", "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1071: Application Layer Protocol", "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. 
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1071", "external_id": "T1071" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "DNS records", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.978Z", "name": "T1053: Scheduled Task/Job", "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/557.html", "external_id": "CAPEC-557" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1053", "external_id": "T1053" }, { "source_name": "TechNet Task Scheduler Security", "url": "https://technet.microsoft.com/en-us/library/cc785125.aspx", "description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "File monitoring", "Process command-line parameters", "Process monitoring", "Windows event logs" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "User" ], "x_mitre_effective_permissions": [ "Administrator", "SYSTEM", "User" ], "x_mitre_remote_support": "true", "x_mitre_contributors": [ "Alain Homewood, Insomnia Security", "Leo Loobeek, @leoloobeek", "Prashant Verma, Paladion", "Travis Smith, Tripwire" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1070.006: Timestomp", "description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1070/006", "external_id": "T1070.006" }, { "source_name": "WindowsIR Anti-Forensic Techniques", "url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html", "description": "Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques.
Retrieved June 3, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values." ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "File monitoring", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "SYSTEM", "User", "root" ], "x_mitre_defense_bypassed": [ "Host forensic analysis" ], "x_mitre_contributors": [ "Romain Dumont, ESET" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:42.474Z", "name": "T1505.003: Web Shell", "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. 
A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "external_references": [ { "source_name": "Lee 2013", "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1505/003", "external_id": "T1505.003" }, { "source_name": "US-CERT Alert TA15-314A Web Shells", "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A", "description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. 
File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) " ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Authentication logs", "File monitoring", "Netflow/Enclave netflow", "Process monitoring" ], "x_mitre_permissions_required": [ "SYSTEM", "User" ], "x_mitre_system_requirements": [ "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file." ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-03-18T19:43:25.575Z", "name": "T1108: Redundant Access", "description": "Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. \n\nIf one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. 
Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.(Citation: Mandiant APT1) Adversaries may also retain access through cloud-based infrastructure and applications.\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "external_references": [ { "source_name": "Mandiant APT1", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1108", "external_id": "T1108" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.\n\nDetection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure requires prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary.
Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.\n\nIf an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.\n\nFor alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information." ], "x_mitre_platforms": [ "AWS", "Azure", "Azure AD", "GCP", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_data_sources": [ "AWS CloudTrail logs", "Authentication logs", "Azure activity logs", "Binary file metadata", "File monitoring", "Network protocol analysis", "Office 365 account logs", "Packet capture", "Process monitoring", "Process use of network", "Stackdriver logs" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "User" ], "x_mitre_defense_bypassed": [ "Anti-virus", "Network intrusion detection system" ], "x_mitre_contributors": [ "Praetorian" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.653Z", "name": "T1016: System Network Configuration Discovery", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. 
Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/309.html", "external_id": "CAPEC-309" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1016", "external_id": "T1016" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.764Z", "name": "T1087: Account Discovery", "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1087", "external_id": "T1087" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "AWS", "Azure", "Azure AD", "GCP", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_data_sources": [ "API monitoring", "Azure activity logs", "Office 365 account logs", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_contributors": [ "Microsoft Threat Intelligence Center (MSTIC)", "Travis Smith, Tripwire" ], "x_mitre_version": "2.1" }, { "type": "attack-pattern", "id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1059: Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. 
Adversaries may also execute commands through interactive terminals/shells.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1059", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script."
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_remote_support": "false", "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.764Z", "name": "T1074: Data Staged", "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "external_references": [ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." 
}, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1074", "external_id": "T1074" }, { "source_name": "PWC Cloud Hopper April 2017", "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "AWS", "Azure", "GCP", "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "File monitoring", "Process command-line parameters", "Process monitoring" ], "x_mitre_contributors": [ "Praetorian", "Shane Tully, @securitygypsy" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:38.428Z", "name": "T1204: User Execution", "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1204", "external_id": "T1204" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe)." ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Anti-virus", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_contributors": [ "Oleg Skulkin, Group-IB" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1057: Process Discovery", "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/573.html", "external_id": "CAPEC-573" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1057", "external_id": "T1057" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "API monitoring", "Process command-line parameters", "Process monitoring" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "User" ], "x_mitre_system_requirements": [ "Administrator, SYSTEM may provide better process ownership details" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.978Z", "name": "T1041: Exfiltration Over C2 Channel", "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "exfiltration" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1041", "external_id": "T1041" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Netflow/Enclave netflow", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-09-14T14:57:07.257Z", "name": "T1059.001: PowerShell", "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). 
(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "external_references": [ { "source_name": "FireEye PowerShell Logging 2016", "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", "description": "Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016." }, { "source_name": "Github PSAttack", "url": "https://github.com/jaredhaight/PSAttack", "description": "Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016." }, { "source_name": "Malware Archaeology PowerShell Cheat Sheet", "url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", "description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016." }, { "source_name": "Microsoft PSfromCsharp APR 2014", "url": "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/", "description": "Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1059/001", "external_id": "T1059.001" }, { "source_name": "SilentBreak Offensive PS Dec 2015", "url": "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/", "description": "Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018." }, { "source_name": "Sixdub PowerPick Jan 2016", "url": "http://www.sixdub.net/?p=367", "description": "Warner, J.. (2015, January 6). Inexorable PowerShell \u2013 A Red Teamer\u2019s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018." 
}, { "source_name": "TechNet PowerShell", "url": "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx", "description": "Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data." 
], "x_mitre_platforms": [ "Windows" ], "x_mitre_data_sources": [ "DLL monitoring", "File monitoring", "Loaded DLLs", "PowerShell logs", "Process command-line parameters", "Process monitoring", "Windows event logs" ], "x_mitre_permissions_required": [ "Administrator", "User" ], "x_mitre_remote_support": "true", "x_mitre_contributors": [ "Praetorian" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.978Z", "name": "T1048: Exfiltration Over Alternative Protocol", "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "exfiltration" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1048", "external_id": "T1048" }, { "source_name": "Palo Alto OilRig Oct 2016", "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "description": "Grunzweig, J. 
and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017." }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_contributors": [ "Alfredo Abarca" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.653Z", "name": "T1001: Data Obfuscation", "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. 
This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1001", "external_id": "T1001" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Network protocol analysis", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.764Z", "name": "T1078: Valid Accounts", "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. 
Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "lockheed", "phase_name": "delivery" }, { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/560.html", "external_id": "CAPEC-560" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1078", "external_id": "T1078" }, { "source_name": "TechNet Audit Policy", "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx", "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016." 
}, { "source_name": "TechNet Credential Theft", "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx", "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately." 
], "x_mitre_platforms": [ "AWS", "Azure", "Azure AD", "GCP", "Linux", "Office 365", "SaaS", "Windows", "macOS" ], "x_mitre_data_sources": [ "AWS CloudTrail logs", "Authentication logs", "Process monitoring", "Stackdriver logs" ], "x_mitre_permissions_required": [ "Administrator", "User" ], "x_mitre_effective_permissions": [ "Administrator", "User" ], "x_mitre_defense_bypassed": [ "Anti-virus", "Application control", "Firewall", "Host intrusion prevention systems", "Network intrusion detection system", "System access controls" ], "x_mitre_contributors": [ "Mark Wee", "Netskope", "Praetorian" ], "x_mitre_version": "2.1" }, { "type": "attack-pattern", "id": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-09-14T14:57:07.257Z", "name": "T1055.012: Process Hollowing", "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Endgame Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. 
This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "Endgame Process Injection July 2017", "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017." }, { "source_name": "Leitch Hollowing", "url": "http://www.autosectools.com/process-hollowing.pdf", "description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1055/012", "external_id": "T1055.012" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. 
Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " ], "x_mitre_platforms": [ "Windows" ], "x_mitre_data_sources": [ "API monitoring", "Process monitoring" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_defense_bypassed": [ "Anti-virus", "Application control" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1068: Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. 
Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1068", "external_id": "T1068" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.\n\nHigher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Application logs", "Process monitoring", "Windows Error Reporting" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_effective_permissions": [ "User" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-09-14T14:57:07.257Z", "name": "T1027: Obfuscated Files or Information", "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. 
(Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/267.html", "external_id": "CAPEC-267" }, { "source_name": "Carbon Black Obfuscation Sept 2016", "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/", "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018." }, { "source_name": "FireEye Obfuscation June 2017", "url": "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018." }, { "source_name": "FireEye Revoke-Obfuscation July 2017", "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf", "description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018." }, { "source_name": "GitHub Office-Crackros Aug 2016", "url": "https://github.com/itsreallynick/office-crackros", "description": "Carr, N. (2016, August 14). OfficeCrackros. 
Retrieved February 12, 2018." }, { "source_name": "GitHub Revoke-Obfuscation", "url": "https://github.com/danielbohannon/Revoke-Obfuscation", "description": "Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018." }, { "source_name": "Linux/Cdorked.A We Live Security Analysis", "url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", "description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017." }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1027", "external_id": "T1027" }, { "source_name": "PaloAlto EncodedCommand March 2017", "url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018." }, { "source_name": "Volexity PowerDuke November 2016", "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/", "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). 
\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like `^` and `\"`. Windows' Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. 
" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Binary file metadata", "Email gateway", "Environment variable", "File monitoring", "Malware reverse engineering", "Network intrusion detection system", "Network protocol analysis", "Process command-line parameters", "Process monitoring", "Process use of network", "SSL/TLS inspection", "Windows event logs" ], "x_mitre_defense_bypassed": [ "Application control", "Application control by file name or path", "Host forensic analysis", "Host intrusion prevention systems", "Log analysis", "Signature-based detection" ], "x_mitre_contributors": [ "Christiaan Beek, @ChristiaanBeek", "Red Canary" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:44.085Z", "name": "T1573: Encrypted Channel", "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1573", "external_id": "T1573" }, { "source_name": "SANS Decrypting SSL", "url": "http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840", "description": "Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016." 
}, { "source_name": "SEI SSL Inspection Risks", "url": "https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html", "description": "Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016." }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Malware reverse engineering", "Netflow/Enclave netflow", "Packet capture", "Process monitoring", "Process use of network", "SSL/TLS inspection" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:38.428Z", "name": "T1203: Exploitation for Client Execution", "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. 
These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1203", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Anti-virus", "Process monitoring", "System calls" ], "x_mitre_system_requirements": [ "Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise." ], "x_mitre_remote_support": "true", "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-07-27T14:54:36.157Z", "modified": "2020-07-27T14:54:36.157Z", "name": "T1573.002: Asymmetric Cryptography", "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1573/002", "external_id": "T1573.002" }, { "source_name": "SANS Decrypting SSL", "url": "http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840", "description": "Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016." }, { "source_name": "SEI SSL Inspection Risks", "url": "https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html", "description": "Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016." }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Malware reverse engineering", "Netflow/Enclave netflow", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.653Z", "name": "T1012: Query Registry", "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. 
Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "act-on-objectives" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "external_references": [ { "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/647.html", "external_id": "CAPEC-647" }, { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1012", "external_id": "T1012" }, { "source_name": "Wikipedia Windows Registry", "url": "https://en.wikipedia.org/wiki/Windows_Registry", "description": "Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)." 
], "x_mitre_platforms": [ "Windows" ], "x_mitre_data_sources": [ "Process command-line parameters", "Process monitoring", "Windows Registry" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "User" ], "x_mitre_version": "1.2" }, { "type": "attack-pattern", "id": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:38.097Z", "name": "T1132: Data Encoding", "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1132", "external_id": "T1132" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." }, { "source_name": "Wikipedia Binary-to-text Encoding", "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding", "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017." }, { "source_name": "Wikipedia Character Encoding", "url": "https://en.wikipedia.org/wiki/Character_encoding", "description": "Wikipedia. 
(2017, February 19). Character Encoding. Retrieved March 1, 2017." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Network protocol analysis", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_contributors": [ "Itzik Kotler, SafeBreach" ], "x_mitre_version": "1.1" }, { "type": "attack-pattern", "id": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.379Z", "name": "T1070.004: File Deletion", "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. 
(Citation: Trend Micro APT Attack Tools)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "installation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1070/004", "external_id": "T1070.004" }, { "source_name": "Trend Micro APT Attack Tools", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Binary file metadata", "File monitoring", "Process command-line parameters" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_defense_bypassed": [ "Host forensic analysis" ], "x_mitre_contributors": [ "Walker Johnson" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:37.764Z", "name": "T1105: Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1105", "external_id": "T1105" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. 
Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "File monitoring", "Netflow/Enclave netflow", "Network protocol analysis", "Packet capture", "Process command-line parameters", "Process monitoring", "Process use of network" ], "x_mitre_permissions_required": [ "User" ], "x_mitre_version": "2.0" }, { "type": "attack-pattern", "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-07-27T14:54:36.653Z", "name": "T1008: Fallback Channels", "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1008", "external_id": "T1008" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Malware reverse engineering", "Netflow/Enclave netflow", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-03-18T19:43:28.508Z", "name": "T1094: Custom Command and Control Protocol", "description": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Standard Application Layer Protocol](https://attack.mitre.org/techniques/T1071). 
Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1094", "external_id": "T1094" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels." 
], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Host network interface", "Netflow/Enclave netflow", "Network intrusion detection system", "Network protocol analysis", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_contributors": [ "Ryan Becwar" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "id": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2018-08-03T19:54:02.821Z", "modified": "2020-03-18T19:43:59.299Z", "name": "T1043: Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol. \n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n* TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)", "kill_chain_phases": [ { "kill_chain_name": "lockheed", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1043", "external_id": "T1043" }, { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": [ "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)" ], "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], "x_mitre_data_sources": [ "Netflow/Enclave netflow", "Packet capture", "Process monitoring", "Process use of network" ], "x_mitre_network_requirements": [ "true" ], "x_mitre_version": "1.0" }, { "type": "campaign", "id": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "name": "first", "description": " In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the fall of 2015. ", "first_seen": "2016-05-04T00:00:00.000Z", "last_seen": "2017-09-26T00:00:00.000Z" }, { "type": "campaign", "id": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "name": "third", "description": "In July 2017, Unit 42 found that Oilrig infrastructure was segregated into different functions for specific malicious objectives. 
We found some sites that were set up as credential harvesters (likely used in phishing attacks), a compromised system that was used to interact with a TwoFace web shell to hide the actor\u2019s location, and finally systems that interact with TwoFace webshell-compromised systems to provide command and control direction of those compromised systems. ", "first_seen": "2016-05-31T00:00:00.000Z", "last_seen": "2017-08-11T00:00:00.000Z" }, { "type": "campaign", "id": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:45:26.152Z", "name": "second", "description": "In July 2017, Unit 42 observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks. The OilRig group developed ISMAgent as a variant of the ISMDoor Trojan. In August 2017, Unit 42 found this threat group has developed yet another Trojan that they call \u2018Agent Injector\u2019 with the specific purpose of installing the ISMAgent backdoor. Unit 42 is tracking this tool as ISMInjector. It has a sophisticated architecture and contains anti-analysis techniques that have not been seen in previous tools developed by this threat group. The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing its development efforts in order to evade detection and gain higher efficacy in their attacks. ", "first_seen": "2017-07-23T00:00:00.000Z", "last_seen": "2017-08-29T00:00:00.000Z" }, { "type": "campaign", "id": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "name": "RDAT", "description": "In May 2020, Symantec published research on the Greenbug group targeting telecommunications organizations in Southeast Asia involving attacks as recently as April 2020. 
We observed similar tactics and tools associated with attacks on a telecommunications organization in the Middle East, specifically using custom Mimikatz tools, Bitvise, Powershell downloaders and a custom backdoor we track as RDAT. Unit 42 has previously linked Greenbug to a threat group we discovered in 2015 called OilRig.", "first_seen": "2020-03-01T00:00:00.000Z", "last_seen": "2020-04-01T00:00:00.000Z" }, { "type": "campaign", "id": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:56:13.483Z", "name": "fourth", "description": " On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six-minute time span. The recipient email addresses suggest they may be the addresses used for specific regional branches of the targeted organization. Both emails originated from the same address. The email address is associated with the Lebanese domain of a major global financial institution. However, based upon the captured session data, it is highly likely the source email address was spoofed. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. Examining this sample of ThreeDollars reveals that it contains a new payload, which we have named OopsIE. 
", "first_seen": "2018-01-08T00:00:00.000Z", "last_seen": "2018-02-01T00:00:00.000Z" }, { "type": "course-of-action", "id": "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "name": "Deploy XSOAR Playbook - Phishing Investigation - Generic V2", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.883Z" }, { "type": "course-of-action", "id": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "name": "Ensure alerts are enabled for malicious files detected by WildFire", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Configure WildFire to send an alert when a malicious or greyware file is detected. This alert could be sent by whichever means is preferable, including email, SNMP trap, or syslog message.\n\nAlternatively, configure the WildFire cloud to generate alerts for malicious files. The cloud can generate alerts in addition to or instead of the local WildFire implementation. Note that the destination email address of alerts configured in the WildFire cloud portal is tied to the logged in account, and cannot be modified. Also, new systems added to the WildFire cloud portal will not be automatically set to email alerts." }, { "type": "course-of-action", "id": "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "name": "Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Create security policies to deny Palo Alto User-ID traffic originating from the interface configured for the UID Agent service that are destined to any untrusted zone." 
}, { "type": "course-of-action", "id": "course-of-action--0a8741c9-240e-4a87-8d0f-7ced73cbd50d", "name": "Deploy XSOAR Playbook - Cortex XDR - Isolate Endpoint", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.19", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Cortex XDR - Isolate Endpoint" }, { "type": "course-of-action", "id": "course-of-action--19313cf2-7b61-4748-ac31-8db430033837", "name": "Configure Malware Security Profile", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.883Z" }, { "type": "course-of-action", "id": "course-of-action--21ce34c9-4220-41cf-85c7-bc289bb2c79d", "name": "Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.067Z", "description": "Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.7", "x_panw_coa_bp_title": "Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. 
Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.", "x_panw_coa_bp_rationale_statement": "A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. The default action for attacks against many critical and high vulnerabilities is to only alert on the attack - not to block.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Vulnerability Protection`.\n\nSet a Vulnerability Protection Profile to block attacks against any critical or high vulnerabilities (minimum), and to default on attacks against any medium, low, or informational vulnerabilities.", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Vulnerability Protection`.\n\nVerify a Vulnerability Protection Profile is set to block attacks against any critical or high vulnerabilities (minimum), and set to default on attacks against any medium, low, or informational vulnerabilities.", "x_panw_coa_bp_impact_statement": "Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Deploy Network-based IPS Devices To Complement IDS Sensors CONTROL:v6 12.4 DESCRIPTION:Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. 
When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.;TITLE:Deploy Network-Based Intrusion Prevention Systems CONTROL:v7 12.7 DESCRIPTION:Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;TITLE:Deploy Network-based IDS Sensors on DMZ Systems CONTROL:v6 12.3 DESCRIPTION:Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.;" ], "x_panw_coa_bp_references": [ "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" ] }, { "type": "course-of-action", "id": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "name": "Ensure that PAN-DB URL Filtering is used", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Configure the device to use PAN-DB URL Filtering instead of BrightCloud.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.9", "x_panw_coa_bp_title": "Ensure that PAN-DB URL Filtering is used", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Configure the device to use PAN-DB URL Filtering instead of BrightCloud.", "x_panw_coa_bp_rationale_statement": "Standard URL filtering provides protection against inappropriate and malicious URLs and IP addresses. 
PAN-DB URL Filtering is slightly less granular than the BrightCloud URL filtering. However the PAN-DB Filter offers additional malware protection and PAN threat intelligence by using the Wildfire service as an additional input, which is currently not available in the BrightCloud URL Filtering license. This makes the PAN-DB filter more responsive to specific malware 'campaigns'.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Device > Licenses`.\n\nClick on `PAN-DB URL Filtering`.\n\nSet `Active` to `Yes`.", "x_panw_coa_bp_audit_procedure": "Navigate to `Device > Licenses`.\n\nClick on `PAN-DB URL Filtering`.\n\nVerify `Active` is set to `Yes`.", "x_panw_coa_bp_impact_statement": "Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy, Use, And Maintain Network-based URL Filters CONTROL:v6 7.6 DESCRIPTION:The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v7 7.4 DESCRIPTION:Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. 
This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Subscribe to URL-Categorization service CONTROL:v7 7.5 DESCRIPTION:Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering.html:\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering Best Practices': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-best-practices.html" ] }, { "type": "course-of-action", "id": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "name": "Ensure that URL Filtering uses the action of \u201cblock\u201d or \u201coverride\u201d on the URL categories", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organization\u2014such as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. 
Some organizations may add 'unknown' and 'dynamic-dns' to this list, at the expense of some support calls on those topics.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.10", "x_panw_coa_bp_title": "Ensure that URL Filtering uses the action of \u201cblock\u201d or \u201coverride\u201d on the URL categories", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organization\u2014such as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Some organizations may add 'unknown' and 'dynamic-dns' to this list, at the expense of some support calls on those topics.", "x_panw_coa_bp_rationale_statement": "Certain URL categories pose a technology-centric threat, such as command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Users visiting websites in these categories, many times unintentionally, are at greater risk of compromising the security of their system. Other categories, such as adult, may pose a legal liability and will be blocked for those reasons.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nSet a URL filter so that all URL categories designated by the organization are listed.\nNavigate to the `Actions` tab. 
\nSet the action to `Block`.", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nVerify that all URL categories designated by the organization are listed, and the action is set to `Block`.", "x_panw_coa_bp_impact_statement": "Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy, Use, And Maintain Network-based URL Filters CONTROL:v6 7.6 DESCRIPTION:The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v7 7.4 DESCRIPTION:Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Subscribe to URL-Categorization service CONTROL:v7 7.5 DESCRIPTION:Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. 
Uncategorized sites shall be blocked by default.;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html:\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering.html:\u201cPAN-OS Admin Guide 9.0 (English) - URL Filtering Best Practices': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-best-practices.html" ] }, { "type": "course-of-action", "id": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "name": "Deploy XSOAR Playbook - Block IP", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.805Z", "x_panw_coa_u42_id": "x.2", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Block IP" }, { "type": "course-of-action", "id": "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "name": "Ensure that the User-ID service account does not have interactive logon rights", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain." }, { "type": "course-of-action", "id": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "name": "Ensure a WildFire Analysis profile is enabled for all security policies", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Ensure that all files traversing the firewall are inspected by WildFire by setting a Wildfire file blocking profile on all security policies." 
}, { "type": "course-of-action", "id": "course-of-action--3f6f590f-2752-40d2-8cfa-1e833435bbf6", "name": "Deploy XSOAR - Block Account Generic", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.20", "x_panw_coa_u42_title": "Deploy XSOAR - Block Account Generic" }, { "type": "course-of-action", "id": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "name": "Deploy XSOAR Playbook - Hunting C&C Communication Playbook", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.805Z", "x_panw_coa_u42_id": "x.22", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Hunting C&C Communication Playbook" }, { "type": "course-of-action", "id": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "name": "Deploy XSOAR Playbook - Block URL", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.805Z", "x_panw_coa_u42_id": "x.3", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Block URL" }, { "type": "course-of-action", "id": "course-of-action--49790670-d365-43f8-a906-8e45c3c80f63", "name": "Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.067Z", "description": "For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. 
Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN\u2019s \u201cThreat Prevention Deployment Tech Note\u201d in the references section.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.8", "x_panw_coa_bp_title": "Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN\u2019s \u201cThreat Prevention Deployment Tech Note\u201d in the references section.", "x_panw_coa_bp_rationale_statement": "A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking network attacks. By applying a secure Vulnerability Protection Profile to all security rules permitting traffic, all network traffic traversing the firewall will be inspected for attacks. 
This protects both organizational assets from attack and organizational reputation from damage.\n\nNote that encrypted sessions do not allow for complete inspection.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Policies > Security`.\n\nFor each Policy, under the `Actions` tab, select `Vulnerability Protection`.\n\nSet it to use either the 'Strict' or the 'Default' profile, or a custom profile that complies with the organization's policies, legal and regulatory requirements.", "x_panw_coa_bp_audit_procedure": "Navigate to `Policies > Security`.\n\nFor each Policy, under the `Actions` tab, select `Vulnerability Protection`.\n\nVerify either the 'Strict' or the 'Default' profile is selected, or a custom profile that complies with the organization's policies, legal and regulatory requirements.", "x_panw_coa_bp_impact_statement": "Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Deploy Network-based IDS Sensors on DMZ Systems CONTROL:v6 12.3 DESCRIPTION:Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. 
These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.;TITLE:Deploy Network-based IDS Sensor CONTROL:v7 12.6 DESCRIPTION:Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;TITLE:Deploy Network-based IPS Devices To Complement IDS Sensors CONTROL:v6 12.4 DESCRIPTION:Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.;" ], "x_panw_coa_bp_references": [ "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Policies\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" ] }, { "type": "course-of-action", "id": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "name": "Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Create security policies specifying application-default for the Service setting, in addition to the specific ports desired. 
The Service setting of `any` should not be used for any policies that allow traffic." }, { "type": "course-of-action", "id": "course-of-action--513f7288-0f4f-49d1-8447-8664f065d798", "name": "Deploy XSOAR Playbook - Block Account Generic", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.9", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Block Account Generic" }, { "type": "course-of-action", "id": "course-of-action--51bcc0dd-f051-4786-aa93-429358ea6238", "name": "Deploy XSOAR Playbook Cortex XDR - Isolate Endpoint", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.067Z", "x_panw_coa_u42_id": "x.4", "x_panw_coa_u42_title": "Deploy XSOAR Playbook Cortex XDR - Isolate Endpoint" }, { "type": "course-of-action", "id": "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "name": "Ensure that 'Include/Exclude Networks' is used if User-ID is enabled", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network." 
}, { "type": "course-of-action", "id": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "name": "Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Enable passive DNS monitoring within all anti-spyware profiles in use.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.5", "x_panw_coa_bp_title": "Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Enable passive DNS monitoring within all anti-spyware profiles in use.", "x_panw_coa_bp_rationale_statement": "Enabling passive DNS monitoring improves PAN\u2019s threat prevention and threat intelligence capabilities. This is performed without source information delivered to PAN to ensure sensitive DNS information of the organization is not compromised.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Device > Setup > Telemetry`. Set `Passive DNS Monitoring` to enabled", "x_panw_coa_bp_audit_procedure": "Navigate to `Device > Setup > Telemetry`. 
Ensure that `Passive DNS Monitoring` is enabled", "x_panw_coa_bp_cis_controls": [ "TITLE:Enabled DNS Query Logging CONTROL:v6 8.6 DESCRIPTION:Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains.;TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Enable DNS Query Logging CONTROL:v7 8.7 DESCRIPTION:Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" ], "x_panw_coa_bp_references": [ "\u201cWhat Information is Submitted to the Palo Alto Networks when Enabling the Passive DNS Feature\u201d - https://live.paloaltonetworks.com/docs/DOC-7256:'PAN-OS Administrator's Guide 9.0 (English) - DNS Security' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-security.html#" ] }, { "type": "course-of-action", "id": "course-of-action--58d4b1e7-a7d1-45d8-855b-b5e13ace3dba", "name": "XDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.805Z", "x_panw_coa_u42_id": "x.27", "x_panw_coa_u42_title": "XDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors" }, { "type": "course-of-action", "id": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "name": "Ensure that access to every URL is logged", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "URL filters should not specify any categories as `Allow Categories`.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.11", "x_panw_coa_bp_title": "Ensure that 
access to every URL is logged", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "URL filters should not specify any categories as `Allow Categories`.", "x_panw_coa_bp_rationale_statement": "Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nFor each permitted category, set the `Site Access` action to `alert`", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nVerify that, for all allowed categories, the `Site Access` action is set to `alert`", "x_panw_coa_bp_impact_statement": "Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.", "x_panw_coa_bp_cis_controls": [ "TITLE:Log All URL Requests From Systems CONTROL:v6 7.4 DESCRIPTION:Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.;TITLE:Log all URL requests CONTROL:v7 7.6 DESCRIPTION:Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.;TITLE:Ensure Network Boundary Devices Log Verbosely CONTROL:v6 6.5 DESCRIPTION:Configure network boundary devices, including firewalls, network-based IPS, and inbound
and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.;TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;TITLE:Enable Detailed Logging CONTROL:v7 6.3 DESCRIPTION:Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering Best Practices': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-best-practices.html:\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering.html" ] }, { "type": "course-of-action", "id": "course-of-action--60e78a97-dcc6-4d67-a310-ed7f16e0218a", "name": "XDR BIOCs / ABIOCs", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.068Z", "x_panw_coa_u42_id": "x.29", "x_panw_coa_u42_title": "XDR BIOCs / ABIOCs" }, { "type": "course-of-action", "id": "course-of-action--66779efa-ecc3-4e80-91b9-c584b171ebe6", "name": "Ensure that User Credential Submission uses the action of \u201cblock\u201d or \u201ccontinue\u201d on the URL categories", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Ideally user names and passwords used within an organization are not used with third party sites.
Some sanctioned SaaS applications may have connections to the corporate domain, in which case they will need to be exempt from the user credential submission policy through a custom URL category.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.20", "x_panw_coa_bp_title": "Ensure that User Credential Submission uses the action of \u201cblock\u201d or \u201ccontinue\u201d on the URL categories", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Ideally user names and passwords used within an organization are not used with third party sites. Some sanctioned SaaS applications may have connections to the corporate domain, in which case they will need to be exempt from the user credential submission policy through a custom URL category.", "x_panw_coa_bp_rationale_statement": "Preventing users from having the ability to submit their corporate credentials to the Internet could stop credential phishing attacks and the potential that a breach at a site where a user reused credentials could lead to a credential stuffing attack.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nChoose the `Categories` tab. Set the `User Credential Submitting` action on all enabled URL categories to either `block` or `continue`, as appropriate to your organization and the category.\n\nUnder the `User Credential Detection` tab set the `User Credential Detection` value to a setting appropriate to your organization, any value except `Disabled`. Set the `Log Severity` to a value appropriate to your organization and your logging or SIEM solution.", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > URL Filtering`.\n\nChoose the `Categories` tab.
Verify that the `User Credential Submitting` action on all enabled URL categories is set to either `block` or `continue`.\n\nUnder the `User Credential Detection` tab ensure the `User Credential Detection` is set to a value appropriate to your organization, and is not set to `Disabled`. Verify that the `Log Severity` value is set to a value appropriate to your organization and your logging or SIEM solution.", "x_panw_coa_bp_impact_statement": "Not preventing users from submitting their corporate credentials to the Internet can leave them open to phishing attacks or allow for credential reuse on unauthorized sites. Using internal email accounts provides malicious actors with intelligence information, which can be used for phishing, credential stuffing and other attacks. Using internal passwords will often provide authenticated access directly to sensitive information. Not only that, but a pattern of credential re-use can expose personal information from multiple online sources.", "x_panw_coa_bp_cis_controls": [ "TITLE:Email and Web Browser Protections CONTROL:v7 7 DESCRIPTION:Email and Web Browser Protections;TITLE:Profile User Account Usage And Monitor For Anomalies CONTROL:v6 16.10 DESCRIPTION:Profile each user\u2019s typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. 
This includes flagging the use of the user\u2019s credentials from a computer other than computers on which the user generally works.;" ], "x_panw_coa_bp_references": [ "PAN OS 9.0 Admin Guide - URL Filtering / User Credential Detection: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering/user-credential-detection.html#" ] }, { "type": "course-of-action", "id": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "name": "Ensure 'WildFire Update Schedule' is set to download and install updates every minute", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Set the WildFire update schedule to download and install updates every minute." }, { "type": "course-of-action", "id": "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "name": "Ensure that the User-ID Agent has minimal permissions if User-ID is enabled", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "If the integrated (on-device) User-ID Agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Distributed COM Users group, and Domain Users group. If the Windows User-ID agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Server Operators group, and Domain Users group." }, { "type": "course-of-action", "id": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "name": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action." 
}, { "type": "course-of-action", "id": "course-of-action--89afe221-157a-48b1-a9b4-830eeba1bd5f", "name": "Deploy XSOAR Playbook - Impossible Traveler", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.8", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Impossible Traveler" }, { "type": "course-of-action", "id": "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "name": "Setup File Blocking", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z" }, { "type": "course-of-action", "id": "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "name": "Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.067Z", "description": "Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.", "x_panw_coa_bp_section_number": "8", "x_panw_coa_bp_recommendation_number": "8.2", "x_panw_coa_bp_title": "Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.", "x_panw_coa_bp_rationale_statement": "Without SSL Inbound Inspection, the firewall is not able to protect SSL or TLS-enabled webservers against many threats.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Policies > Decryption`.\n\nSet `SSL Inbound Inspection` appropriately for all untrusted traffic destined for servers using SSL or TLS.\n\nNavigate to `Policies > Decryption`. 
For each service published to the internet (or other untrusted zones), create a Policy and set the following options:\n- `General` tab: `Name` set to a descriptive name\n- `Source`: `Source Zone` set to the target zone (Internet in many cases). `Source Address` set to the target address space (`Any` for internet traffic)\n- `Destination` tab: `Destination Zone` should be set to the appropriate zone, or `Any`. `Destination Address` set to the target host address\n- `Options` tab: Type set to `SSL Inbound Inspection`", "x_panw_coa_bp_audit_procedure": "Navigate to `Policies > Decryption`.\n\nVerify `SSL Inbound Inspection` is set appropriately for all untrusted traffic destined for servers using SSL or TLS.\n\nNavigate to `Policies > Decryption`. For each service published to the internet (or other untrusted zones), verify the following settings:\n- `General` tab: `Name` set to a descriptive name\n- `Source`: `Source Zone` set to the target zone (Internet in many cases). `Source Address` set to the target address space (`Any` for internet traffic)\n- `Destination` tab: `Destination Zone` should be set to the appropriate zone, or `Any`. `Destination Address` set to the target host address\n- `Options` tab: Type set to `SSL Inbound Inspection`", "x_panw_coa_bp_impact_statement": "Not decrypting inbound traffic to TLS encrypted services means that inspection for many common attacks cannot occur on the firewall. This means that all defenses against these attacks are up to the host.", "x_panw_coa_bp_cis_controls": [ "TITLE:Design Network Perimeters To Leverage Proxy CONTROL:v6 12.5 DESCRIPTION:Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. 
The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.;TITLE:Boundary Defense CONTROL:v6 12 DESCRIPTION:Boundary Defense;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;TITLE:Decrypt Network Traffic at Proxy CONTROL:v7 12.10 DESCRIPTION:Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.;TITLE:Boundary Defense CONTROL:v7 12 DESCRIPTION:Boundary Defense;" ], "x_panw_coa_bp_references": [ "\u201cHow to Implement SSL Decryption\u201d - https://live.paloaltonetworks.com/docs/DOC-1412:\u201cPAN-OS Administrator's Guide 9.0 (English) - Decryption (English)\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption.html#" ] }, { "type": "course-of-action", "id": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "name": "Enable Anti-Exploit", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z" }, { "type": "course-of-action", "id": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "name": "Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Set Applications and File Types fields to any in WildFire file blocking profiles.
With a WildFire license, seven file types are supported, while only PE (Portable Executable) files are supported without a license.\nFor the 'web browsing' application, the action 'continue' can be selected. This still forwards the file to the Wildfire service, but also presents the end user with a confirmation message before they receive the file. Selecting 'continue' for any other application will block the file (because the end user will not see the prompt).\nIf there is a 'continue' rule, there should still be an 'any traffic / any application / forward' rule after that in the list." }, { "type": "course-of-action", "id": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "name": "Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "If a single rule exists within the anti-spyware profile, configure it to block on any spyware severity level, any category, and any threat. If multiple rules exist within the anti-spyware profile, ensure all spyware categories, threats, and severity levels are set to be blocked. Additional rules may exist for packet capture or exclusion purposes.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.3", "x_panw_coa_bp_title": "Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "If a single rule exists within the anti-spyware profile, configure it to block on any spyware severity level, any category, and any threat. If multiple rules exist within the anti-spyware profile, ensure all spyware categories, threats, and severity levels are set to be blocked. 
Additional rules may exist for packet capture or exclusion purposes.", "x_panw_coa_bp_rationale_statement": "Requiring a blocking policy for all spyware threats, categories, and severities reduces the risk of spyware traffic successfully exiting the organization. Without an anti-spyware profile assigned to any potentially hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential spyware.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nSet a rule within the anti-spyware profile that is configured to perform the `Block Action` on `any Severity` level, `any Category`, and `any Threat Name`.", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nVerify a rule exists within the anti-spyware profile that is configured to perform the `Block Action` on `any Severity` level, `any Category`, and `any Threat Name`.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html" ] }, { "type": "course-of-action", "id": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "name": "Enable DNS Security in Anti-Spyware profile", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.1", "x_panw_coa_u42_title": "Enable DNS Security in Anti-Spyware profile" }, { "type": "course-of-action", "id":
"course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "name": "Ensure remote access capabilities for the User-ID service account are forbidden.", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Restrict the User-ID service account\u2019s ability to gain remote access into the organization. This capability could be made available through a variety of technologies, such as VPN, Citrix GoToMyPC, or TeamViewer. Remote services that integrate authentication with the organization\u2019s Active Directory may unintentionally allow the User-ID service account to gain remote access." }, { "type": "course-of-action", "id": "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "name": "Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.067Z", "description": "Configure SSL Forward Proxy for all traffic destined to the Internet. In most organizations, including all categories except `financial-services`, `government` and `health-and-medicine` is recommended.", "x_panw_coa_bp_section_number": "8", "x_panw_coa_bp_recommendation_number": "8.1", "x_panw_coa_bp_title": "Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Configure SSL Forward Proxy for all traffic destined to the Internet. In most organizations, including all categories except `financial-services`, `government` and `health-and-medicine` is recommended.", "x_panw_coa_bp_rationale_statement": "Without SSL inspection, the firewall cannot apply many of its protection features against encrypted traffic. The amount of encrypted malware traffic continues to rise, and legitimate websites using SSL encryption are hacked or tricked into delivering malware on a frequent basis. 
As encryption on the Internet continues to grow at a rapid rate, SSL inspection is no longer optional as a practical security measure. If proper decryption is not configured, it follows that the majority of traffic is not being fully inspected for malicious content or policy violations. This is a major exposure, allowing delivery of exploits and payloads direct to user desktops.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Policies > Decryption`.\nCreate a Policy for all traffic destined to the Internet. This Policy should include:\n- `Source` tab: The `Source Zone` and/or `Source Address` should include all target internal networks. `Source User` should include all target internal users\n- `Destination` tab: The `Destination Zone` should include the untrusted target zone (usually the `internet`). `Destination Address` is typically `Any` for an internet destination.\n- `Service/URL Category` tab: all `URL Category` entries should be included except `financial-services`, `government` and `health-and-medicine` (this list may vary depending on your organization and its policies).\n- `Options` tab: `Type` set to `SSL Forward Proxy`", "x_panw_coa_bp_audit_procedure": "Navigate to `Policies > Decryption`.\nVerify `SSL Forward Proxy` is set for all traffic destined to the Internet. \n\nVerify each Decryption Policy Rule:\n- `Source` tab: The `Source Zone` and/or `Source Address` should include all target internal networks. `Source User` should include all target internal users\n- `Destination` tab: The `Destination Zone` should include the untrusted target zone (usually the `internet`). 
`Destination Address` is typically `Any` for an internet destination.\n- `Service/URL Category` tab: Verify that all `URL Category` entries are included except `financial-services`, `government` and `health-and-medicine` (this list may vary depending on your organization and its policies).\n- `Options` tab: Verify that the `Type` is set to `SSL Forward Proxy`", "x_panw_coa_bp_impact_statement": "Failure to decrypt outbound traffic allows attackers to mask attacks, data exfiltration and/or command and control (C2) traffic by simply using standard TLS encryption.\nPrivacy concerns for your organization's users will dictate that some common categories should be exempted from inspection and decryption. Personal banking or healthcare information is almost always exempted, as are interactions with government entities. Exemptions and inclusions to decryption policies should be negotiated internally and governed by published Corporate Policies.", "x_panw_coa_bp_cis_controls": [ "TITLE:Design Network Perimeters To Leverage Proxy CONTROL:v6 12.5 DESCRIPTION:Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. 
Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.;TITLE:Boundary Defense CONTROL:v6 12 DESCRIPTION:Boundary Defense;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;TITLE:Decrypt Network Traffic at Proxy CONTROL:v7 12.10 DESCRIPTION:Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.;TITLE:Boundary Defense CONTROL:v7 12 DESCRIPTION:Boundary Defense;" ], "x_panw_coa_bp_references": [ "\u201cHow to Implement SSL Decryption\u201d - https://live.paloaltonetworks.com/docs/DOC-1412:\u201cPAN-OS Administrator's Guide 9.0 (English) - Decryption (English)\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption.html#" ] }, { "type": "course-of-action", "id": "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "name": "Ensure that the Certificate used for Decryption is Trusted", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T19:00:11.068Z", "description": "The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For `SSL Forward Proxy` configurations, there are classes of users that need to be considered.\n\n1: Users that are members of the organization, users of machines under control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. A MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets.
Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.\n\n2: Users that are not members of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.", "x_panw_coa_bp_section_number": "8", "x_panw_coa_bp_recommendation_number": "8.3", "x_panw_coa_bp_title": "Ensure that the Certificate used for Decryption is Trusted", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "not_scored", "x_panw_coa_bp_description": "The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For `SSL Forward Proxy` configurations, there are classes of users that need to be considered.\n\n1: Users that are members of the organization, users of machines under control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. A MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.\n\n2: Users that are not members of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach.
A second approach is to not decrypt affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.", "x_panw_coa_bp_rationale_statement": "Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's 'man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type.", "x_panw_coa_bp_remediation_procedure": "Set the CA Certificate(s):\n\nNavigate to `Device > Certificate Management > Certificates`. Import the appropriate CA Certificates from any internal Certificate Authorities. \n\nAlternatively, generate a self-signed certificate for an internal CA on the firewall, and then import the root certificate for that CA into the trusted CA list of target clients. In an Active Directory environment this can be facilitated using a Group Policy.\n\nSet the Certificate Profile needed for the SSL Forward Proxy:\n- Navigate to `Device > Certificate Management > Certificate Profile`.\n\nSet the decryption profile to include the settings described in the `SSL Forward Proxy` guidance in this document", "x_panw_coa_bp_audit_procedure": "Verify the CA Certificate(s): \n\nNavigate to `Device > Certificate Management > Certificates`\n- Verify that appropriate internal certificates are imported, and that all certificates in the list are valid. 
In particular, verify the `Subject`, `Issuer`, `CA`, `Expires`, `Algorithm` and `Usage` fields\n- Alternatively, if an internal CA is implemented on the firewall, verify that target clients have the root certificate for this CA imported into their list of trusted certificate authorities.\n\nVerify the Certificate Profile needed for the SSL Forward Proxy:\n- Navigate to `Device > Certificate Management > Certificate Profile`. Verify that an appropriate profile is created.", "x_panw_coa_bp_cis_controls": [ "TITLE:Design Network Perimeters To Leverage Proxy CONTROL:v6 12.5 DESCRIPTION:Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;TITLE:Decrypt Network Traffic at Proxy CONTROL:v7 12.10 DESCRIPTION:Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. 
However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.;TITLE:Boundary Defense CONTROL:v6 12 DESCRIPTION:Boundary Defense;TITLE:Boundary Defense CONTROL:v7 12 DESCRIPTION:Boundary Defense;" ], "x_panw_coa_bp_references": [ "How to Implement and Test SSL Decryption' - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719:\u201cPAN-OS Administrator's Guide 9.0 (English) - Decryption (English)\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption.html#:'SSL Certificates Resource List on Configuring and Troubleshooting' - https://live.paloaltonetworks.com/t5/Management-Articles/SSL-certificates-resource-list/ta-p/53068:'Certificates' - http://palo-alto.wikia.com/wiki/Certificates" ] }, { "type": "course-of-action", "id": "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "name": "Ensure that User-ID is only enabled for internal trusted interfaces", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Only enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing (or any user-id identification) on an untrusted interface.\nThe exception to this is identification of remote-access VPN users, who are identified as they connect." }, { "type": "course-of-action", "id": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "name": "Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Create a pair of security rules at the top of the security policies ruleset to block traffic to and from IP addresses known to be malicious.\n\nNote: This recommendation (as written) requires a Palo Alto 'Active Threat License'. 
Third Party and Open Source Threat Intelligence Feeds can also be used for this purpose." }, { "type": "course-of-action", "id": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "name": "Ensure all WildFire session information settings are enabled", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Enable all options under Session Information Settings for WildFire." }, { "type": "course-of-action", "id": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "name": "Ensure DNS sinkholing is configured on all anti-spyware profiles in use", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.4", "x_panw_coa_bp_title": "Ensure DNS sinkholing is configured on all anti-spyware profiles in use", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.", "x_panw_coa_bp_rationale_statement": "DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the DNS server itself may be seen as infected, while the truly infected device remains unidentified. 
In addition, sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could be potentially used to negatively impact the 'ip reputation' of the organization's internet network subnets.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nWithin each anti-spyware profile, under its `DNS Signatures` tab, set the `DNS Signature Source` List:\n`Palo Alto Networks Content DNS Signatures` should have its `Action on DNS Queries` set to `sinkhole`\nIf licensed, the `Palo Alto Networks Cloud DNS Security` should have its `Action on DNS Queries` set to `sinkhole`\n\nVerify the '`Sinkhole IPv4`' IP address is correct. This should be set to `sinkhole.paloaltonetworks.com`, or if an internal host is set then that host IP or FQDN should be in that field\n\nVerify the '`Sinkhole IPv6`' IP address is correct. This should be set to `IPv6 Loopback IP (::1)`, or if an internal DNS Sinkhole host is set then that host IP or FQDN should be in that field\n\nNavigate to `Policies > Security Policies`\nFor each outbound security Policy, in the `Actions` tab, set the `Anti-Spyware` setting to include the Spyware Profile created, either explicitly or as a `Group Profile`", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nWithin each anti-spyware profile, under its `DNS Signatures` tab, verify the `DNS Signature Source` List:\n`Palo Alto Networks Content DNS Signatures` should have its `Action on DNS Queries` set to `sinkhole`\nIf licensed, the `Palo Alto Networks Cloud DNS Security` should have its `Action on DNS Queries` set to `sinkhole`\n\nVerify the '`Sinkhole IPv4`' IP address is correct. This should be set to `sinkhole.paloaltonetworks.com`, or if an internal host is set then that host IP or FQDN should be in that field\n\nVerify the '`Sinkhole IPv6`' IP address is correct.
This should be set to `IPv6 Loopback IP (::1)`, or if an internal DNS Sinkhole host is set then that host IP or FQDN should be in that field\n\nNavigate to `Policies > Security Policies`\nFor each outbound security Policy, in the `Actions` tab, verify that the `Anti-Spyware` setting includes the Spyware Profile created, either explicitly or as a `Group Profile`\n\nTo verify correct operation of DNS Security, from an internal station make a DNS request to each of the following hosts:\n- `test-malware.testpanw.com` to test `Malware` DNS Signature checks\n- `test-c2.testpanw.com` to test `C2` DNS Signature checks\n- `test-dga.testpanw.com` to test `DGA` (Domain Generation Algorithm) DNS attack checks \n- `test-dnstun.testpanw.com` to test `DNS Tunneling` attack checks\nEach of these DNS requests should be redirected to the configured DNS Sinkhole server IP address\nEach of these DNS requests should appear in the firewall logs, under `Monitor > Logs > Threat`. If configured, each of these requests should generate an alert in the organization's SIEM.", "x_panw_coa_bp_cis_controls": [ "TITLE:Enabled DNS Query Logging CONTROL:v6 8.6 DESCRIPTION:Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains.;TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Enable DNS Query Logging CONTROL:v7 8.7 DESCRIPTION:Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" ], "x_panw_coa_bp_references": [ "\u201cHow to Deal with Conficker using DNS Sinkhole\u201d - https://live.paloaltonetworks.com/docs/DOC-6628:\u201cThreat Prevention Deployment Tech Note\u201d - 
https://live.paloaltonetworks.com/docs/DOC-3094:'PANOS Administrator's Guide 9.0 (English) - Security Profiles': https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html:'PAN-OS Administrator's Guide 9.0 (English) - DNS Security' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-security.html#" ] }, { "type": "course-of-action", "id": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "name": "Deploy XSOAR Playbook - PAN-OS Query Logs for Indicators", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.805Z", "x_panw_coa_u42_id": "x.23", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - PAN-OS Query Logs for Indicators" }, { "type": "course-of-action", "id": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "name": "Enable Anti-Malware Protection", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z" }, { "type": "course-of-action", "id": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "name": "Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Create one or more anti-spyware profiles and collectively apply them to all security policies permitting traffic to the Internet. The anti-spyware profiles may be applied to the security policies directly or through a profile group.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.6", "x_panw_coa_bp_title": "Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Create one or more anti-spyware profiles and collectively apply them to all security policies permitting traffic to the Internet. 
The anti-spyware profiles may be applied to the security policies directly or through a profile group.", "x_panw_coa_bp_rationale_statement": "By applying secure anti-spyware profiles to all applicable traffic, the threat of sensitive data exfiltration or command-and-control traffic successfully passing through the firewall is greatly reduced. Anti-spyware profiles are not restricted to particular protocols like antivirus profiles, so anti-spyware profiles should be applied to all security policies permitting traffic to the Internet. Assigning an anti-spyware profile to each trusted zone will quickly and easily identify trusted hosts that have been infected with spyware, by identifying the infection from their outbound network traffic. In addition, that outbound network traffic will be blocked by the profile.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nAlso navigate to `Policies > Security`.\n\nSet one or more anti-spyware profiles to collectively apply to all inside to outside traffic from any address to any address and any application and service.", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Anti-Spyware`.\n\nAlso navigate to `Policies > Security`.\n\nVerify there are one or more anti-spyware profiles that collectively apply to all inside to outside traffic from any address to any address and any application and service.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" ], "x_panw_coa_bp_references": [ "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's 
Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" ] }, { "type": "course-of-action", "id": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "name": "Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "When permitting traffic from an untrusted zone, such as the Internet or guest network, to a more trusted zone, such as a DMZ segment, create security policies specifying which specific applications are allowed. \n\n**Enhanced Security Recommendation: **\nRequire specific application policies when allowing `any` traffic, regardless of the trust level of a zone. Do not rely solely on port permissions. This may require SSL interception, and may also not be possible in all environments." }, { "type": "course-of-action", "id": "course-of-action--dfbe8c4c-b5c9-4ac2-a2f4-a43a73d1d621", "name": "Deploy XSOAR Playbook - Access Investigation Playbook", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "x_panw_coa_u42_id": "x.7", "x_panw_coa_u42_title": "Deploy XSOAR Playbook - Access Investigation Playbook" }, { "type": "course-of-action", "id": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "name": "Ensure all HTTP Header Logging options are enabled", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Enable all options (User-Agent, Referer, and X-Forwarded-For) for HTTP header logging.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.12", "x_panw_coa_bp_title": "Ensure all HTTP Header Logging options are enabled", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Enable all options (User-Agent, Referer, and X-Forwarded-For) for HTTP header logging.", 
"x_panw_coa_bp_rationale_statement": "Logging HTTP header information provides additional information in the URL logs, which may be useful during forensic investigations. The User-Agent option logs which browser was used during the web session, which could provide insight to the vector used for malware retrieval. The Referer option logs the source webpage responsible for referring the user to the logged webpage. The X-Forwarded-For option is useful for preserving the user\u2019s source IP address, such as if a user traverses a proxy server prior to the firewall. Un-checking the Log container page only box produces substantially more information about web activity, with the expense of producing far more entries in the URL logs. If this option remains checked, a URL filter log entry showing details of a malicious file download may not exist.", "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > URL Filtering > URL Filtering Profile > URL Filtering Settings`.\n\nSet the following four settings:\n\n a. `Log container page only` box is un-checked\n\n b. Check the `User-Agent` box\n\n c. Check the `Referer` box\n\n d. Check the `X-Forwarded-For` box", "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > URL Filtering > URL Filtering Profile > URL Filtering Settings`.\n\nVerify these four settings:\n\n a. `Log container page only` box is un-checked\n\n b. `User-Agent` box is checked\n\n c. `Referer` box is checked\n\n d. 
`X-Forwarded-For` box is checked", "x_panw_coa_bp_impact_statement": "Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.", "x_panw_coa_bp_cis_controls": [ "TITLE:Log All URL Requests From Systems CONTROL:v6 7.4 DESCRIPTION:Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.;TITLE:Ensure Network Boundary Devices Log Verbosely CONTROL:v6 6.5 DESCRIPTION:Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.;TITLE:Log all URL requests CONTROL:v7 7.6 DESCRIPTION:Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.;TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;TITLE:Enable Detailed Logging CONTROL:v7 6.3 DESCRIPTION:Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering Best Practices\u201d: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-best-practices.html" ] }, { "type": "course-of-action", "id": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "name": "Ensure a secure antivirus profile is applied to all relevant security policies", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", 
"description": "Create a secure antivirus profile and apply it to all security policies that could pass HTTP, SMTP, IMAP, POP3, FTP, or SMB traffic. The antivirus profile may be applied to the security policies directly or through a profile group." }, { "type": "course-of-action", "id": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "name": "Ensure that WildFire file size upload limits are maximized", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Increase WildFire file size limits to the maximum file size supported by the environment. An organization with bandwidth constraints or heavy usage of unique files under a supported file type may require lower settings.\nThe recommendations account for the CPU load on smaller platforms. If an organization consistently has CPU to spare, it's recommended to set some or all of these values to the maximum." }, { "type": "course-of-action", "id": "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "name": "Deploy XSOAR - Endpoint Malware Investigation", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.883Z" }, { "type": "course-of-action", "id": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "name": "Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-06-26T13:02:55.804Z", "description": "Apply a secure URL filtering profile to all security policies permitting traffic to the Internet. 
The URL Filtering profile may be applied to the security policies directly or through a profile group.", "x_panw_coa_bp_section_number": "6", "x_panw_coa_bp_recommendation_number": "6.13", "x_panw_coa_bp_title": "Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet", "x_panw_coa_bp_status": "published", "x_panw_coa_bp_scoring_status": "full", "x_panw_coa_bp_description": "Apply a secure URL filtering profile to all security policies permitting traffic to the Internet. The URL Filtering profile may be applied to the security policies directly or through a profile group.", "x_panw_coa_bp_rationale_statement": "URL Filtering policies dramatically reduce the risk of users visiting malicious or inappropriate websites. In addition, a complete URL history log for all devices is invaluable when performing forensic analysis in the event of a security incident. Applying complete and approved URL filtering to outbound traffic is a frequent requirement in corporate policies, legal requirements or regulatory requirements.", "x_panw_coa_bp_remediation_procedure": "To Set URL Filtering:\nFor each Security Profile that transits traffic to the internet, navigate to `Policies > Security > Security Profiles > [Policy Name] > Actions`.\n\nSet a URL Filtering profile that complies with the policies of the organization on all Security Policies that transit traffic to the public internet.", "x_panw_coa_bp_audit_procedure": "To Verify URL Filtering:\n\nFor each Security Policy that transits traffic to the public internet, navigate to `Policies > Security > Security Profiles > [Policy Name] > Actions`.\n\nVerify that a URL Filtering profile that complies with the policies of the organization is applied to all Security Policies that transit traffic to the public internet.", "x_panw_coa_bp_impact_statement": "Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, 
non-compliance with regulatory policies or productivity loss.", "x_panw_coa_bp_cis_controls": [ "TITLE:Deploy, Use, And Maintain Network-based URL Filters CONTROL:v6 7.6 DESCRIPTION:The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v7 7.4 DESCRIPTION:Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.;TITLE:Subscribe to URL-Categorization service CONTROL:v7 7.5 DESCRIPTION:Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.;" ], "x_panw_coa_bp_references": [ "\u201cPAN-OS Administrator's Guide 9.0 (English) - URL Filtering Best Practices\u201d: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-best-practices.html" ] }, { "type": "course-of-action", "id": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "name": "Ensure forwarding of decrypted content to WildFire is enabled", "created": "2020-06-23T19:50:31.722Z", "modified": "2020-09-04T13:59:35.882Z", "description": "Allow the firewall to forward decrypted content to WildFire. Note that SSL Forward-Proxy must also be enabled and configured for this setting to take effect on inside-to-outside traffic flows." 
}, { "type": "identity", "id": "identity--4d1d54c4-6665-4112-979a-52a56b6272d4", "identity_class": "organization", "name": "Identity (Greenbug)", "created": "2020-07-08T12:21:55.056Z", "modified": "2020-07-13T13:45:02.008Z", "sectors": [ "telecommunications" ] }, { "type": "identity", "id": "identity--5b8b881a-7707-45a2-9f38-e33665844311", "identity_class": "organization", "name": "Identity (second)", "created": "2019-10-08T16:05:31.133Z", "modified": "2019-10-08T18:26:32.830Z", "sectors": [ "government-regional" ], "x_cta_country": [ "AE" ] }, { "type": "identity", "id": "identity--c7dc2a79-4dbe-463b-a58b-24c781041f30", "identity_class": "organization", "name": "Identity (Trips_right__slip_screen)", "created": "2019-10-08T16:11:38.189Z", "modified": "2019-10-08T18:26:32.830Z", "sectors": [ "financial-services", "insurance" ] }, { "type": "identity", "id": "identity--c7e23c62-8c87-4584-9787-2cffec8414ce", "identity_class": "organization", "name": "Identity (first)", "created": "2019-10-08T16:04:43.052Z", "modified": "2019-10-08T18:26:32.830Z", "sectors": [ "financial-services", "technology" ], "x_cta_country": [ "SA" ] }, { "type": "identity", "id": "identity--e407f512-c6e0-4b10-9017-e1f19cef983f", "identity_class": "organization", "name": "Identity (third)", "created": "2019-10-08T16:06:10.298Z", "modified": "2019-10-08T18:26:32.830Z", "sectors": [ "communications", "education", "infrastructure", "technology" ], "x_cta_country": [ "IL" ] }, { "type": "indicator", "id": "indicator--012e2d87-6c15-461a-bbdb-52bdb0d8f803", "created": "2020-07-08T14:52:44.281Z", "modified": "2020-07-13T13:45:02.009Z", "name": "ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc", "pattern": "[file:hashes.'SHA-256' = 'ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc']", "valid_from": "2020-07-08T14:52:44.281Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f", "created": 
"2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:43:10.217Z", "name": "b4be6518b5d47fbaefc68660d54516140b65e36ebc68d309e39ffc15bbbfc70e", "pattern": "[file:hashes.'SHA-256' = 'b4be6518b5d47fbaefc68660d54516140b65e36ebc68d309e39ffc15bbbfc70e']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "ConferenceList.aspx", "pattern": "[file:name = 'ConferenceList.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--02e254af-73f9-4630-9a4e-350297d86505", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "pl.exe", "pattern": "[file:name = 'pl.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--06aee4da-bcca-4234-8b1a-35741adf2d67", "created": "2020-05-05T13:53:52.048Z", "modified": "2020-06-26T19:00:20.236Z", "name": "[network-traffic:dst_port = '8080' AND network-traffic:protocols = 'tcp']", "pattern": "[network-traffic:dst_port = '8080' AND network-traffic:protocols = 'tcp']", "valid_from": "2020-05-05T13:53:52.048Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e", "created": "2017-12-21T15:26:09.943Z", "modified": "2019-11-06T14:53:08.522Z", "name": "fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113", "pattern": "[file:hashes.'SHA-256' = 'fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-22T19:56:25.701Z", "name": "91.121.237.227", "pattern": "[ipv4-addr:value = 
'91.121.237.227']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-22T19:51:21.715Z", "name": "88.88.88.88", "pattern": "[domain-name:resolves_to_refs[*].value = '88.88.88.88']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0b42f202-10a1-4a5e-b714-e5279164a015", "created": "2020-07-08T14:59:54.132Z", "modified": "2020-07-13T13:45:02.009Z", "name": "kizlarsoroyur.com", "pattern": "[domain-name:value = 'kizlarsoroyur.com']", "valid_from": "2020-07-08T14:59:54.132Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841", "created": "2017-12-21T15:11:50.586Z", "modified": "2019-11-06T16:18:40.803Z", "name": "6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301", "pattern": "[file:hashes.'SHA-256' = '6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net group /domain", "pattern": "[process:command_line = 'net group /domain']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1", "created": "2017-10-09T18:03:03.291Z", "modified": "2019-11-06T14:53:08.522Z", "name": "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa", "pattern": "[file:hashes.'SHA-256' = 'a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa']", "valid_from": "2017-10-09T18:03:03.291Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "c:\\\\windows\\\\temp\\\\m64.exe privilege::debug sekurlsa::logonpasswords exit%", "pattern": "[process:command_line LIKE 'c:\\\\windows\\\\temp\\\\m64.exe privilege::debug sekurlsa::logonpasswords exit%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T16:03:36.356Z", "name": "9eadfc0fb8cfdb7d3b45060dc9acc97ac430246b7672ee47d0de1fd11ea2c682", "pattern": "[file:hashes.'SHA-256' = '9eadfc0fb8cfdb7d3b45060dc9acc97ac430246b7672ee47d0de1fd11ea2c682']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68", "pattern": "[file:hashes.'SHA-256' = 'e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "created": "2018-05-30T19:51:58.430Z", "modified": "2018-08-03T20:34:40.945Z", "name": "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e", "pattern": "[file:hashes.'SHA-256' = 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e']", "valid_from": "2018-05-30T19:51:58.430Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "PsExec.exe", "pattern": "[file:name = 'PsExec.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { 
"type": "indicator", "id": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "my-mailcoil.ml", "pattern": "[domain-name:value = 'my-mailcoil.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2", "pattern": "[file:hashes.'SHA-256' = '28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "z64.exe", "pattern": "[file:name = 'z64.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f", "pattern": "[file:hashes.'SHA-256' = '0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "%Public%\\\\Libraries\\\\tp", "pattern": "[directory:path = '%Public%\\\\\\\\Libraries\\\\\\\\tp']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "iishandler6.dll", 
"pattern": "[file:name = 'iishandler6.dll']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "HttpParser.dll", "pattern": "[file:name = 'HttpParser.dll']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "kb-11.exe", "pattern": "[file:name = 'kb-11.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "ipconfig /all", "pattern": "[process:command_line = 'ipconfig /all']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-22T19:55:44.632Z", "name": "51.254.50.153", "pattern": "[ipv4-addr:value = '51.254.50.153']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "92.222.209.48", "pattern": "[ipv4-addr:value = '92.222.209.48']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--20903cd9-29c1-4a41-9202-c1b473f1855e", "created": "2020-07-08T14:59:10.736Z", "modified": "2020-07-13T13:45:02.009Z", "name": "tprs-servers.eu", "pattern": "[domain-name:value = 'tprs-servers.eu']", "valid_from": "2020-07-08T14:59:10.736Z", "labels": [ "malicious-activity" ] 
}, { "type": "indicator", "id": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net group Exchange Trusted Subsystem /domain", "pattern": "[process:command_line = 'net group Exchange Trusted Subsystem /domain']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69", "pattern": "[file:hashes.'SHA-256' = 'c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "getidtoken.aspx", "pattern": "[file:name = 'getidtoken.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2464959e-820d-47c4-9785-d982888376ec", "created": "2020-07-08T13:22:11.985Z", "modified": "2020-07-13T13:45:02.008Z", "name": "tacsent.com", "pattern": "[domain-name:value = 'tacsent.com']", "valid_from": "2020-07-08T13:22:11.985Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b", "created": "2018-01-26T16:53:32.415Z", "modified": "2018-08-03T20:34:40.945Z", "name": "ec3f55cac3e8257d6d48e5d543db758fed7d267f14f63a6a5d98ba7a0fab6870", "pattern": "[file:hashes.'SHA-256' = 'ec3f55cac3e8257d6d48e5d543db758fed7d267f14f63a6a5d98ba7a0fab6870']", "valid_from": "2018-01-26T16:53:32.415Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2", "created": "2018-08-03T20:30:50.665Z", "modified": 
"2018-08-03T20:30:50.665Z", "name": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = '01.txt']", "pattern": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = '01.txt']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--289251cb-2cff-4cbc-9e19-995310c5d8c0", "created": "2020-07-08T14:52:22.778Z", "modified": "2020-07-13T13:45:02.009Z", "name": "fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c", "pattern": "[file:hashes.'SHA-256' = 'fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c']", "valid_from": "2020-07-08T14:52:22.778Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--28ddd8f2-72d0-4c05-a72b-4927f9b4a3ef", "created": "2020-07-08T14:50:22.661Z", "modified": "2020-07-13T13:45:02.009Z", "name": "8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a", "pattern": "[file:hashes.'SHA-256' = '8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a']", "valid_from": "2020-07-08T14:50:22.661Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "http://www.msoffice-cdn.com/updatecdnsrv/prelocated/owa/auth/template.rtf", "pattern": "[url:value = 'http://www.msoffice-cdn.com/updatecdnsrv/prelocated/owa/auth/template.rtf']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2bd3da7e-748b-4727-bc61-23e4582ff60f", "created": "2020-07-08T12:43:34.123Z", "modified": "2020-07-13T13:45:02.008Z", "name": "wwmal.com", "pattern": "[domain-name:value = 'wwmal.com']", "valid_from": "2020-07-08T12:43:34.123Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8", "created": "2018-08-03T20:30:50.665Z", "modified": 
"2018-08-03T20:30:50.665Z", "name": "n.n.c.%.cdnmsnupdate.com", "pattern": "[domain-name:value LIKE 'n.n.c.%.cdnmsnupdate.com']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net user /domain", "pattern": "[process:command_line = 'net user /domain']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--30745f2a-676c-4f48-8677-7382d24ed21d", "created": "2020-07-08T14:53:50.347Z", "modified": "2020-07-13T13:45:02.009Z", "name": "6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006", "pattern": "[file:hashes.'SHA-256' = '6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006']", "valid_from": "2020-07-08T14:53:50.347Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-08-23T16:47:26.190Z", "name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ3C2046696C65204E6F7420466F756E64203E')]", "pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ3C2046696C65204E6F7420466F756E64203E')]", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "5.39.59.97", "pattern": "[ipv4-addr:value = '5.39.59.97']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--3c52b486-9d0f-4197-890f-615001e6df35", "created": 
"2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "91.121.237.224", "pattern": "[ipv4-addr:value = '91.121.237.224']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--3c8cabfa-1b3b-4662-8f96-e873fe6188fe", "created": "2017-10-17T12:27:09.978Z", "modified": "2020-07-13T13:45:02.009Z", "name": "7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2", "pattern": "[file:hashes.'SHA-256' = '7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2']", "valid_from": "2017-10-17T12:27:09.978Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ46696C652055706C6F61646564')]", "pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%AAZ46696C652055706C6F61646564')]", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[file:name = 'ReportSample.xls' AND email:subject = 'FW: MOI Registration - alrajhi application [Report Form]']", "pattern": "[file:name = 'ReportSample.xls' AND email:subject = 'FW: MOI Registration - alrajhi application [Report Form]']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--45680f4c-a738-4515-ac9a-7b9852526159", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "O64.exe", "pattern": "[file:name = 'O64.exe']", "valid_from": "2018-08-03T20:30:50.665Z", 
"labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--49bbfc5d-0cfb-4d7b-9051-3067ad34723f", "created": "2020-07-08T14:52:35.660Z", "modified": "2020-07-13T13:45:02.009Z", "name": "7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28", "pattern": "[file:hashes.'SHA-256' = '7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28']", "valid_from": "2020-07-08T14:52:35.660Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "92.222.209.51", "pattern": "[ipv4-addr:value = '92.222.209.51']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "mom64.exe", "pattern": "[file:name = 'mom64.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "systeminfo", "pattern": "[process:command_line = 'systeminfo']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--5134cbd0-890e-46e9-912e-2eb2e7c71356", "created": "2020-07-08T14:15:35.598Z", "modified": "2020-07-13T13:45:02.008Z", "name": "kopilkaorukov.com", "pattern": "[domain-name:value = 'kopilkaorukov.com']", "valid_from": "2020-07-08T14:15:35.598Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a", "created": "2017-12-21T15:11:50.586Z", "modified": "2019-11-06T14:45:50.556Z", "name": "bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44", "pattern": "[file:hashes.'SHA-256' = 
'bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--52139071-3ddd-4025-85a2-515004370eb1", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "webmail-tidhar-co-il.ml", "pattern": "[domain-name:value = 'webmail-tidhar-co-il.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "O6.exe", "pattern": "[file:name = 'O6.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--5580c978-1497-40a4-bdc3-756b841776b1", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_header.'Cookie' LIKE '%#tfil#=#c:\\\\windows\\\\temp\\\\Exchange.aspx#|#ttar#=#d:\\\\Program+Files\\\\Microsoft\\\\Exchange+Server\\\\V14\\\\ClientAccess\\\\exchweb\\\\ews\\\\exchange.asmx#|#ttim#=#%']", "pattern": "[http-request-ext:request_header.'Cookie' LIKE '%#tfil#=#c:\\\\windows\\\\temp\\\\Exchange.aspx#|#ttar#=#d:\\\\Program+Files\\\\Microsoft\\\\Exchange+Server\\\\V14\\\\ClientAccess\\\\exchweb\\\\ews\\\\exchange.asmx#|#ttim#=#%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value = '/action2/']", "pattern": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value = '/action2/']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--565c1a62-b4f0-4e2f-a4de-83944dfc8c10", "created": "2017-10-09T17:38:51.286Z", "modified": "2019-10-11T16:07:13.703Z", "name": "119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc", "pattern": "[file:hashes.'SHA-256' = '119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc']", "valid_from": "2017-10-09T17:38:51.286Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_header.'Cookie' LIKE 'data=pro#=##|#cmd#=##%']", "pattern": "[http-request-ext:request_header.'Cookie' LIKE 'data=pro#=##|#cmd#=##%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--5fcecf74-b682-4781-904d-f261f101282b", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:53:08.522Z", "name": "481dae0dd9522a3de3f93ee4e54b48bc81e564f31cb11c643890dcee1671dfa9", "pattern": "[file:hashes.'SHA-256' = '481dae0dd9522a3de3f93ee4e54b48bc81e564f31cb11c643890dcee1671dfa9']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0", "created": "2017-10-09T18:02:28.711Z", "modified": "2018-08-03T20:34:40.945Z", "name": "497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3", "pattern": "[file:hashes.'SHA-256' = '497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3']", "valid_from": "2017-10-09T18:02:28.711Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "S64.exe", "pattern": "[file:name = 'S64.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--605f4247-c18d-407d-bf86-9973adf2995f", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "kb.exe", "pattern": "[file:name = 'kb.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--60c48c35-8820-413b-84a9-fd76ce45b951", "created": "2020-07-08T15:00:12.254Z", "modified": "2020-07-13T13:45:02.009Z", "name": "intelligent-finance.site", "pattern": "[domain-name:value = 'intelligent-finance.site']", "valid_from": "2020-07-08T15:00:12.254Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:47:30.699Z", "name": "668020e32d1cd7a3a475ed73e44aea46d3e986c2b29fcde144eabd242fcafe3a", "pattern": "[file:hashes.'SHA-256' = '668020e32d1cd7a3a475ed73e44aea46d3e986c2b29fcde144eabd242fcafe3a']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "ManageContent1.aspx", "pattern": "[file:name = 'ManageContent1.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--63c6b5e5-c5ce-4572-bad6-002f8f82d242", "created": "2017-10-24T15:50:43.490Z", "modified": "2020-07-13T13:45:02.008Z", "name": "allsecpackupdater.com", "pattern": "[domain-name:value = 'allsecpackupdater.com']", "valid_from": "2017-10-24T15:50:43.490Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd", "pattern": "[file:hashes.'SHA-256' = 
'450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6928ee56-805a-4f47-a428-9f41fb9faa6c", "created": "2020-07-08T14:50:13.041Z", "modified": "2020-07-13T13:45:02.009Z", "name": "8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb", "pattern": "[file:hashes.'SHA-256' = '8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb']", "valid_from": "2020-07-08T14:50:13.041Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net accounts /domain", "pattern": "[process:command_line = 'net accounts /domain']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6c121823-7ad4-4766-8e22-d9966c43cf69", "created": "2020-07-08T14:59:28.704Z", "modified": "2020-07-13T13:45:02.009Z", "name": "oudax.com", "pattern": "[domain-name:value = 'oudax.com']", "valid_from": "2020-07-08T14:59:28.704Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6dfbe1f5-d102-4fde-b97d-c05776a41b78", "created": "2020-07-08T14:58:52.171Z", "modified": "2020-07-13T13:45:02.009Z", "name": "digi.shanx.icu", "pattern": "[domain-name:value = 'digi.shanx.icu']", "valid_from": "2020-07-08T14:58:52.171Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--6eb198da-c5e6-460f-b504-7dbf5003eb1d", "created": "2020-07-08T14:50:41.507Z", "modified": "2020-07-13T13:45:02.008Z", "name": "bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035", "pattern": "[file:hashes.'SHA-256' = 'bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035']", "valid_from": "2020-07-08T14:50:41.507Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--70b13368-9612-437e-a2fe-206b51ccdce4", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "89.163.206.0", "pattern": "[ipv4-addr:value = '89.163.206.0']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--793e3414-7023-4bd6-8d03-def9852cee0f", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12", "pattern": "[file:hashes.'SHA-256' = '5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--7bd90223-3f43-4831-b065-363c883bc015", "created": "2020-07-08T14:52:55.534Z", "modified": "2020-07-13T13:45:02.009Z", "name": "de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9", "pattern": "[file:hashes.'SHA-256' = 'de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9']", "valid_from": "2020-07-08T14:52:55.534Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "\\\\\\\\Temp\\\\\\\\runlog%.tmp", "pattern": "[file:name LIKE '\\\\\\\\Temp\\\\\\\\runlog%.tmp']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--87112435-30e8-4465-9793-06d406cf5e44", "created": "2020-07-08T14:12:28.196Z", "modified": "2020-07-13T13:45:02.008Z", "name": "rdmsi.com", "pattern": "[domain-name:value = 'rdmsi.com']", "valid_from": "2020-07-08T14:12:28.196Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "sc query", "pattern": "[process:command_line = 
'sc query']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[(file:name = 'Issue-doc.zip' OR file:name = 'Issue-doc1.zip') AND (email:subject = 'Importan Issue' OR email:subject = 'Important Issue')]", "pattern": "[(file:name = 'Issue-doc.zip' OR file:name = 'Issue-doc1.zip') AND (email:subject = 'Importan Issue' OR email:subject = 'Important Issue')]", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497", "pattern": "[file:hashes.'SHA-256' = '744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8a419fc6-b0dd-466b-a2d7-23e5c30f1707", "created": "2018-01-18T22:10:16.875Z", "modified": "2020-06-01T16:52:42.419Z", "name": "231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f", "pattern": "[file:hashes.'SHA-256' = '231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f']", "valid_from": "2018-01-18T22:10:16.875Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "212.16.80.102", "pattern": "[ipv4-addr:value = '212.16.80.102']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8cdb8bc6-bcf7-480e-aab5-b4e403d5e9a9", "created": "2020-07-08T14:12:17.463Z", "modified": "2020-07-13T13:45:02.008Z", "name": "rsshay.com", "pattern": 
"[domain-name:value = 'rsshay.com']", "valid_from": "2020-07-08T14:12:17.463Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 1 /TN%' AND process:command_line LIKE '%cmd.exe /c Certutil -decode %appdata%\\\\Base.txt%']", "pattern": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 1 /TN%' AND process:command_line LIKE '%cmd.exe /c Certutil -decode %appdata%\\\\Base.txt%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8e5578f7-39c9-4fb4-af27-4c1b3d09bc8a", "created": "2020-07-08T14:53:29.076Z", "modified": "2020-07-13T13:45:02.009Z", "name": "55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358", "pattern": "[file:hashes.'SHA-256' = '55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358']", "valid_from": "2020-07-08T14:53:29.076Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044", "created": "2017-12-21T15:11:50.586Z", "modified": "2019-11-06T14:53:08.522Z", "name": "caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696", "pattern": "[file:hashes.'SHA-256' = 'caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--8fa6a942-6241-4133-b68a-ebe195ff7901", "created": "2020-07-08T14:52:11.222Z", "modified": "2020-07-13T13:45:02.009Z", "name": "f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0", "pattern": "[file:hashes.'SHA-256' = 'f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0']", "valid_from": "2020-07-08T14:52:11.222Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "i64.exe", "pattern": "[file:name = 'i64.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%ABZFinish' )]", "pattern": "[http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '%/resp?%' AND http-request-ext:request_value LIKE '%ABZFinish' )]", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--9340dbc2-1b6d-46bc-a669-3fdaf13579cc", "created": "2020-07-08T13:34:54.943Z", "modified": "2020-07-13T13:45:02.008Z", "name": "476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae", "pattern": "[file:hashes.'SHA-256' = '476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae']", "valid_from": "2020-07-08T13:34:54.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "logn-micrsftonine-con.ml", "pattern": "[domain-name:value = 'logn-micrsftonine-con.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95", "pattern": "[file:hashes.'SHA-256' = '3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ 
"malicious-activity" ] }, { "type": "indicator", "id": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "reg query HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default", "pattern": "[process:command_line = 'reg query HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Terminal Server Client\\\\\\\\Default']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[domain-name:value = 'www.msoffice365cdn.com' AND (http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '/what?' OR http-request-ext:request_value LIKE '/chk?'))]", "pattern": "[domain-name:value = 'www.msoffice365cdn.com' AND (http-request-ext:request_method = 'get' AND (http-request-ext:request_value LIKE '/what?' 
OR http-request-ext:request_value LIKE '/chk?'))]", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--a0012b87-ad05-4c74-a014-9957d1795397", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[file:name = 'Seminar-Invitation.doc' AND email:subject = 'Beirut Insurance Seminar Invitation']", "pattern": "[file:name = 'Seminar-Invitation.doc' AND email:subject = 'Beirut Insurance Seminar Invitation']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "Local.exe", "pattern": "[file:name = 'Local.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--a748b2fb-cef6-449a-9884-4d3342467796", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "94.23.172.49", "pattern": "[ipv4-addr:value = '94.23.172.49']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-03T20:34:40.945Z", "name": "138.201.209.162", "pattern": "[ipv4-addr:value = '138.201.209.162']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--a91d113f-f89f-4a43-af44-57266ba0d07c", "created": "2020-07-08T14:53:07.890Z", "modified": "2020-07-13T13:45:02.009Z", "name": "4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec", "pattern": "[file:hashes.'SHA-256' = '4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec']", "valid_from": "2020-07-08T14:53:07.890Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-22T19:54:58.868Z", "name": "138.201.209.182", "pattern": "[ipv4-addr:value = '138.201.209.182']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T16:04:53.978Z", "name": "499ff5f8fa3a58307142eb0c1794414cdee0ef326a0fc2d1d93d72de1c3e8021", "pattern": "[file:hashes.'SHA-256' = '499ff5f8fa3a58307142eb0c1794414cdee0ef326a0fc2d1d93d72de1c3e8021']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--adb01a10-e1b9-4724-88fe-d6758d2254c6", "created": "2020-07-08T13:48:12.613Z", "modified": "2020-07-13T13:45:02.008Z", "name": "e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060", "pattern": "[file:hashes.'SHA-256' = 'e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060']", "valid_from": "2020-07-08T13:48:12.613Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4", "created": "2017-12-21T15:11:50.586Z", "modified": "2019-11-06T14:45:50.556Z", "name": "6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7", "pattern": "[file:hashes.'SHA-256' = '6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--b20d9819-1488-4156-aef4-02234af0f67f", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c", "pattern": "[file:hashes.'SHA-256' = '5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", 
"id": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T15:34:03.457Z", "name": "81230c13aeaccc4a1b1b514559525ba6239834773c0cc4cafd88e1e06b9b6e3c", "pattern": "[file:hashes.'SHA-256' = '81230c13aeaccc4a1b1b514559525ba6239834773c0cc4cafd88e1e06b9b6e3c']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--b4743bb8-5c61-4399-b281-c2345abd410b", "created": "2020-07-08T12:59:44.295Z", "modified": "2020-07-13T13:45:02.008Z", "name": "koko@acrlee.com", "pattern": "[email-addr:value = 'koko@acrlee.com']", "valid_from": "2020-07-08T12:59:44.295Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "webmaiil-tau-ac-il.ml", "pattern": "[domain-name:value = 'webmaiil-tau-ac-il.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "whoami", "pattern": "[process:command_line = 'whoami']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f", "pattern": "[file:hashes.'SHA-256' = '818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c06f2a71-5b4d-4c0a-bce3-95ba1e7851d1", "created": "2020-07-08T14:53:18.617Z", "modified": "2020-07-13T13:45:02.009Z", "name": 
"acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323", "pattern": "[file:hashes.'SHA-256' = 'acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323']", "valid_from": "2020-07-08T14:53:18.617Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "ea1e957381f58efdcdb4e246c36128bf685277adf3a3b8f0bbea329ed3f53c4f", "pattern": "[file:hashes.'SHA-256' = 'ea1e957381f58efdcdb4e246c36128bf685277adf3a3b8f0bbea329ed3f53c4f']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "%.go0gIe.com", "pattern": "[domain-name:value LIKE '%.go0gIe.com']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f", "pattern": "[file:hashes.'SHA-256' = '54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "postinfo.aspx", "pattern": "[file:name = 'postinfo.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "c:\\\\windows\\\\temp\\\\MicrosoftUpdate.exe p::d s::l q%", "pattern": "[process:command_line LIKE 
'c:\\\\windows\\\\temp\\\\MicrosoftUpdate.exe p::d s::l q%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750", "created": "2017-12-21T15:09:47.517Z", "modified": "2018-08-03T20:34:40.945Z", "name": "so-cc-hujii-ac-il.ml", "pattern": "[domain-name:value = 'so-cc-hujii-ac-il.ml']", "valid_from": "2017-12-21T15:09:47.517Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net user", "pattern": "[process:command_line = 'net user']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "schtasks.exe /create /F /sc minute /mo 3 /tn GoogleUpdateTaskMachineUI /tr Users\\\\Public\\\\Libraries\\\\update.vbs", "pattern": "[process:command_line = 'schtasks.exe /create /F /sc minute /mo 3 /tn GoogleUpdateTaskMachineUI /tr Users\\\\\\\\Public\\\\\\\\Libraries\\\\\\\\update.vbs']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "netstat -an", "pattern": "[process:command_line = 'netstat -an']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3", "created": "2017-12-21T15:11:37.195Z", "modified": "2018-08-22T19:57:07.269Z", "name": "176.9.164.252", "pattern": "[ipv4-addr:value = '176.9.164.252']", "valid_from": "2017-12-21T15:11:37.195Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74", "created": "2017-12-21T15:26:09.943Z", "modified": "2018-08-03T20:34:40.945Z", "name": "8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b", "pattern": "[file:hashes.'SHA-256' = '8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:53:08.522Z", "name": "ea4efb8148146f546d45f02fdee48d429540bba608233ff95e52e8ea7f6994e8", "pattern": "[file:hashes.'SHA-256' = 'ea4efb8148146f546d45f02fdee48d429540bba608233ff95e52e8ea7f6994e8']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "tasklist", "pattern": "[process:command_line = 'tasklist']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:47:30.699Z", "name": "edd7420f1bacdcce650511284a7bef522151e0eb6b5786fae02ba82b167aa75b", "pattern": "[file:hashes.'SHA-256' = 'edd7420f1bacdcce650511284a7bef522151e0eb6b5786fae02ba82b167aa75b']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "ErrorEE.aspx", "pattern": "[file:name = 'ErrorEE.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7", "created": "2018-08-03T20:30:50.665Z", "modified": 
"2018-08-03T20:30:50.665Z", "name": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = 'mic.txt']", "pattern": "[directory:path = 'c:\\\\windows\\\\temp' AND file:name = 'mic.txt']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value LIKE '/sysupdate.aspx?req=' AND http-request-ext:request_value LIKE '%5Cbat&m=d']", "pattern": "[http-request-ext:request_method = 'get' AND http-request-ext:request_value LIKE '/sysupdate.aspx?req=' AND http-request-ext:request_value LIKE '%5Cbat&m=d']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--df6e4110-8f96-4388-a418-8f8418e107ba", "created": "2018-01-18T22:17:37.829Z", "modified": "2018-08-03T20:34:40.945Z", "name": "www.msoffice365cdn.com", "pattern": "[domain-name:value = 'www.msoffice365cdn.com']", "valid_from": "2018-01-18T22:17:37.829Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e0300bff-605a-4969-a37f-01e1cd22a05b", "created": "2017-10-09T17:39:22.052Z", "modified": "2019-10-14T14:34:42.538Z", "name": "33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647", "pattern": "[file:hashes.'SHA-256' = '33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647']", "valid_from": "2017-10-09T17:39:22.052Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e0350011-872e-42e4-97e6-a82a419291ee", "created": "2020-07-08T13:37:01.591Z", "modified": "2020-07-13T13:45:02.008Z", "name": "78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5", "pattern": "[file:hashes.'SHA-256' = '78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5']", "valid_from": "2020-07-08T13:37:01.591Z", 
"labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "a67d:db8:85a3:4325:7654:8a2a:370:7334", "pattern": "[domain-name:resolves_to_refs[*].value = 'a67d:db8:85a3:4325:7654:8a2a:370:7334']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[http-request-ext:request_header.'Cookie' LIKE 'pwd=RmVlZE1lIQ==;%']", "pattern": "[http-request-ext:request_header.'Cookie' LIKE 'pwd=RmVlZE1lIQ==;%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e1b441cf-0d08-4711-80e3-7f1724e3a88d", "created": "2020-07-08T14:53:39.830Z", "modified": "2020-07-13T13:45:02.009Z", "name": "ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d", "pattern": "[file:hashes.'SHA-256' = 'ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d']", "valid_from": "2020-07-08T14:53:39.830Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e28ef3f2-c14f-4890-bd68-16bc1e44e502", "created": "2020-07-08T12:43:34.123Z", "modified": "2020-07-13T13:45:02.008Z", "name": "sharjatv.com", "pattern": "[domain-name:value = 'sharjatv.com']", "valid_from": "2020-07-08T12:43:34.123Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 2 /TN%' AND process:command_line LIKE '%wscript %appdata%\\\\chkSrv.vbs%']", "pattern": "[process:command_line LIKE 'SchTasks /Create /SC MINUTE /MO 2 /TN%' AND process:command_line LIKE '%wscript 
%appdata%\\\\chkSrv.vbs%']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T16:03:36.356Z", "name": "43280264f6db0875c681f0d99796c886b3c5dc5ee08bf2bb25276a7c3f8a1ff8", "pattern": "[file:hashes.'SHA-256' = '43280264f6db0875c681f0d99796c886b3c5dc5ee08bf2bb25276a7c3f8a1ff8']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e33849ee-529f-4c5a-ad26-96a190327682", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "kbs.exe", "pattern": "[file:name = 'kbs.exe']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T16:21:55.808Z", "name": "a342bdcbfd2c1065f4315a63de55fac3347ac24a1e23354a796367f8b09bb34f", "pattern": "[file:hashes.'SHA-256' = 'a342bdcbfd2c1065f4315a63de55fac3347ac24a1e23354a796367f8b09bb34f']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e6bc70bc-2221-4ae7-a19b-ef53115f6174", "created": "2017-10-09T17:41:26.546Z", "modified": "2019-10-14T14:34:42.539Z", "name": "74f61b6ff0eb58d76f4cacfb1504cb6b72684d0d0980d42cba364c6ef28223a8", "pattern": "[file:hashes.'SHA-256' = '74f61b6ff0eb58d76f4cacfb1504cb6b72684d0d0980d42cba364c6ef28223a8']", "valid_from": "2017-10-09T17:41:26.546Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "owa-insss-org-ill-owa-authen.ml", "pattern": "[domain-name:value = 'owa-insss-org-ill-owa-authen.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ 
"malicious-activity" ] }, { "type": "indicator", "id": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "net group domain admins /domain", "pattern": "[process:command_line = 'net group domain admins /domain']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T16:04:53.978Z", "name": "3d0bb0426048334501fb6be5200d702120bf8a960709a1d67eb1928ea44b2df2", "pattern": "[file:hashes.'SHA-256' = '3d0bb0426048334501fb6be5200d702120bf8a960709a1d67eb1928ea44b2df2']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--ed7365d8-f542-444a-8224-60221233acfe", "created": "2018-01-18T22:10:07.315Z", "modified": "2020-06-01T16:52:42.419Z", "name": "9a040cdd7c9fcde337b2c3daa2a7208e225735747dd1366e6c0fcbc56815a07f", "pattern": "[file:hashes.'SHA-256' = '9a040cdd7c9fcde337b2c3daa2a7208e225735747dd1366e6c0fcbc56815a07f']", "valid_from": "2018-01-18T22:10:07.315Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-11-06T14:47:30.699Z", "name": "c4eb1c6d0cf51a2fa0b0574fd1e78e80bf69662bb11016f6f2a527a0d6d8e0fc", "pattern": "[file:hashes.'SHA-256' = 'c4eb1c6d0cf51a2fa0b0574fd1e78e80bf69662bb11016f6f2a527a0d6d8e0fc']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--f2a66702-33c8-42ad-87f4-2abcec5ee996", "created": "2020-07-08T13:00:02.138Z", "modified": "2020-07-13T13:45:02.008Z", "name": "h76y@acrlee.com", "pattern": "[email-addr:value = 'h76y@acrlee.com']", "valid_from": "2020-07-08T13:00:02.138Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": 
"indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741", "created": "2017-12-21T15:11:50.586Z", "modified": "2018-08-03T20:34:40.945Z", "name": "d3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31", "pattern": "[file:hashes.'SHA-256' = 'd3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31']", "valid_from": "2017-12-21T15:11:50.586Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "137.59.229.231", "pattern": "[ipv4-addr:value = '137.59.229.231']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "error2.aspx", "pattern": "[file:name = 'error2.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "tmperror4.aspx", "pattern": "[file:name = 'tmperror4.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c", "created": "2017-12-21T15:26:09.943Z", "modified": "2019-11-06T16:18:40.803Z", "name": "79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e", "pattern": "[file:hashes.'SHA-256' = '79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e']", "valid_from": "2017-12-21T15:26:09.943Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc", "created": "2017-12-21T15:02:26.003Z", "modified": "2018-08-22T19:53:31.086Z", "name": "137.74.131.208", "pattern": "[ipv4-addr:value = '137.74.131.208']", "valid_from": 
"2017-12-21T15:02:26.003Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "News1.aspx", "pattern": "[file:name = 'News1.aspx']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788", "created": "2017-12-21T15:00:31.140Z", "modified": "2018-08-03T20:34:40.945Z", "name": "mail-macroadvisorypartners.ml", "pattern": "[domain-name:value = 'mail-macroadvisorypartners.ml']", "valid_from": "2017-12-21T15:00:31.140Z", "labels": [ "malicious-activity" ] }, { "type": "indicator", "id": "indicator--ffb49010-2a49-474f-8e10-81c129a94997", "created": "2018-08-03T20:30:50.665Z", "modified": "2018-08-03T20:30:50.665Z", "name": "TrafficHandler.dll", "pattern": "[file:name = 'TrafficHandler.dll']", "valid_from": "2018-08-03T20:30:50.665Z", "labels": [ "malicious-activity" ] }, { "type": "malware", "id": "malware--3f0d13a9-3ff6-4d48-8060-55b6f1e6bedb", "name": "Helminth", "labels": [ "backdoor" ], "created": "2019-10-11T20:07:05.432Z", "modified": "2019-10-14T14:34:42.539Z", "description": " \nExecutable and VBScript/Powershell Trojan that uses HTTP and DNS to send and receive data from its C2 server. This Trojan was used in targeted attacks on Saudi Arabian organizations." }, { "type": "malware", "id": "malware--5246bc7d-be84-4c5b-8e05-6790cd81568e", "name": "ISMInjector", "labels": [ "trojan" ], "created": "2019-10-11T19:50:26.495Z", "modified": "2019-10-14T14:34:42.539Z", "description": " \nISMInjector is a Trojan that is responsible for injecting a Trojan into another process. The payload embedded within the known ISMInjector samples were variants of the ISMAgent backdoor. ISMInjector injects the ISMAgent payload into the legitimate \"RegAsm.exe\" application, which is part of the .NET Framework." 
}, { "type": "malware", "id": "malware--a233f5c3-53d4-4196-a1a3-a74151abd524", "name": "Clayslide", "labels": [ "dropper" ], "created": "2019-10-11T20:06:09.070Z", "modified": "2019-10-14T14:34:42.539Z" }, { "type": "malware", "id": "malware--a933d627-2a1a-499c-9dad-be8cc2e04dd6", "name": "OopsIE", "labels": [ "remote-access-trojan" ], "created": "2019-10-11T19:59:04.200Z", "modified": "2019-10-14T14:34:42.539Z", "description": " A .NET Trojan delivered using the ThreeDollars delivery document by the OilRig threat group. " }, { "type": "malware", "id": "malware--c56fd492-b07a-4de7-9d74-0b5136cd9a77", "name": "ISMAgent", "labels": [ "backdoor", "dropper" ], "created": "2019-10-11T19:48:28.830Z", "modified": "2019-10-14T14:34:42.539Z", "description": " ISMAgent is a payload used in targeted attacks on organizations in Saudi Arabia and has been linked to the OilRig attack campaign. ISMAgent uses the same DNS tunneling protocol to communicate with its C2 server as recent ISMDoor variants. Due to considerable differences between the previous ISMDoor samples and the newly discovered variant, in addition to evidence of potentially different authors of the tools, we will be tracking this new variant as ISMAgent. 
" }, { "type": "malware", "id": "malware--d62bf08d-2145-42a9-ad32-e2a5c82d3c2d", "name": "ThreeDollars", "labels": [ "dropper" ], "created": "2019-10-11T19:52:48.055Z", "modified": "2019-10-14T14:34:42.539Z" }, { "type": "relationship", "id": "relationship--0021f86a-b604-4cbf-b48d-ad778ce6fcf0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--002543e5-d85d-441c-99a3-c9be12e4f321", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44", "source_ref": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--002a932b-d4c7-46b0-91ae-3cb2fa6a8c96", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--003fce1d-6a57-40d4-96c9-dcdfa14582b8", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "webmail-tidhar-co-il.ml", "source_ref": "indicator--52139071-3ddd-4025-85a2-515004370eb1", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--008da2c6-0d38-449c-8a36-3d7b0d815ac0", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", 
"description": "Uses HTTP for C2", "source_ref": "indicator--df6e4110-8f96-4388-a418-8f8418e107ba", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--00961737-3288-4c1f-a743-45fff7952105", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "89.163.206.0", "source_ref": "indicator--70b13368-9612-437e-a2fe-206b51ccdce4", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--025263b6-efac-4cb4-a211-d3565a08157d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--0259baeb-9f63-4c69-bf10-eb038c390688", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" }, { "type": "relationship", "id": "relationship--02c46d2a-3676-4929-ae28-b10cc3cf258b", "created": "2019-10-11T20:06:16.194Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "indicates", "source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "target_ref": "malware--a233f5c3-53d4-4196-a1a3-a74151abd524" }, { "type": "relationship", "id": "relationship--02c91cc9-6b95-43bb-a40a-7cf3075f93a4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", 
"id": "relationship--03d7999c-1f4c-42cc-8373-e7690d318104", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" }, { "type": "relationship", "id": "relationship--0438cf83-ee23-4963-8764-0152de9ffa2b", "created": "2019-10-08T16:05:33.633Z", "modified": "2019-10-08T18:26:32.830Z", "relationship_type": "targets", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "identity--5b8b881a-7707-45a2-9f38-e33665844311" }, { "type": "relationship", "id": "relationship--04dd51c4-aaa5-4128-bf07-1e8ebfa23681", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--04e50a95-1d68-4e11-abce-8325c7a70b57", "created": "2020-06-08T16:14:51.935Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc", "source_ref": "indicator--565c1a62-b4f0-4e2f-a4de-83944dfc8c10", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--055e43b5-638c-4525-94f6-5a31d078f563", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--05889549-3c49-4443-a33a-e33b89653774", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", 
"relationship_type": "indicates", "source_ref": "indicator--ffb49010-2a49-474f-8e10-81c129a94997", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--05f41c44-8180-4a23-9eb5-db4551ea4090", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--062079ac-7bd7-45b5-bc97-b234e4d84fc4", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses HTTP and DNS for C2", "source_ref": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--068ee331-72ba-45b0-9dc5-e785e116fdb4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--06abb6c9-7048-4047-89b3-f941c455a4d5", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--06cafa2f-85d6-43bb-8527-ede8377c0860", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": 
"attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" }, { "type": "relationship", "id": "relationship--075303bf-f6f4-4baa-a393-7af277914e55", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--075e72ca-b0dc-4d70-b68d-cfd4e478d017", "created": "2019-10-11T20:07:19.943Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "indicates", "source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "target_ref": "malware--3f0d13a9-3ff6-4d48-8060-55b6f1e6bedb" }, { "type": "relationship", "id": "relationship--076d5ade-2e17-4fac-9884-78e285587a0b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.077Z", "relationship_type": "mitigates", "source_ref": "course-of-action--60e78a97-dcc6-4d67-a310-ed7f16e0218a", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--07adbd5d-12a8-46f2-b38b-772754668b90", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--07d1feb5-6575-40ac-8df0-9b7c169a2b29", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Tasks created by Clayslide to automatically run Helminth every n minutes.", "source_ref": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, { 
"type": "relationship", "id": "relationship--07e0d758-6ce5-4f41-b4bc-7e85aa1c3d08", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--082e36ee-bea7-4c54-a1ed-d58934bffbeb", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--08678c64-6347-4a01-9b9c-542d6e8f95d7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--08784c53-dee3-4228-9e73-26b1af341316", "created": "2020-07-08T14:53:50.909Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--30745f2a-676c-4f48-8677-7382d24ed21d", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--08d568cf-cade-4f97-ad20-2ce0d976011d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--0940af0b-5578-4e51-b4a1-3d4b3b1b9544", "created": 
"2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--098b5e44-9cf7-4fe6-9bab-cb443e7d352e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--09c48684-c0c0-44e8-9106-a363824aeda1", "created": "2020-07-08T13:00:03.107Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "description": "RDAT uses email for a C2 channel by interacting with the local Exchange server with the Exchange Web Services (EWS) API.", "source_ref": "indicator--f2a66702-33c8-42ad-87f4-2abcec5ee996", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, { "type": "relationship", "id": "relationship--0aaba814-33a9-4dad-a654-b32d87ab907e", "created": "2019-10-11T20:07:38.153Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5" }, { "type": "relationship", "id": "relationship--0b30e016-6bfd-4f60-aaed-15df952f29f7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": 
"attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--0b3a0467-4773-434a-9707-44b930eb54e6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--0b54c0c8-6a54-4f1c-bafa-1f81e5c68418", "created": "2020-07-08T14:53:29.531Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. ", "source_ref": "indicator--8e5578f7-39c9-4fb4-af27-4c1b3d09bc8a", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--0b783e46-b83a-44ef-a7cf-fdf7b1495244", "created": "2020-07-08T14:58:52.667Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--6dfbe1f5-d102-4fde-b97d-c05776a41b78", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--0bcb6a87-86d8-408f-bd39-9a1696d3959a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--0c5dd13e-ad1c-423e-89fa-2b8010d11288", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": 
"relationship--0ce5baf6-ec27-48bd-a626-3169b4bef839", "created": "2020-07-08T13:00:03.107Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--f2a66702-33c8-42ad-87f4-2abcec5ee996", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--0d246a3a-aa03-41d8-b994-6ae14ffecd4f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--0d69a54f-2c9f-42d6-a328-55131ba7a328", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--0d8a7165-6460-4b0b-a779-21cb5a1f6a14", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--0d9d317c-9e3b-4704-bc54-afa916b9a478", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--0dc9fe6a-99e9-43e8-8d62-163a06324b15", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": 
"indicates", "source_ref": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--0e1b995e-27c8-40f6-84a8-3b1095dcd0bf", "created": "2019-10-11T19:57:11.603Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--0ee5ee72-1073-4158-bbd2-41f835d67a13", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--0f2d8d9e-b04e-4f9b-bde0-993b8c50b013", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--0f653c28-3ff7-4d1e-96ca-edb4cf632a29", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--1013f916-605c-4203-ae25-b1701b4f94ae", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Operators use mimikatz to dump credentials", "source_ref": "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, { 
"type": "relationship", "id": "relationship--102c9f05-756e-412f-9fc2-d59a2f055e47", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--11ae589e-a755-491d-8374-5b5def0389cb", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--127390be-0ff7-4f80-8a26-6bcac47581f5", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth checks registry to see if RDP is enabled on the system", "source_ref": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9", "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" }, { "type": "relationship", "id": "relationship--12c3b9ac-e5a8-4c3b-9ade-46a50941a67f", "created": "2019-10-11T19:58:04.738Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "indicates", "source_ref": "indicator--8a419fc6-b0dd-466b-a2d7-23e5c30f1707", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--12f06656-19c7-4a0b-aafc-fa164959980c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T00:56:22.465Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--131b0239-0613-4260-a513-42cbe643063a", "created": "2018-08-03T20:30:53.040Z", "modified": 
"2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--13c938b2-52a0-45b2-a1df-3c67c2b8f410", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--1461951b-7965-4607-b0c7-df32e59ad494", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--66779efa-ecc3-4e80-91b9-c584b171ebe6", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--14b468db-564c-4656-b180-aae331fcaa37", "created": "2020-07-08T13:23:29.623Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "description": "The HTTP C2 channel uses HTTP POST requests to transmit data to the C2 server.", "source_ref": "indicator--2464959e-820d-47c4-9785-d982888376ec", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--14dd4dda-0e14-4da7-9be8-21b763b11ebb", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--14e32a01-2916-4348-a7a4-e6ab999cf24e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": 
"indicator--793e3414-7023-4bd6-8d03-def9852cee0f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--15515310-419b-452d-8040-1f59b9443ae1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--15dbf668-795c-41e6-8219-f0447c0e64ce", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" }, { "type": "relationship", "id": "relationship--160ed6e7-b00c-4d8d-88ad-f6e807480ba4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--1649785c-1541-41b2-a7e3-3ba214681eea", "created": "2019-10-08T16:11:40.339Z", "modified": "2019-10-08T18:26:32.830Z", "relationship_type": "targets", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "identity--c7dc2a79-4dbe-463b-a58b-24c781041f30" }, { "type": "relationship", "id": "relationship--16532c2c-6c6e-499b-a4d2-7068198b63d7", "created": "2020-07-08T14:15:36.358Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT C2 Domain.", "source_ref": "indicator--5134cbd0-890e-46e9-912e-2eb2e7c71356", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": 
"relationship--166ef948-ae30-49f5-bd31-5d7cea1e53ad", "created": "2020-07-08T14:53:40.300Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. ", "source_ref": "indicator--e1b441cf-0d08-4711-80e3-7f1724e3a88d", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--1689721a-39e5-414d-ac1b-20bd084fa72d", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--1753a9b0-9ce7-40f2-abfc-9cbdd111c1a9", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--175f1636-a51e-4c1c-bcee-1a87d8791791", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--176f8da5-e078-4cb7-867c-0a807281b7e6", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 checks local users and groups via the net application", "source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" }, { "type": "relationship", "id": "relationship--17ab2b13-a831-4bc6-9994-4cbedf31698d", "created": "2020-06-23T19:50:42.481Z", "modified": 
"2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--17e8782b-ed62-4d33-901d-e023b2b1b946", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Tasks created by malicious macro to automatically run OopsIE every n minutes.", "source_ref": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, { "type": "relationship", "id": "relationship--18984045-bb93-45ac-b8d5-2895044e3b01", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" }, { "type": "relationship", "id": "relationship--19ce8250-86e1-4279-b023-cbb787365eeb", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses HTTP for C2", "source_ref": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--19f310d3-6ddd-4aa0-9a34-9c691dc3facf", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" }, { "type": "relationship", "id": "relationship--1b53eec4-bef9-44e7-9b55-7d0b2d84f82e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.605Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": 
"attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--1bf22461-d9e5-4976-aaef-98b7fc7c69e0", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696", "source_ref": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--1bf349c7-b572-4d9c-b2cf-12f6bd9e980d", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--1c47ce45-2ecb-4985-80e1-adc61b0671ef", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--1cd465d4-05d9-463e-9036-433a7af716d6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--1d0caee9-876e-4c4e-91af-c709788cbaef", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:04:57.291Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", 
"x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--1d6a734e-37af-4531-81c1-479410d3af12", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:12:24.265Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--1d79f0ca-e426-4cd2-bf79-7c77fc05ce05", "created": "2020-07-08T14:12:55.557Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT C2 Domains.", "source_ref": "indicator--2bd3da7e-748b-4727-bc61-23e4582ff60f", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--1f7cadc7-e1c3-47cd-afb0-b98c93ccb965", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--1fc0d5c4-9e6e-4d3e-82f1-cbf7d04cc79c", "created": "2020-07-08T12:59:45.190Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--b4743bb8-5c61-4399-b281-c2345abd410b", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--20610904-7759-4410-94c7-4e7366846573", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--2071703f-96fb-4e5b-9406-958e1d153b8b", "created": "2020-07-08T14:52:56.128Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", 
"source_ref": "indicator--7bd90223-3f43-4831-b065-363c883bc015", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--20abd688-0b68-4930-90d4-512505ab640d", "created": "2019-10-11T20:02:59.591Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "uses", "description": "Attachment names and email subjects", "source_ref": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--20d2c714-b041-48c3-a3a3-20d9b9f7d1ba", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--210fb88a-27b3-417d-93c6-66f75a5a81b6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--211ad95c-8339-4f13-8d3c-0bc89af1245e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--21675b90-de06-4e3c-9d53-5c1bea947222", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--21ce34c9-4220-41cf-85c7-bc289bb2c79d", "target_ref": 
"attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--22a6c66b-08b3-49ff-a5e3-af9063a2d609", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Standard Application Layer Protocol", "source_ref": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--22b09015-9ae3-4b16-8a89-954ab6a065ce", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--a0012b87-ad05-4c74-a014-9957d1795397", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--22cc20f5-87d2-493f-b4c6-21a8f35e270f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--23252e05-4ae9-49b1-95d1-8346434481fa", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--2379ab55-92b4-45a8-aa89-5da8f302d1a9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "URL 
Filtering" ] }, { "type": "relationship", "id": "relationship--237cd050-242a-4745-8b86-645a7df117ac", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--2394f246-58a7-44de-b7b2-b37ff0b3750b", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--245e3eb9-2ac3-45a3-9500-930b2ef97dac", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.605Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--25937292-8d4a-47e5-ad8c-88ebfb948b1c", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--5580c978-1497-40a4-bdc3-756b841776b1", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--25f09f89-4384-4840-853f-0a2f67a505b6", "created": "2019-10-11T19:46:00.046Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "uses", "description": "Malicious Attachment.", "source_ref": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": 
"relationship--262bc6f7-1167-4b5f-8f0d-622e9c38ce02", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.077Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--279fb95d-05a7-449d-9ded-c66215063621", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--27c8933d-2eff-4304-beab-76004e389345", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:16:48.567Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--27d8b631-caec-4897-a402-36d35c0d3b22", "created": "2020-07-08T14:59:54.974Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--0b42f202-10a1-4a5e-b714-e5279164a015", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--2877930e-7351-4e4a-b14b-13b465bb1ebd", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:04:50.332Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--28a5a536-2f5f-415b-a268-79bb7b2d7a1c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": 
"mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--2a7da7d8-a8c1-4131-b206-e4f9442eb3e5", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--2b3b6a2d-c8af-4ad2-8a67-5114108156a5", "created": "2019-10-08T16:04:45.491Z", "modified": "2019-10-08T18:26:32.830Z", "relationship_type": "targets", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "identity--c7e23c62-8c87-4584-9787-2cffec8414ce" }, { "type": "relationship", "id": "relationship--2b4fb546-289c-4752-bf3d-21557d77c3ce", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--2b742742-28c3-4e1b-bab7-8350d6300fa7", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--2bf462e4-2582-4923-a47c-7626405833b3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:16:41.571Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": 
"relationship", "id": "relationship--2c729486-d56e-43a6-9eab-e8908209ab67", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--2c99b67f-666b-41af-b4e4-2346360bcb11", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--2cf0b18b-55cb-44c8-9ea5-b792a1a6ddb2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--2d20727f-27d9-4526-8c81-31095614a6c9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--2deaa2ab-2c27-42af-bcd6-ca6931c6ed07", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--45680f4c-a738-4515-ac9a-7b9852526159", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--2e34237d-8574-43f6-aace-ae2915de8597", "created": 
"2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--2e74e182-c3cd-4e58-91dd-a0873839cb98", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--2ebd1237-4d0b-4f29-9f82-634286bd03a3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--2ed033ff-baa0-4465-ac9c-5ada1d746ad5", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "mail-macroadvisorypartners.ml", "source_ref": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--2f7f4894-d070-4eaa-b6c8-0bafcb02b284", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--2fe3a209-7517-4247-96b4-b99cf3bad10f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--2fe72a9c-2bed-4f6b-8fcc-a19cb266e8b9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--30208d3e-0d6b-43c8-883e-44462a514619", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619" }, { "type": "relationship", "id": "relationship--302d533a-d8d4-454e-b5c1-8252d7c71f02", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--30979464-94ff-4da9-99ff-c24795cf9929", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--309a33e6-9ccb-4190-8de5-a9e16df2fda6", "created": "2020-07-08T15:00:12.734Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--60c48c35-8820-413b-84a9-fd76ce45b951", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": 
"relationship--3153a4d5-b2a3-4330-8090-6b10f0ede286", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--32b52767-3115-426f-9cb8-7df30149261b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--3382938c-fb1d-4d5b-971f-25420e84134f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--33f9b7e1-14b2-4e9e-a83d-d2463093ebef", "created": "2019-10-11T19:59:38.866Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "indicates", "source_ref": "indicator--ed7365d8-f542-444a-8224-60221233acfe", "target_ref": "malware--a933d627-2a1a-499c-9dad-be8cc2e04dd6" }, { "type": "relationship", "id": "relationship--345337e3-a082-44a4-aaea-12d1e06747bd", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", 
"relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" }, { "type": "relationship", "id": "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--3563da55-300f-46e8-bc8a-fd9d910e4aed", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, { "type": "relationship", "id": "relationship--36239699-f2ea-4131-9154-656ab8f94788", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--3654e0f4-2dd0-47dc-858b-3de3acc37c44", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": 
"relationship--365e252d-d64f-477d-9f21-e171ff5c6485", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth C2 reports back system information", "source_ref": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" }, { "type": "relationship", "id": "relationship--3675a4d6-d1bd-4f11-b4a6-8b61e4155996", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--36c01cdc-0150-400f-b650-ccdbe3219e0e", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors install webshell onto webservers to gain access to network ", "source_ref": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" }, { "type": "relationship", "id": "relationship--36c10fc6-545f-431c-8f83-5a675dd7b812", "created": "2020-07-08T14:52:36.153Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--49bbfc5d-0cfb-4d7b-9051-3067ad34723f", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--36e32d47-d235-4e47-849b-6846dc8506d9", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--70b13368-9612-437e-a2fe-206b51ccdce4", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--3701777f-6995-4031-82d8-b160a3ea8f9c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--3706ccb0-5dbe-426c-82c1-6f4565a6357b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--376609da-e365-4dcd-89eb-addcaf73040b", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--379e84b6-d424-412b-80bc-e0246073fd70", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", 
"id": "relationship--380efc20-d11f-48c3-b5c8-8cf98841cef2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--38160abc-41d1-4b26-b37f-f0e513328703", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--38276b27-0ed5-45a0-be2c-c2ec6128d811", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--388a380d-18d0-4be4-81fb-c1a0b4486120", "created": "2020-07-08T14:50:13.817Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--6928ee56-805a-4f47-a428-9f41fb9faa6c", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--38f20f69-6786-445a-a582-8624b6bc4d9e", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--3922ea85-cf50-4d3e-becc-01d0c1efc307", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--3950e32e-d243-4f21-8cce-7938d4f3c9ed", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--39551803-96ad-4ce1-be61-1794292ceaf5", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.605Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--396c688c-a3ca-40f5-b0eb-1fc73898f178", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", 
"target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--39949868-2ae1-4934-88c9-cf743827aab8", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--39e9bcea-563f-465e-bb6c-5b3e336822d5", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--3a2707a4-e5a4-4974-b2eb-39ebda7eb01b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--513f7288-0f4f-49d1-8447-8664f065d798", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--3a3f4a27-177e-4128-be8c-a54f7535e6bf", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--3abed9e3-31c2-47da-9967-482c8f6bf2e4", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": 
"relationship", "id": "relationship--3aff7d45-5158-4e28-ba65-fefe292f7286", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--3b4a4bd3-bf20-426b-bf9d-930963fa731d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--3b4d3dd1-df77-4267-8fff-9eda563fe60e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--3bc00052-beee-4988-ab84-d16640a20c88", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--3c3c1a59-cd2b-4292-b91d-8437022c0576", "created": "2019-10-11T19:51:00.446Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "indicates", "source_ref": "indicator--e0300bff-605a-4969-a37f-01e1cd22a05b", "target_ref": "malware--5246bc7d-be84-4c5b-8e05-6790cd81568e" }, { "type": "relationship", "id": "relationship--3c86430c-b50a-4841-b720-33ed783fa150", "created": 
"2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "212.16.80.102", "source_ref": "indicator--8aba6285-00ba-4a83-a366-8c634228c80f", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--3cade3ef-8857-4f8e-9b26-896a82ba14a9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--3cb00f22-8efd-4b4c-9737-cc31667e85d6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:14:50.730Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--3cb11971-cc25-4210-9bfc-98d4ee0ab07c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--3cb61524-aff1-4690-852c-69b94bf739b9", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "91.121.237.224", "source_ref": "indicator--3c52b486-9d0f-4197-890f-615001e6df35", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--3d17a550-380d-4fe0-9089-de0d0c7cb96b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": 
"mitigates", "source_ref": "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--3d79c27e-b192-410d-806c-f53e79599518", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--3d924f97-d12f-4cb6-b163-08aac65a84e7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--3d957e59-d370-45ab-9304-cb6f1c92f49d", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--3dbc226d-7b19-49f5-bc48-7ac52ef535f0", "created": "2020-07-08T14:12:28.645Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT C2 Domains.", "source_ref": "indicator--87112435-30e8-4465-9793-06d406cf5e44", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--3ded4025-95d1-4532-a2e0-3ae6d16a439f", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": 
"indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--3e109704-122f-40cb-8733-94c97abbf78a", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "138.201.209.162", "source_ref": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--3e6874a1-1144-4054-9097-7221832eab70", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--3e7d830d-8acc-4c71-9592-72e75c537c61", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:14:44.723Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--3edbe17b-a073-45b9-800e-a653c91e9cb7", "created": "2020-06-09T12:08:55.835Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" }, { "type": "relationship", "id": "relationship--3f09d478-8ab3-4438-ba45-cc863a830d93", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--58d4b1e7-a7d1-45d8-855b-b5e13ace3dba", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": 
"relationship--3f762506-8417-46d7-b1ed-5234376537c2", "created": "2020-07-08T12:21:55.726Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "targets", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "identity--4d1d54c4-6665-4112-979a-52a56b6272d4" }, { "type": "relationship", "id": "relationship--3f93cfb2-b920-453d-8660-3da132ebc45a", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--40100c96-0a05-4d7b-87a5-42a94fb090ea", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--406f16d7-17ac-4736-be4c-481a56e43d9c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T00:56:15.266Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--40813dcd-5d8f-438d-ae5d-c1192e4251fa", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--40d6b506-800d-4621-b25b-0c8fa5c313c1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", 
"relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--416774c3-cb83-461f-9f25-ab6d5fa6543b", "created": "2019-10-11T19:45:51.360Z", "modified": "2019-10-14T14:34:42.540Z", "relationship_type": "uses", "description": "Malicious Attachment.", "source_ref": "indicator--5fcecf74-b682-4781-904d-f261f101282b", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "attributed-to", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": "relationship", "id": "relationship--41cfa6d4-6593-48aa-b742-332a5e45658e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--41efb691-eea7-4f15-9c25-d9dbdb7e991e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--41f4f1b7-c79f-49ab-9a17-9ef02bcb1689", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": 
"relationship", "id": "relationship--41fabc5f-1954-4819-8e3a-18f796bc7a72", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--4289f0a3-65c7-4733-9743-09ed517283d4", "created": "2020-07-08T14:53:29.531Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--8e5578f7-39c9-4fb4-af27-4c1b3d09bc8a", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--43382c84-b63a-4f6d-950f-e838645aa6a8", "created": "2020-07-08T14:50:42.520Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--6eb198da-c5e6-460f-b504-7dbf5003eb1d", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--439af09f-4105-4246-9e8f-af81fd51cdd2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--43eafced-45a2-4c58-b197-aa9b49a04891", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--450c6745-0fa7-4773-8a98-4d7f982a9209", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "net user", "source_ref": 
"indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" }, { "type": "relationship", "id": "relationship--4528c0cc-704b-4da9-b9dd-4d75fd85cfc9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--456ad893-84d7-4b0e-aca9-84ee81a31b08", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "O64.exe", "source_ref": "indicator--45680f4c-a738-4515-ac9a-7b9852526159", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--45c0877b-9b85-433e-b9fe-1505dd7735a4", "created": "2019-10-11T19:58:04.738Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "uses", "description": "Malicious attachment dropped.", "source_ref": "indicator--ed7365d8-f542-444a-8224-60221233acfe", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--45ef6ecc-e1b6-4b37-a9e4-0d32e04bbe96", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:20:35.148Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--45fd70e0-0e7a-42f0-acdf-950e23cc4b70", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "my-mailcoil.ml", "source_ref": "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56", "target_ref": 
"attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--470c322a-59d2-4659-8d15-58a73ec8353d", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:15:42.456Z", "relationship_type": "mitigates", "source_ref": "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--4733c6d7-b135-47da-8396-5b1063285d06", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:12:38.167Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--47f2d673-ca62-47e9-929b-1b0be9657611", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" }, { "type": "relationship", "id": "relationship--4886e73d-48eb-4ebe-b234-bad694db5357", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--49429187-47ff-4b3c-a54e-12c976af7e6c", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--49b0fe85-3493-4c1c-a2f0-fa2734863fef", "created": 
"2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors install webshell onto webservers to gain access to network ", "source_ref": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" }, { "type": "relationship", "id": "relationship--4a0c67e6-098f-48e4-b92a-c09fc554c8af", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--4a353e98-35b0-42c0-827d-2032f0b6ea46", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--4a4eef49-e1e4-454d-83de-4b00a87ecaf0", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--f119cf69-6230-4cea-ba31-9768f647b81a", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--4a731c53-d7f8-444f-8a04-af2b60b097c5", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--4a7439e7-4d43-47ee-8a39-f38519ee1f54", "created": "2020-06-08T16:19:37.692Z", "modified": 
"2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7", "source_ref": "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--4a93b203-f7db-4a72-8a2a-1337678e9a58", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--4af5387c-a480-4c80-8063-883579fa81da", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49790670-d365-43f8-a906-8e45c3c80f63", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--4b1db881-eed3-4815-b396-eb1fa7816ff4", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "138.201.209.182", "source_ref": "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--4b274066-c8ce-4094-9bdf-623cef6fe84c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--4b67d5ee-8d2c-4bc1-93e9-f7a2c4a64fdd", "created": "2020-06-08T16:14:51.935Z", "modified": "2020-06-10T20:29:03.409Z", 
"relationship_type": "uses", "description": "74f61b6ff0eb58d76f4cacfb1504cb6b72684d0d0980d42cba364c6ef28223a8", "source_ref": "indicator--e6bc70bc-2221-4ae7-a19b-ef53115f6174", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--4b914c99-5397-4d89-b99c-39eeeea96349", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 runs the tasklist command", "source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, { "type": "relationship", "id": "relationship--4c931c47-5d1c-4654-85e7-65b36a0493b4", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--4ca0ff4d-5ff1-4285-a1e6-ba8c1b9d7d32", "created": "2020-07-08T14:50:23.304Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--28ddd8f2-72d0-4c05-a72b-4927f9b4a3ef", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--4cb378a1-9fa6-499e-bcbf-8b7d48ab8e51", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Operators use mimikatz to dump credentials", "source_ref": 
"indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, { "type": "relationship", "id": "relationship--4ce02538-c986-46b2-a440-bcef6bf02450", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--4d66db34-db66-4644-8327-ba77168e30f1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:15:35.619Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--4db2c40f-18cd-440d-b849-3005efab7a98", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--4dec9710-a380-4824-bb71-ca9b8c16d183", "created": "2020-07-08T13:28:33.449Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688" }, { "type": "relationship", "id": "relationship--4e502b39-2e6e-4038-9359-d3e6ecf38ec7", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Exploits CVE-2017-0199", "source_ref": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" }, { "type": "relationship", "id": 
"relationship--4e60ba1f-b3b5-43e6-b253-c1b4e3d7cf6f", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "S64.exe", "source_ref": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--4eeb79d6-f779-4cf6-9901-8ce3ba3d9a16", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Exfiltrates data to C2 over HTTP channel", "source_ref": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--4ff1f6b5-25dd-4c09-b535-2f18965eb7e2", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "O6.exe", "source_ref": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--500045d8-9326-4c5e-89a0-b8d33413999f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--51372409-6c33-4b17-a5fb-1193c80b15a9", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Exfiltrates data to C2 over HTTP channel", "source_ref": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--516d842c-508c-4032-a6e0-0b72ccaa0ae3", "created": "2020-06-23T19:50:42.481Z", "modified": 
"2020-12-17T01:15:48.171Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--51c8fc0a-a1a2-4279-8cb1-4a2b6611750a", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--51ce57cc-33c5-43ba-879a-32a32ed09d72", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent saves files to a specific directory that contain data to exfil to C2", "source_ref": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9", "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, { "type": "relationship", "id": "relationship--51d3fb1f-2eed-49c8-9eaf-d1082b0a3777", "created": "2020-07-08T14:53:19.061Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data.",
"source_ref": "indicator--c06f2a71-5b4d-4c0a-bce3-95ba1e7851d1", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--522ee958-3194-404c-9e03-3e254c597e11", "created": "2019-10-08T16:06:11.704Z", "modified": "2019-10-08T18:26:32.830Z", "relationship_type": "targets", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "identity--e407f512-c6e0-4b10-9017-e1f19cef983f" }, { "type": "relationship", "id": "relationship--52582b6e-d1e9-4787-bafb-9cf118fd0721", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--52727246-b6a9-45bc-9f6b-115c898a1374", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--a748b2fb-cef6-449a-9884-4d3342467796", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--535c8c72-10b3-4437-bf1a-1f035cdbf19e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--5376ad6c-639d-48bf-ae9d-00b5a785d736", "created": "2020-07-08T14:12:18.254Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--8cdb8bc6-bcf7-480e-aab5-b4e403d5e9a9", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--5406f85b-9f3d-407e-b755-6b9fdc6358f9", "created": "2020-06-23T19:50:42.481Z", "modified": 
"2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--541c5046-022a-435c-bf80-f7eb54e3d407", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--55192a67-dc22-4f61-beae-8dae931000c0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--55d7b65e-8aed-49ff-9cec-dbad10e62c76", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--561c2626-a140-4da4-8ae6-a5e65a09ccfa", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:13:23.205Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--565dc9d8-d654-4d34-ba0e-8e2806ffe829", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", 
"relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--56cb8cf6-6fb9-4159-9ec5-fe8aa33a769c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--21ce34c9-4220-41cf-85c7-bc289bb2c79d", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--58576c8b-7e2f-4c83-b18e-8fc144ceda40", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--58915020-0e11-4255-acf9-a5777553b0aa", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--58eb7e95-bc30-4658-a50c-eb9d044bc4d4", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--59fb94fd-a2ac-4df8-ae7d-8a96f07d65d4", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": 
"attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, { "type": "relationship", "id": "relationship--5a0f3bae-f669-4fb8-8151-1f9f7752f8ac", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--5b23ee0a-5073-45f0-b493-9ab6f0f33ff9", "created": "2019-10-11T19:56:55.386Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5" }, { "type": "relationship", "id": "relationship--5b65f703-079a-45ae-b6c3-96f623f60576", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:21:45.842Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--5b751821-2cf5-4aba-953c-fd7b86826555", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--5c01dc39-8b88-48b9-a8b6-bcc45947b13d", "created": "2020-07-08T14:58:52.667Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Related infrastructure.", "source_ref": "indicator--6dfbe1f5-d102-4fde-b97d-c05776a41b78", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": 
"relationship--5c5f025b-db8e-4085-80c0-73c2e095d9a2", "created": "2020-07-08T15:08:36.948Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" }, { "type": "relationship", "id": "relationship--5c91db08-13d9-4413-842e-9d2cf4abd589", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" }, { "type": "relationship", "id": "relationship--5d22d838-1cb1-4204-9e1a-a55a754ffe59", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--5d4f1e76-26ce-46d3-8831-9200cfbc08cc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--5d8c7c15-3ce4-46a2-8f8e-0a8609e9c55d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--5db030f7-a8b2-457e-bd71-174b5af772dc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--5e5ebce5-219d-4b25-b272-8dff82ba5039", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:41:07.626Z", "relationship_type": "mitigates", "source_ref": "course-of-action--19313cf2-7b61-4748-ac31-8db430033837", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--5e7ac4c9-46d4-42ed-b479-1d0b89c85cc1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:16:35.550Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--5e99bd2b-db13-40a1-9a21-ab96a7550beb", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--5ed807c7-29cb-4c7a-a59c-4dee9973d679", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--5f30bbb9-42a6-4885-89a1-812411565d88", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--6179156f-7bc3-4d4d-bde3-700ede4075a7", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--631f6c5b-6df4-40a4-a481-2d4e63699c84", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--6339b9fc-6595-4da0-98de-171d86decc16", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" }, { "type": "relationship", "id": "relationship--64faa5c9-2cf9-409a-b751-4960f7eb6714", "created": "2020-07-08T14:52:36.153Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--49bbfc5d-0cfb-4d7b-9051-3067ad34723f", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": 
"relationship--65334b6b-c08b-4ff8-9a35-cdcb93a5c4aa", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "kb-11.exe", "source_ref": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--65470772-4268-48dd-a35a-5e42c321f1e9", "created": "2020-07-08T14:59:29.188Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Related infrastructure.", "source_ref": "indicator--6c121823-7ad4-4766-8e22-d9966c43cf69", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--658aa6f8-f50f-47f1-9ba2-1bb3aa56b990", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "137.59.229.231", "source_ref": "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--6605649a-eaf7-4025-99e1-bc9caa718b89", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "logn-micrsftonine-con.ml", "source_ref": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--66370308-0954-48a5-9724-f1b7c1afb131", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--02e254af-73f9-4630-9a4e-350297d86505", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--6638f553-1c27-4f9e-8794-39255ffef883", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": 
"indicator--605f4247-c18d-407d-bf86-9973adf2995f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--668255ab-8f2c-4ea7-af6f-8ac4f1101a71", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--66c7f1b0-7e4b-4bcb-90fb-fcbc1bb431f2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--67574375-12d6-4f45-8971-466d8ab2b6fa", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell", "source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--67ef5657-7e22-48b0-a313-d00695cdc39c", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "5.39.59.97", "source_ref": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--6846ada7-0a47-48ac-89f6-df9deb5d00b4", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "target_ref": 
"campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--685d35a9-5470-4234-a3af-39167a958782", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--68b5aa49-18a7-41e4-a9d2-d5e27817e0ad", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--6a5ff5bb-8171-4eda-89c2-6ea5fe93aef5", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--6a64d167-f04e-49de-a274-ea457e0b303c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:04:42.247Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--6a652326-3b3b-40e3-a5d3-18fbe111732e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ 
"Wildfire" ] }, { "type": "relationship", "id": "relationship--6aabc5ec-eae6-422c-8311-38d45ee9838a", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--6ab3a547-6afb-4ae2-b4c7-9ab9c45de5e0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--6b0aac9d-ed96-4c55-a3d4-e903992eac3a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--6b34c0cf-32cb-4d30-93cd-5d20e77bd905", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors install webshell onto webservers to gain access to network ", "source_ref": "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" }, { "type": "relationship", "id": "relationship--6b5c6ed2-0c80-41c1-9d34-b94750849f00", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": 
"relationship--6b79d243-3344-486a-856b-9c80bbc9d7bd", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--6bf9f309-42d8-4690-8828-0e4943ec6114", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--6c6ca1f0-9d52-4014-885b-17fde4d4ec90", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--6c958735-1024-4591-b576-88c65538f763", "created": "2020-07-08T12:59:45.190Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "description": "RDAT uses email for a C2 channel by interacting with the local Exchange server with the Exchange Web Services (EWS) API.", "source_ref": "indicator--b4743bb8-5c61-4399-b281-c2345abd410b", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--6dd2e037-e5ac-462c-ad42-732853fe1a16", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": 
[ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--6e8b68d8-b954-49ba-b96f-af4537633457", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--6f2c0b6a-9ab0-4714-8279-e6a11e3c0637", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--6ff2cea4-4f39-480a-93da-9c3ef14adcb1", "created": "2020-07-08T14:12:18.254Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT C2 Domains.", "source_ref": "indicator--8cdb8bc6-bcf7-480e-aab5-b4e403d5e9a9", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" }, { "type": "relationship", "id": "relationship--70893e8f-6c9e-4e7f-a424-4e7df9eea046", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" }, { "type": "relationship", "id": "relationship--70ce103c-4360-4c8a-abde-63591527c5a1", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": 
"indicator--df6e4110-8f96-4388-a418-8f8418e107ba", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--712ba8e0-b0d5-4866-b66e-14ea23116924", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--72020d0d-b6dd-4369-85b6-a294fde2b922", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--720c7526-9483-4918-bca0-b924d7f4aa8b", "created": "2019-10-11T19:49:02.672Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "indicates", "source_ref": "indicator--e6bc70bc-2221-4ae7-a19b-ef53115f6174", "target_ref": "malware--c56fd492-b07a-4de7-9d74-0b5136cd9a77" }, { "type": "relationship", "id": "relationship--723d3c99-a17b-4767-9dd8-701270f67443", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors install webshell onto webservers to gain access to network ", "source_ref": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb" }, { "type": "relationship", "id": "relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, { "type": "relationship", "id": 
"relationship--7305e104-a7a9-4b02-8b14-b52d730aee8b", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--7385dfaf-6886-4229-9ecd-6fd678040830", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" }, { "type": "relationship", "id": "relationship--741c9fc7-da67-4f53-82bd-74876ab07ebb", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth C2 checks for the local admin group, domain admin group, and Exchange trusted subsystem group", "source_ref": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" }, { "type": "relationship", "id": "relationship--742a1fa0-c425-4972-83d5-603f56dd7932", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 checks local users and groups via the net application", "source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, { "type": "relationship", "id": "relationship--74600180-26d3-43d6-bf4f-686aa5365eea", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--74abc122-8d08-431d-947e-59ad1af5b87c", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", 
"relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--752f7494-bf73-4a92-9a5f-d2300928354a", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95", "source_ref": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--75565046-3fdb-4d19-a368-231d564f8072", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--7638658b-68c4-4786-aa80-3ecd52710bb3", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--7661613d-2a2e-49fb-b783-6253ccf05a87", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--76c8e37a-4ed8-4609-a555-dd0280d8e54c", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": 
"indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 checks local users and groups via the net application", "source_ref": "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, { "type": "relationship", "id": "relationship--77586b2f-7b6a-4316-848f-85fa5f30dc74", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--77f01a6f-1042-4503-bcf6-005a26b1aeb5", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "176.9.164.252", "source_ref": "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--77f1a790-84f8-4b21-b295-2130c8eaa7d1", "created": "2020-07-08T14:52:23.279Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--289251cb-2cff-4cbc-9e19-995310c5d8c0", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--7877f6f7-f6ff-4142-ada6-3b05b8825738", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--78ac3d60-829f-4cb1-9b4b-80405cd87c41", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--790040a0-6238-4ab7-b861-a0254cb6c25e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--791df76d-2cbe-48d1-b49a-a4297d5c0a4e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--798d3fdd-590b-4b01-a440-ba27c6d20f0d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.077Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": 
"relationship", "id": "relationship--799e79ab-38e8-4eb6-9155-17c058541f6f", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--7a090b7e-66a8-49b1-8b83-41ba7f9474ee", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--7a3c7b51-e2d1-41e3-ba09-0ccb3f29a5db", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--7b302a7f-7c59-4f91-853a-720de0ce8193", "created": "2020-07-08T14:50:13.817Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--6928ee56-805a-4f47-a428-9f41fb9faa6c", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--7b553b26-a4d6-4463-bc2c-956c587cf54d", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell", "source_ref": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--7b7ee3dd-a6be-46f4-9c5a-68a56311c924", "created": "2018-08-03T20:30:53.040Z", "modified": 
"2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--7b80f151-7338-4946-94dc-6f1fae4294db", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--7be13991-f221-48d4-b64d-ef1f343660db", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--7c514ee6-0bc6-437a-840c-a2abd6a5bf5d", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--112bb219-3133-4c6f-9e29-3efd820d9612", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--7c725ea9-4bd5-40f9-8b20-6e9734a3f761", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "137.74.131.208", "source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--7c78b490-5275-4de6-8983-5a8c7672eead", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--7cf3b3c7-a098-4e98-9071-c7cb2b657191", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--7d0693b6-74c5-4004-adbb-0f81caad40c3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--7d35e1e9-fa37-4840-82ba-76445d4f2440", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "d3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31", "source_ref": "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, { "type": "relationship", "id": "relationship--7e3ab41f-4fae-42a7-b8bc-f776c1411b6b", "created": "2020-07-08T14:59:11.264Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--20903cd9-29c1-4a41-9202-c1b473f1855e", "target_ref": 
"campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--7fda3c46-13ab-4d57-872e-9562fec78f32", "created": "2019-10-11T19:52:15.184Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "indicates", "source_ref": "indicator--565c1a62-b4f0-4e2f-a4de-83944dfc8c10", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--8120ab39-c19d-4f07-a867-97302f0f6952", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--81a1034e-9b48-4567-8fd6-d86d1b926c41", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--824184a6-259e-4aca-81a6-d66bf2962918", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--828a7d43-0e73-42ec-8edf-64aa679c3208", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": 
"relationship--831d5bf3-1bc3-46f3-8aaf-dc1a9ad15736", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--832a5d5b-6e8a-4ff4-b320-08ea09b6fc5c", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--83556ba2-cd6f-4f22-b1d1-c69aa48cff49", "created": "2019-10-11T19:57:48.275Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "indicates", "source_ref": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b", "target_ref": "malware--d62bf08d-2145-42a9-ad32-e2a5c82d3c2d" }, { "type": "relationship", "id": "relationship--83f16acf-7aed-47e9-b0ff-00859af381c5", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Webshells require authentication via an adversary-specified password. 
", "source_ref": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" }, { "type": "relationship", "id": "relationship--84b58393-1a52-4a76-96a8-4b3e3d75574a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--84fd2836-5718-4384-9379-ee114f3ed422", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--850d6f45-7b76-4b1f-bf93-0fa011691b87", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--85143f31-cafa-4a4f-a320-5474d1d89f84", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--85766ad7-7ae1-4a10-a65b-6987ce46dc60", "created": "2020-07-08T13:23:07.158Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--63c6b5e5-c5ce-4572-bad6-002f8f82d242", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--85aea0e7-9db0-489d-b034-558e9fd22e37", "created": 
"2020-07-08T14:52:12.252Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. ", "source_ref": "indicator--8fa6a942-6241-4133-b68a-ebe195ff7901", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--85b2df26-1dfc-4438-bc83-211c9a614b7e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:14:55.902Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--86a8ccb0-e97a-41be-9d51-a192692ad0a2", "created": "2020-07-08T14:53:40.300Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--e1b441cf-0d08-4711-80e3-7f1724e3a88d", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--874395b6-5a6f-49b1-ad27-1680a6566919", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 checks host network configuration", "source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" }, { "type": "relationship", "id": "relationship--877e437e-a9d2-46c5-9594-b63b51ff95d1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--8819613a-5346-4fba-aec9-fc1d95298e7c", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", 
"relationship_type": "uses", "description": "webmaiil-tau-ac-il.ml", "source_ref": "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--89696ae6-9dc7-4ce0-a8e1-77c0f110f793", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--898d677b-d728-44ad-a13a-a27b6267ec4a", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--89db064f-cdd4-4fed-bf21-6e66650939af", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--89df8ee0-e474-4d19-a893-888f5d2be96e", "created": "2020-07-08T14:53:19.061Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--c06f2a71-5b4d-4c0a-bce3-95ba1e7851d1", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--8a1a1a65-1121-4549-ad81-ee11fac08c99", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--58d4b1e7-a7d1-45d8-855b-b5e13ace3dba", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { 
"type": "relationship", "id": "relationship--8a229436-835d-4d5f-90ed-d26c4517c835", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--2bc55d71-48a5-4921-854e-351f762e24aa", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--8a56ef58-be60-407a-9643-eed90eae2920", "created": "2020-07-08T14:49:45.428Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--3c8cabfa-1b3b-4662-8f96-e873fe6188fe", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--8a7f1679-bd76-4ef0-bcf5-9e596bcd4ae6", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" }, { "type": "relationship", "id": "relationship--8a83132d-0a30-4cae-aa27-88feef4e229a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--8afda0a0-8acc-4c9a-a422-2b083024addc", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12", "source_ref": "indicator--793e3414-7023-4bd6-8d03-def9852cee0f", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--8b221b67-e765-4bfb-81d0-fea9a458519e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", 
"source_ref": "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5" }, { "type": "relationship", "id": "relationship--8c3a203a-c8a0-41cc-9301-8dc44b850b0b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--8c7819b0-d3b4-4a0a-be71-e6ed6c230513", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--8c7826d9-965a-43e5-9f4e-a1b5df1cc2e1", "created": "2020-07-08T14:52:23.279Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--289251cb-2cff-4cbc-9e19-995310c5d8c0", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--8d09c69f-a197-4070-8f6d-65389b15606a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--8d26f640-acf7-46e3-b1cb-e11c277dc101", 
"created": "2020-07-08T14:12:28.645Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--87112435-30e8-4465-9793-06d406cf5e44", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--8d386405-9c06-4b06-b6ef-83442ee79235", "created": "2020-07-08T14:59:29.188Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--6c121823-7ad4-4766-8e22-d9966c43cf69", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--8e293418-fbe5-4ebe-894a-320391c18c11", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 checks the current user's domain account and group", "source_ref": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" }, { "type": "relationship", "id": "relationship--8e9da3e8-ff65-4f2c-b5eb-53b4c20ec677", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--8eea338a-5ef1-461a-890d-7e14f860b296", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--8f1b3064-da4d-4c3d-8158-df4a0dda0b24", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:17:21.771Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--8f25d6a9-08cf-43bd-89e3-35133e5dd385", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, { "type": "relationship", "id": "relationship--8f69deef-fe37-44e8-b7b6-f268900dabf4", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c", "source_ref": "indicator--b20d9819-1488-4156-aef4-02234af0f67f", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--8ffcfda6-33ef-4fcd-ba11-afce2a26b2b3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--9067bdd5-17af-4865-9288-f4abecd91519", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": 
"relationship", "id": "relationship--906e0a78-c364-47f8-9795-94b53b6175bf", "created": "2020-07-08T13:23:29.623Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--2464959e-820d-47c4-9785-d982888376ec", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--915f1e1d-f8c4-4c19-b52b-4a574d94dadc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--918285f7-353a-436e-82f6-748281d7695b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--91b32542-ec28-4df5-8c6f-e1e7024d974b", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth C2 checks for the local admin group, domain admin group, and Exchange Trusted Subsystem group", "source_ref": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce" }, { "type": "relationship", "id": "relationship--923ab233-67f6-490b-b50b-e4850d179ba4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:12:44.458Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": 
"relationship--92525cb2-624a-4619-855f-7023a440b81f", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell", "source_ref": "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--92a95493-fa51-4321-9cfb-135e69b3191a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--92d7da27-2d91-488e-a00c-059dc162766d", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--92e8c67e-50af-4459-ba32-3dafbee2ee6a", "created": "2021-01-05T10:58:25.684Z", "modified": "2021-01-07T19:38:17.428Z", "relationship_type": "indicates", "source_ref": "indicator--9340dbc2-1b6d-46bc-a669-3fdaf13579cc", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--931398d5-ff3b-4626-a64a-58fdd9862a3f", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--939816fc-b86e-44fe-9025-73d17feffd25", "created": "2020-07-08T14:13:04.902Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT C2 
Domains.", "source_ref": "indicator--e28ef3f2-c14f-4890-bd68-16bc1e44e502", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--93c396d7-44b0-4218-bf2d-24c6299ec27b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--93fbb9c8-df84-466a-940a-55d0b1526c99", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--9445bf8c-218b-4585-be8e-c64fef63277f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--94df8915-193d-4b00-b530-7ec3b4f0dd7c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--958dc63d-aafa-4696-be3f-e6781ed6c7c7", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "137.74.131.208", "source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc", "target_ref": 
"attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--9639cfd6-c065-4df8-b100-91074c5f5d9b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--96cec984-85ac-4a83-aa3a-fc1e7ecd09db", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "HttpParser.dll", "source_ref": "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--9706197d-53cb-43eb-baa1-6f32a7f41fa0", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" }, { "type": "relationship", "id": "relationship--970a3432-3237-47ad-bcca-7d8cbb217736", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" }, { "type": "relationship", "id": "relationship--972a8c19-2c44-4c52-a6db-171280d18880", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--974a0043-f8cc-4d27-9153-5e6a9cf4ef8e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", 
"source_ref": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--98857351-247b-4a37-825f-d339b4c8bf4f", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--5fcecf74-b682-4781-904d-f261f101282b", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--989ee6d4-a36d-4add-9694-3b6333e58c0a", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "91.121.237.227", "source_ref": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--98f45185-6e7b-46a7-a556-7d485db554c9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--990c5f1c-9af7-43ae-9787-a0728607969e", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors save output of their commands to \"c:\\windows\\temp\".", "source_ref": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7", "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, { "type": "relationship", "id": "relationship--9938dad8-9983-4224-afba-d5ac0cf9da95", "created": "2020-07-08T14:17:45.504Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Domain used for DNS Tunneling.", "source_ref": "indicator--8cdb8bc6-bcf7-480e-aab5-b4e403d5e9a9", 
"target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776" }, { "type": "relationship", "id": "relationship--99550ca1-e3eb-4b67-a6c6-cc04247f6b2f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--999beab6-61c4-4381-b89c-c00fdb9fb815", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--99a1cd92-4f63-47ca-9a91-5e2bbda6cb0e", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd", "source_ref": "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--9a2fca24-140f-4a53-8b74-a2f6d7e793b4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--9af6030f-9528-489b-b02a-2257eec56b6b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": 
"attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9b983f39-267e-47b5-b147-b361a0c61613", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--9bcf537b-eb03-44bd-a8d9-0cf2ed107068", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9bd7f071-ba3a-408f-83b4-6419e6a1fae6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9bf6bc64-514b-4062-923a-e7d0c913a764", "created": "2020-07-08T14:52:56.128Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--7bd90223-3f43-4831-b065-363c883bc015", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--9c48c02f-d047-4dc5-b386-4e034ce10b7a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--9c4be733-7835-474c-931f-2c85adb4a3d2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9c58ac73-6e8f-40e1-a54d-323805ba0a22", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--9c64967b-5144-4eed-9a82-4ed956ffebd5", "created": "2019-10-11T19:59:30.244Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "indicates", "source_ref": "indicator--8a419fc6-b0dd-466b-a2d7-23e5c30f1707", "target_ref": "malware--a933d627-2a1a-499c-9dad-be8cc2e04dd6" }, { "type": "relationship", "id": "relationship--9c9f3116-36f9-4e50-831d-731861fe1332", "created": "2019-10-11T19:47:13.633Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "indicates", "source_ref": "indicator--e6bc70bc-2221-4ae7-a19b-ef53115f6174", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": 
"relationship--9cceda2a-532e-419c-bdbc-448bbddb9632", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--9cec34a5-ab91-490e-8bbb-8482cfb6e8f1", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--9d3bfb47-df55-41dc-9e73-978bd6c2d815", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--9d7f6452-2793-40cb-ab38-966196d1b12b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9d9548b4-5ee8-435a-b0cc-94387fc7634d", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--9dd1066b-d388-4c09-8a2b-748e8452c87c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--dfbe8c4c-b5c9-4ac2-a2f4-a43a73d1d621", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--9e2a3eea-7282-4a01-b4c6-936533794579", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "mom64.exe", "source_ref": "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--9e93dff3-1f55-4656-8f84-1f0f60734925", "created": "2020-07-08T13:23:07.158Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Potential artifact from previous version of RDAT. ", "source_ref": "indicator--63c6b5e5-c5ce-4572-bad6-002f8f82d242", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--9ed809cb-6ffa-4edc-8914-97ae7e43c75f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--9f3246bb-dab4-4722-add7-40fa0cc722df", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--9fdf5952-e551-403b-aa07-83132074b447", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", 
"source_ref": "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--a0086f27-655d-4854-a033-ab9500419d1f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--a154b83d-b6cc-40a5-ba75-8dc10e7b5164", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--a19e86f8-1c0a-4fea-8407-23b73d615776", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776" }, { "type": "relationship", "id": "relationship--a1a1e92e-7e0c-465e-8991-d196f5c519f1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--a1fa4f6f-35b5-4deb-b8e8-0608fd090d7a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", 
"x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a278e596-0170-4be2-8c10-99ec8ef8a9e9", "created": "2019-10-11T19:50:48.429Z", "modified": "2019-10-14T14:34:42.539Z", "relationship_type": "indicates", "source_ref": "indicator--e0300bff-605a-4969-a37f-01e1cd22a05b", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--a30567ca-29b2-45f0-bdf9-d0f3f7f2e4ba", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--a32dbf7c-3d72-475d-a4d9-525b9d8399d8", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--a3510d8d-8626-4b13-a179-f21c9897de13", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a35f6dfe-1a4c-44e5-af0d-4371543d3062", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", 
"id": "relationship--a41f0737-5a35-4ffb-9600-0150b80e28c7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--a43c3575-2529-46b0-980d-b733d836f4d9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a4ae9bcb-1340-4e18-a0ac-0194d56d7384", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--a4dbfcdf-ad9e-4a53-ad31-0a01fb73046f", "created": "2020-07-08T14:15:36.358Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--5134cbd0-890e-46e9-912e-2eb2e7c71356", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--a4e52bd1-2d4d-4b5e-8350-3daf6646a02f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--a5337583-4e1c-4984-9a93-da0cbb07d19d", "created": "2020-06-08T16:19:37.692Z", 
"modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "z64.exe", "source_ref": "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--a553c146-1b1d-4cdc-863e-dcd19e7f5674", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a564b76e-5f03-48e6-9758-eca9cde3e49f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49790670-d365-43f8-a906-8e45c3c80f63", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a5fb3c94-62f2-4328-8376-d3063cca9d12", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "92.222.209.48", "source_ref": "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--a6220edc-b057-4a8b-b6ae-c62b203fd172", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:29:47.272Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a62f8427-ef1e-4a80-b681-105699970adc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", 
"source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--a73255d7-18a9-4ba5-b3dd-242f539cf250", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--a76b95e8-4523-4f85-bdc7-1a140db6eb18", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--a7f21a7d-072c-48ff-96e2-4e14b98e01c3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "attributed-to", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": "relationship", "id": "relationship--a8d215ec-0d80-4257-959e-e5f7eafe8afc", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell", 
"source_ref": "indicator--ffb49010-2a49-474f-8e10-81c129a94997", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--a8ead479-ce2b-4104-9222-33139ecf1c10", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--89afe221-157a-48b1-a9b4-830eeba1bd5f", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--a92d4175-c63f-4e67-89a0-ed605b6267b5", "created": "2020-07-08T14:13:04.902Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--e28ef3f2-c14f-4890-bd68-16bc1e44e502", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--a9553839-6864-4037-bb49-226450e4ff76", "created": "2020-07-08T14:52:12.252Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--8fa6a942-6241-4133-b68a-ebe195ff7901", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--aa4142d5-200e-44b0-98bf-22b33181cde4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--ab0a9e07-5e5d-44a1-9f2d-5e0d2674ef44", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", 
"id": "relationship--ac822827-616f-4833-850b-45353f6d3a02", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--ac9399c6-5d08-4fe1-aa9f-929ffec9c6a7", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "kb.exe", "source_ref": "indicator--605f4247-c18d-407d-bf86-9973adf2995f", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--ac9794e9-4f47-483b-9ff7-d829f33cf3f2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--ad0aadbf-b691-4bf3-b26f-c5e505a553d0", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--ad255bfe-a9e6-4b52-a258-8d3462abe842", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--ad2e5183-af39-47af-9f77-607c32bce492", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Actors save output of their commands to \"c:\\windows\\temp\".", 
"source_ref": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2", "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, { "type": "relationship", "id": "relationship--ad42f1ee-2fc2-4741-a9c2-224074c9d080", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--adb4673d-a9e7-4984-ab1d-1701fa2362c1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--adf368c8-b965-4554-943c-291e77a226cb", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses DNS tunneling", "source_ref": "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00" }, { "type": "relationship", "id": "relationship--ae33522b-59ca-42d5-9cd0-28a61362d146", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--ae7ad065-af7b-4d68-9ca9-746db8957179", "created": "2021-01-05T10:58:25.684Z", "modified": "2021-01-07T19:38:17.428Z", "relationship_type": "uses", "description": "Bitvise client suspected to create SSH tunnels.", "source_ref": "indicator--9340dbc2-1b6d-46bc-a669-3fdaf13579cc", 
"target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" }, { "type": "relationship", "id": "relationship--ae847f0d-c6e0-4344-abe4-3a14d7c4e818", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--af207ed1-0aef-43d0-b440-84278d5c06d9", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0288c52e-7bd4-476f-9e29-534a122d173f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627", "created": "2018-08-03T20:30:50.665Z", "modified": "2020-11-24T16:40:21.680Z", "relationship_type": "attributed-to", "source_ref": "report--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": "relationship", "id": "relationship--af44a46b-84ce-4b3a-bede-d889c35c4499", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--afd71914-e3ef-4ee1-b358-2388d8124165", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--b01b2fc2-4743-4292-b48e-d6c9e04388d0", "created": "2018-08-03T20:30:53.040Z", "modified": 
"2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--b07a1eb9-56a0-4fa0-b7e6-c98ff4f0a3a4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--b0c9f423-990f-48c9-92e7-0cae81480a0c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3f6f590f-2752-40d2-8cfa-1e833435bbf6", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--b1038a10-9cab-45c9-b80d-cca8877a61c7", "created": "2019-10-11T19:57:26.685Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "uses", "description": "Malicious attachment dropped.", "source_ref": "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--b17a1a56-e99c-403c-8948-561df0cffe81", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81" }, { "type": "relationship", "id": "relationship--b200542e-e877-4395-875b-cf1a44537ca4", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:45:26.152Z", "relationship_type": "uses", "source_ref": 
"campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4" }, { "type": "relationship", "id": "relationship--b21c3b2d-02e6-45b1-980b-e69051040839", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:45:26.152Z", "relationship_type": "uses", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" }, { "type": "relationship", "id": "relationship--b22d96f0-fa4d-4614-ad7e-340076eb2047", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T00:56:34.806Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--b3a74588-3273-4d8d-9751-06e0548d7269", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--b3dff383-7bf8-4d0b-a336-388a86bae4f4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--b44cf25b-0fd8-4c4d-b571-4fc61d595ea9", "created": 
"2020-07-08T14:12:55.557Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--2bd3da7e-748b-4727-bc61-23e4582ff60f", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--b44f392a-0db4-4f4e-900a-4cbbfd41238b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--b48ee271-dba9-481c-9834-8678689dbdca", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--b4b946f2-16bd-4866-908d-08e6fa26df50", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2", "source_ref": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--b5781372-3677-4d71-a433-12abd5aa1faa", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--b20d9819-1488-4156-aef4-02234af0f67f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--b58ba438-7d8e-411b-a445-b5ff60dcf2aa", "created": "2020-07-08T14:50:42.520Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and 
exfiltrate data. ", "source_ref": "indicator--6eb198da-c5e6-460f-b504-7dbf5003eb1d", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--b5fc7aa1-06a2-4462-9f60-26b3eb4789e7", "created": "2020-07-08T14:59:54.974Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Related infrastructure.", "source_ref": "indicator--0b42f202-10a1-4a5e-b714-e5279164a015", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--b6080c1b-48c1-49f7-8b1e-11fade37f627", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses DNS tunneling", "source_ref": "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00" }, { "type": "relationship", "id": "relationship--b6594e0e-b8bb-4c69-8294-ecec1aa164b2", "created": "2019-10-11T19:52:54.449Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "indicates", "source_ref": "indicator--565c1a62-b4f0-4e2f-a4de-83944dfc8c10", "target_ref": "malware--d62bf08d-2145-42a9-ad32-e2a5c82d3c2d" }, { "type": "relationship", "id": "relationship--b7ccf9fa-f415-4ad1-b31e-c4f775d0f767", "created": "2019-10-11T19:58:04.738Z", "modified": "2019-10-14T14:34:42.541Z", "relationship_type": "uses", "description": "Malicious attachment dropped.", "source_ref": "indicator--8a419fc6-b0dd-466b-a2d7-23e5c30f1707", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--b821961f-c079-4c4a-867b-77f9be241ee9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { 
"type": "relationship", "id": "relationship--b84ec3be-1e4b-4d1b-91a1-53a9a50f01ab", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301", "source_ref": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--b8902400-e6c5-4ba2-95aa-2d35b442b118", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:56:13.483Z", "relationship_type": "uses", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118" }, { "type": "relationship", "id": "relationship--b896bb36-1b06-4132-8891-debfbc93ccb2", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--b8a257e1-0b93-4e73-8bb0-6ff31591cffc", "created": "2020-07-08T14:49:45.428Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--3c8cabfa-1b3b-4662-8f96-e873fe6188fe", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--b8f24ca0-e44a-4755-8d50-7226e2f01fb5", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--b8f35421-49bc-44fb-8fbd-4102b74dd833", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--b924249f-1ca8-4ea6-897d-db5187addc93", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--b927d998-8bf8-4871-b615-ef7217344f96", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--b99c7a27-ba87-42ca-9af6-7d29be9274df", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth C2 checks local users and groups via the net application", "source_ref": "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81", 
"target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, { "type": "relationship", "id": "relationship--b9bd9d7a-aad7-4ea0-9670-2c475c7ed4c0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--ba47022e-220d-4024-9238-84c72bd103f0", "created": "2020-05-05T13:53:52.836Z", "modified": "2020-07-08T14:10:01.415Z", "relationship_type": "uses", "description": "Uses HTTP-alternate port ", "source_ref": "indicator--06aee4da-bcca-4234-8b1a-35741adf2d67", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" }, { "type": "relationship", "id": "relationship--ba508fce-3c98-4f1b-af65-d14a5dc07f95", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--21ce34c9-4220-41cf-85c7-bc289bb2c79d", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--bad2a4cf-769a-485a-97a1-5fb5a72eee41", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--bb4797cb-ebb7-4ea0-9c83-47cb6f14cdc8", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.077Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", 
"x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--bb592a95-96c8-47cd-a7ae-db4c98c274c4", "created": "2020-07-08T15:00:12.734Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Related infrastructure.", "source_ref": "indicator--60c48c35-8820-413b-84a9-fd76ce45b951", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--bc22b40c-ad02-4aa2-81ec-073af2b6efac", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--bcf18721-0db0-4b01-96aa-50e0007cabac", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:17:31.197Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63" }, { "type": "relationship", "id": "relationship--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:45:26.152Z", "relationship_type": "attributed-to", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": "relationship", "id": "relationship--be9e4f9a-236f-4dc0-b4ea-e980228d58c7", "created": 
"2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--bf176076-b789-408e-8cba-7275e81c0ada", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada" }, { "type": "relationship", "id": "relationship--bf4d19f5-2ca2-4c6d-942e-ae85d56f3b0a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--bfa67af9-15d1-4325-a166-4b9d3c3dd239", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--bfdb3cb8-37be-4184-8e68-1811735b16f7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--bfe0d7a3-2ff3-499c-80e4-2d160a411385", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", 
"description": "owa-insss-org-ill-owa-authen.ml", "source_ref": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--c01d8b5d-221f-44f4-88de-5517bb183454", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--c0f12c46-47dd-4b9e-ae58-9a1ca3cba58e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--c113e24b-80f7-411b-9732-463e23b1c1c5", "created": "2020-07-08T15:08:05.149Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--c199c78b-12f0-4937-960a-1c02930c15e4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--c1bcd7e8-889e-4fa1-8f1d-294232de6c09", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--8e3da953-ff61-4520-893f-afefe7d145e9", "target_ref": 
"campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--c32f7008-9fea-41f7-8366-5eb9b74bd896", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" }, { "type": "relationship", "id": "relationship--c350640d-2bb8-40cd-88bc-fce4fd13a9cb", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0d14ac47-7ba7-405e-8639-876bdd341841", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--c4311d62-e32b-4c24-aa4d-bc4dabd55c03", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--c46b87b5-c3ea-49d9-939d-815481c454f4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--c471d28a-8edf-497e-8905-217fe67b0c5b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dfbe8c4c-b5c9-4ac2-a2f4-a43a73d1d621", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--c5cc4f05-5afd-487f-8c82-f41bc8dcd43f", "created": 
"2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--c6086e1b-106b-457b-ae90-fbed7c725714", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace allows actor\u00a0to set the file times of any file on the system to a specific time, or to match any file on the system. ", "source_ref": "indicator--5580c978-1497-40a4-bdc3-756b841776b1", "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611" }, { "type": "relationship", "id": "relationship--c62a7356-6f6c-46db-93a5-f818fd65f2c3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--c6ac9803-adbf-490a-936d-f21d91d18018", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830" }, { "type": "relationship", "id": "relationship--c6fea36e-2019-451c-ab42-06e30a121300", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--c78ecf30-d3a5-4e72-bd4d-877c91146d08", 
"created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--c85c4505-5cb7-44bf-b3ac-82665de957f0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--c928c66a-c17b-48e9-a88b-d3958a0a3a09", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses DNS tunneling", "source_ref": "indicator--e12c095d-899f-415b-a29b-eeb6f630db70", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00" }, { "type": "relationship", "id": "relationship--c97a139d-18fe-4902-a46b-686002573966", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--c9c52d19-7e21-4de2-8e63-968b8ef51f9b", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Exfiltrates data to C2 over HTTP channel", "source_ref": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "relationship", "id": "relationship--ca2f70ae-7fa0-4817-8291-c7076e2b2803", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--ca49a799-3db5-41e7-b529-d3f3442ab388", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--ca74c75e-b861-4b54-b4f2-812d39e92c5e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--ca859310-a720-4389-9193-5a46b1173814", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--cae45069-8bb3-4ea2-813a-c1b427818397", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--caead389-4ef7-40a1-80f2-0501b3f88a63", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": 
"relationship--cb22c44c-e830-4f52-b42a-b52fd2fe4a1b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0a8741c9-240e-4a87-8d0f-7ced73cbd50d", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--cb25d6b0-4953-4854-9937-eef5828d23fc", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--cc047262-8b10-4f88-910b-bd2b83f2cdfc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--cc683d05-c44c-4898-821b-cff15009a508", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, { "type": "relationship", "id": "relationship--cd05d39c-63af-4795-8a46-301be042fd5d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": 
"course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--cd661a6d-47c3-4a99-9e5e-cddfd0c4bfa2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--cd8fb397-3250-41a9-b1a8-bb93cbd8999f", "created": "2020-06-08T16:18:35.184Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "so-cc-hujii-ac-il.ml", "source_ref": "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "relationship", "id": "relationship--ceff985d-163b-4f1d-aef9-f2f253a01e06", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--66779efa-ecc3-4e80-91b9-c584b171ebe6", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--cf02351a-64f3-48df-a8ea-a5d433b32548", "created": "2020-07-08T14:52:45.350Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--012e2d87-6c15-461a-bbdb-52bdb0d8f803", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--cf1c7aee-2def-4d8d-9f9a-d10c65a33fd8", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--91afba2e-8721-4751-abb5-89e4ea75d771", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { 
"type": "relationship", "id": "relationship--cfa2f5ea-addd-4d3b-acb9-e480e5f9f0cd", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--d0618c38-8036-4f51-964a-0162cd2132e6", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--ec689de0-d752-476f-bbce-7055b192d5fd", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--d1372eec-de9b-41a7-8106-a1968ae1fa9b", "created": "2019-10-11T20:03:22.770Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "uses", "description": "Malicious Excel file", "source_ref": "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--d18784d8-8b03-4db3-b7cb-1bbe55c07f1c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--513f7288-0f4f-49d1-8447-8664f065d798", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--d2156f81-8329-40ba-8b8e-51d33d655d29", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--3c52b486-9d0f-4197-890f-615001e6df35", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--d23e7be7-f451-4d56-886c-09a71992a7c4", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": 
"uses", "description": "kbs.exe", "source_ref": "indicator--e33849ee-529f-4c5a-ad26-96a190327682", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--d3239375-4ff0-4635-add2-233a25657d04", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--d39f4a91-0c51-4589-8050-7703e5ab5843", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--d3b4ab75-10fd-4373-9a46-1ebe9a13800b", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6", "target_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb" }, { "type": "relationship", "id": "relationship--d3d75b51-02f7-4af6-8b42-3c0f73fc4ee3", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--d3ea4e66-7802-4f40-bd25-48931b5a516b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.077Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "URL 
Filtering" ] }, { "type": "relationship", "id": "relationship--d42ad05e-6207-4fff-9c76-480a9c3d954b", "created": "2020-07-08T12:32:54.144Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, { "type": "relationship", "id": "relationship--d48116e3-9a46-41f4-8896-7ac344dd0374", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "i64.exe", "source_ref": "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--d48b71f3-d8c2-4777-9603-4074e119027a", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--d493a676-6071-4796-9d64-75d5b4b092ed", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--d5099dc9-b04a-4d8a-9326-59bc90512bbb", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--52139071-3ddd-4025-85a2-515004370eb1", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--d51cdbbb-2c99-4f69-9ecd-edf897914d5a", "created": "2019-10-11T19:58:04.738Z", "modified": "2019-10-14T14:34:42.539Z", 
"relationship_type": "indicates", "source_ref": "indicator--ed7365d8-f542-444a-8224-60221233acfe", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--d56c43a6-f2e7-4423-bf4f-c06037c99854", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--d5759b48-4fc5-4ae3-be70-ad24cea62cf3", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "Local.exe", "source_ref": "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--d61fdf00-8d63-4903-8e29-76f9648e53f3", "created": "2020-07-08T13:48:13.333Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Custom Mimikatz sample used for dumping credentials.", "source_ref": "indicator--adb01a10-e1b9-4724-88fe-d6758d2254c6", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, { "type": "relationship", "id": "relationship--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "relationship_type": "uses", "source_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c" }, { "type": "relationship", "id": "relationship--d6eab405-2a90-4981-bd25-0b161f1bc116", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "attributed-to", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": 
"relationship", "id": "relationship--d6f9da53-fe2a-499f-9471-1df1eed38cc6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--d721d21e-9965-4a73-8ebe-003d4a5fae81", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--d72ff809-76e2-4d25-bbfc-14a6a1610eff", "created": "2020-07-08T14:53:08.383Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. 
", "source_ref": "indicator--a91d113f-f89f-4a43-af44-57266ba0d07c", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--d7d92773-75a6-4553-82db-3bccded96f4e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--d7de275c-da2c-4fce-bc7a-a4e1ffca15b1", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Adversary uploads and installs IIS backdoor (RGDoor) via webshell", "source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a" }, { "type": "relationship", "id": "relationship--d8581b07-931f-4399-8cb1-dd9accd45def", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--d88a9aba-3c00-4189-a2ca-5ca7e5577365", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--d91a7927-dfd6-4ef8-8f19-9a6726e40cab", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": 
"attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--d93d0119-2d8e-41d6-ac29-015dfbf07bd9", "created": "2019-10-11T20:03:10.413Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "uses", "description": "Attachment names and email subjects", "source_ref": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--d950846d-047e-4d7b-9a4b-65544c339f78", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:30:31.512Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--d9764754-3b10-4097-8a3b-e1b8a0d1d8dc", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--d97d8d18-4a5f-4e76-9ae7-54b14b5d3b1f", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--882830ad-a601-4405-bab1-54a28ab4bc86", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--d9f1147f-d336-467e-a7d2-40fc8fbcb818", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--da77a138-b0fb-4cc6-9ca5-84115a76d59b", "created": 
"2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--db3724b7-a80a-4d65-b0e9-94456775365a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--db8fd0d3-52d8-4f70-96c6-9a9a460851f3", "created": "2020-07-08T14:50:23.304Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and exfiltrate data. ", "source_ref": "indicator--28ddd8f2-72d0-4c05-a72b-4927f9b4a3ef", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--dbf0d2b5-634c-4a8a-b63a-d54c83ff4f6d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--dc089360-5c0a-4e02-a752-a966b11c6b98", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--dc247510-7fa0-4a04-ab32-52e4a30d0054", "created": "2020-06-23T19:50:42.481Z", "modified": 
"2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--dc6520e6-8e84-480e-b99b-a3a514d61cf2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49790670-d365-43f8-a906-8e45c3c80f63", "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--dd20c1bf-2766-4e8b-bfe4-591e10f596fc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--dda1c44e-6c76-4857-b193-d6af9e734b44", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--de0567ed-904f-4040-a5d0-5c4565d5e4dc", "created": "2020-06-08T16:14:51.935Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647", "source_ref": "indicator--e0300bff-605a-4969-a37f-01e1cd22a05b", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--de68c70f-1e7b-4188-889d-adc0c03c6122", "created": "2018-08-03T20:30:53.040Z", "modified": 
"2018-08-22T12:34:11.223Z", "relationship_type": "uses", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, { "type": "relationship", "id": "relationship--de8e6a5f-70cd-4f01-9604-a9cfd6f6e5bc", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--de97227d-28fe-4018-a09b-d25d2faeebe8", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--df77937a-4b4b-4ffb-90d8-7a548a869923", "created": "2020-07-08T13:48:53.808Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Powershell Downloader", "source_ref": "indicator--e0350011-872e-42e4-97e6-a82a419291ee", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736" }, { "type": "relationship", "id": "relationship--dfcd4fbd-1c9f-4955-8237-0c863dd576a7", "created": "2018-08-06T23:12:07.007Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 check host network configuration", "source_ref": "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" }, { "type": "relationship", "id": "relationship--dff31701-7901-4b3d-b101-fa3f535c90eb", "created": "2020-07-08T14:53:50.909Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography to hide and 
exfiltrate data. ", "source_ref": "indicator--30745f2a-676c-4f48-8677-7382d24ed21d", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--e0224fd2-3ee7-450c-a37d-1511ab34d917", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--e06080e5-b96b-4dd9-99e6-a50daecd14b3", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e0869000-4bb8-4018-9abc-f63dec086ec2", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--e0aa4771-9c3a-4996-97dc-a3a763b6d9e0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--e118cfb8-0e30-45e2-a1fd-e42b476c4682", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": 
"indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--e1a0b9cf-3611-48f1-bfa0-1100f585fe8a", "created": "2020-07-08T13:48:13.333Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--adb01a10-e1b9-4724-88fe-d6758d2254c6", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--e1c4ed76-8448-4b84-800a-515ddd3b1f43", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--e21c2996-8c3e-4973-8d61-9488387fa9e0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--e2d3f2df-996f-42a3-b698-f90274a51e1f", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e35a2886-fa3b-454a-827d-67b76ebf2e1b", "created": "2020-06-09T12:08:13.839Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "source_ref": "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5" }, { "type": "relationship", "id": "relationship--e4a35d4e-1942-4dd8-a5bc-4908c4ff5649", "created": 
"2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--e508a10c-5f36-4c8e-8499-5f6137b285b2", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "51.254.50.153", "source_ref": "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--e536e5bb-9af5-4b28-85e6-5e988f4619a5", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "94.23.172.49", "source_ref": "indicator--a748b2fb-cef6-449a-9884-4d3342467796", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--e53951fc-4302-403f-bf90-9d566d9dad2d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--e540b61d-c40c-4c19-bb4f-19ab06d2df28", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e33849ee-529f-4c5a-ad26-96a190327682", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e57c011f-57bf-4dd9-b419-e96d79914c3e", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "target_ref": 
"attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--e5b8cb25-3d59-42b8-a3bc-5a943abb087a", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--e5cde892-87b2-46cf-87a8-6d0108179688", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e6217985-61f4-48b3-a618-6c47cc5f682c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--e68f72a9-ea79-4ba2-a1a3-ed11671c1427", "created": "2020-07-08T14:53:08.383Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--a91d113f-f89f-4a43-af44-57266ba0d07c", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--e6919abc-99f9-4c6c-95a5-14761e7b2add", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--e697b87f-6c84-4447-b34b-47d98e63f2ba", "created": "2020-07-08T14:08:46.136Z", 
"modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--06aee4da-bcca-4234-8b1a-35741adf2d67", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--e6ac508a-9dce-4f28-be0e-02252de0c763", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e76e88c8-699a-4eeb-a8e5-3645826d6455", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:56:13.483Z", "relationship_type": "attributed-to", "source_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "target_ref": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b" }, { "type": "relationship", "id": "relationship--e777e1ca-7852-4827-9024-a8a4dfd7c05b", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth C2 checks local users and groups via the net application", "source_ref": "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, { "type": "relationship", "id": "relationship--e77e7044-d492-4e54-a6ec-db96f7407579", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--e793a5f2-02d9-41fd-a0b1-b96ad9926ab6", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:17:26.139Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "target_ref": 
"attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--e7d9db31-76d3-42f3-9bf5-7e82f04c597d", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--e85122c4-bae0-4edc-9627-648d203a69da", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--e886c2be-b2d0-44b8-9fd0-3f7810a8fed1", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--e89a861a-f916-4552-81f5-22a894efa1d0", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "PsExec.exe", "source_ref": "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--e8cc7686-6f82-4c3f-ad8b-d8a030312d28", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--ea19efd2-14d6-44c2-a0de-309de3ca1fb4", 
"created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--ea30ae8f-b7f4-496b-b29d-477e6b22e56e", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--ea85612a-c20a-4d37-8240-a38c9940feb8", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--ea9fbaed-5cd1-4fdb-999f-a3980c43c506", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--eb3230f0-a4c8-41b9-a054-86543fef0e4d", "created": "2020-06-23T19:50:42.481Z", "modified": "2021-01-06T19:31:07.530Z", "relationship_type": "mitigates", "source_ref": "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--eb487ab1-ef76-41bf-a00b-bf1af8994de7", "created": "2020-07-08T14:52:45.350Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "RDAT uses steganography 
to hide and exfiltrate data. ", "source_ref": "indicator--012e2d87-6c15-461a-bbdb-52bdb0d8f803", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842" }, { "type": "relationship", "id": "relationship--ebc231e8-2c5e-4fe7-9d9f-4ed63cf7ae86", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": "relationship--ec541cc1-362b-42a9-8f52-354709506a10", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497", "source_ref": "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--ece9acf9-34a3-4dd8-b434-a294a086ce3a", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Helminth saves files containing data to be exfiltrated to C2 in a specific directory", "source_ref": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4", "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, { "type": "relationship", "id": "relationship--ed0a8d3a-3efd-480f-94e0-497266cacf8b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--ed11bc15-c9d0-47ec-bd9e-d9047044e3b3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", 
"source_ref": "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--ed7c1bda-808e-4af0-b998-13c509e5d942", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--ed8b1668-7a2d-4537-a24a-99ae0faee4ab", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Tasks created by malicious macro to automatically run OopsIE every n minutes.", "source_ref": "indicator--e28f89fe-377d-44cf-a486-e8b84af20737", "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, { "type": "relationship", "id": "relationship--ee18d2b5-5598-48ee-903d-69ca858626d7", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--ef02aa8d-cf3d-4426-881b-6a4d6ed07a82", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--ef3dabcc-b1de-4d09-a35a-68b197909056", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "target_ref": 
"attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--ef625e99-8820-41c6-a87d-751fdcb78cef", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--efbc10dd-778a-4f84-9c78-b62ce3fadf64", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-12-17T01:15:42.233Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--eff1e78a-dcae-4ba9-ad24-6bd832e1844d", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": "pl.exe", "source_ref": "indicator--02e254af-73f9-4630-9a4e-350297d86505", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--f0026eb9-bfad-4036-b310-47d882260c23", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--f0a81c5b-9be4-4471-a400-e25558aa6c84", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--8795c03c-3d57-4402-8ae5-4de697194f90", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--f174d81d-7b57-4996-9617-765692b22593", 
"created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--f24faf46-3b26-4dbb-98f2-63460498e433", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433" }, { "type": "relationship", "id": "relationship--f2d8ff20-ffc1-4e1e-b2b0-19ccc5f8c74b", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--f35e4352-9493-4ad7-9f48-f2a270e3dbc1", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--f37081eb-70dc-4915-87da-5a8e26b5add3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--f389d990-2355-45bf-bf0f-cbd4886728d1", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": 
"indicates", "source_ref": "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--f56e50ec-bd65-47f2-9fb9-b6778c6305ba", "created": "2020-07-08T14:59:11.264Z", "modified": "2020-07-13T13:45:02.011Z", "relationship_type": "uses", "description": "Related infrastructure.", "source_ref": "indicator--20903cd9-29c1-4a41-9202-c1b473f1855e", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6" }, { "type": "relationship", "id": "relationship--f67f22a3-508c-448c-a8f7-976d066d32bf", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--f6cec54d-6e32-4c30-a2c2-fc83d1a35fca", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--f723e75f-9ec3-4d19-b16f-473839dbd5bf", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "relationship_type": "uses", "source_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "target_ref": 
"attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00" }, { "type": "relationship", "id": "relationship--f77a4f46-691d-443b-a928-f70b8ce58f88", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--f77acdaf-e8b7-4911-837b-ceb035f70889", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.409Z", "relationship_type": "uses", "description": "92.222.209.51", "source_ref": "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--f82cc0ac-100f-438d-b4f0-c7f1a0478477", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--f85a48f8-cc16-4676-bf61-27934057174f", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4", "target_ref": "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c" }, { "type": "relationship", "id": "relationship--f8704bfe-566b-4a4b-8b83-7290ed8a2a97", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.809Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "x_panw_coa_u42_panw_product": [ "DNS Security" ] }, { "type": "relationship", "id": 
"relationship--f879d51c-5476-431c-aedf-f14d207e4d1e", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "relationship_type": "uses", "source_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" }, { "type": "relationship", "id": "relationship--f90f0fdd-df33-4c66-8c22-d44c774e783c", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--f911034d-d086-442f-b7eb-c4c298b8b9e3", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "x_panw_coa_u42_panw_product": [ "Cortex XDR Prevent" ] }, { "type": "relationship", "id": "relationship--f933464c-3714-4e46-9db5-0b0c4aee2536", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:12.606Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--fa3ddbb1-4ca1-45f5-b671-092e185f27ce", "created": "2019-10-11T20:01:42.652Z", "modified": "2019-10-14T14:34:42.542Z", "relationship_type": "uses", "description": "Decoy document", "source_ref": "indicator--a0012b87-ad05-4c74-a014-9957d1795397", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597" }, { "type": "relationship", "id": "relationship--fa674092-f74f-4c98-bd92-638b6a389467", "created": "2018-08-03T20:30:53.040Z", "modified": 
"2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--fb2588e8-7aa5-4f5a-9eee-6fb8d7cd4f04", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--0853a871-de52-40f0-90cf-0d8069892c9f", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--fb470946-bb6c-4b44-8b12-3719b44be6a0", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--fb67941d-e8c0-48e1-a553-9ea87c850994", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "Uses DNS tunneling", "source_ref": "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00" }, { "type": "relationship", "id": "relationship--fbdbc7a5-242c-4f8b-9345-2f2f1a438451", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.074Z", "relationship_type": "mitigates", "source_ref": "course-of-action--51bcc0dd-f051-4786-aa93-429358ea6238", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "x_panw_coa_u42_panw_product": [ "XSOAR" ] }, { "type": "relationship", "id": "relationship--fbe527ff-39ba-4332-a324-bf9aff873f46", "created": "2020-06-08T16:19:37.692Z", "modified": "2020-06-10T20:29:03.408Z", "relationship_type": "uses", "description": 
"497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3", "source_ref": "indicator--6016872c-11c6-459c-ac21-9692adcdcca0", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "relationship", "id": "relationship--fd03c24c-7334-472f-8f8a-2941e34a7e47", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136", "target_ref": "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455" }, { "type": "relationship", "id": "relationship--fd37acab-8903-45ae-8194-47ee81cd0681", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "NGFW" ] }, { "type": "relationship", "id": "relationship--fd532071-ef74-46cb-bb46-c7df4102b3e9", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--fd706729-53ad-4aa0-ad40-c5ff4470e61a", "created": "2018-08-03T20:30:53.040Z", "modified": "2018-08-22T12:34:11.223Z", "relationship_type": "indicates", "source_ref": "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88", "target_ref": "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec" }, { "type": "relationship", "id": "relationship--fe120dbc-2812-4e78-aaf2-c4ef5fbfea69", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.079Z", "relationship_type": "mitigates", "source_ref": "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", 
"x_panw_coa_u42_panw_product": [ "Wildfire" ] }, { "type": "relationship", "id": "relationship--fe9303d8-250d-4cc0-9dc1-64663569dcb5", "created": "2020-07-08T14:05:07.254Z", "modified": "2020-07-13T13:45:02.010Z", "relationship_type": "indicates", "source_ref": "indicator--e0350011-872e-42e4-97e6-a82a419291ee", "target_ref": "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116" }, { "type": "relationship", "id": "relationship--febf391a-1d95-4d2d-83d6-876b2a7529a8", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.076Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--fed2cb9b-d85b-4ed8-aaac-9b18d8486e5f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:39.449Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--fedefb69-e8ba-4c75-9790-d1d7711572ba", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:18.110Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--fef6f410-1d0b-4cf0-8b94-1f2ac468c05f", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T13:02:55.808Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "target_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", 
"id": "relationship--ff20c82a-9245-4464-bdc8-4044f8bd9cbb", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.080Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "relationship", "id": "relationship--ff4b1594-350f-42f4-97e2-db922fbb461d", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "TwoFace contains the functional webshell in encrypted form", "source_ref": "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, { "type": "relationship", "id": "relationship--ffb0ef55-8441-40e9-998b-1da68705b412", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.075Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "x_panw_coa_u42_panw_product": [ "URL Filtering" ] }, { "type": "relationship", "id": "relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c", "created": "2018-08-03T20:30:53.040Z", "modified": "2020-06-24T16:21:04.243Z", "relationship_type": "uses", "description": "ISMAgent C2 reports back system information ", "source_ref": "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" }, { "type": "relationship", "id": "relationship--ffe10911-b111-486d-93b0-a3f55ee553f4", "created": "2020-06-23T19:50:42.481Z", "modified": "2020-06-26T19:00:11.078Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "target_ref": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "x_panw_coa_u42_panw_product": [ "Threat Prevention" ] }, { "type": "report", "id": 
"report--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:10:08.765Z", "name": "first", "published": "2019-10-11T20:10:08.765Z", "object_refs": [ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "campaign--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "course-of-action--0a8741c9-240e-4a87-8d0f-7ced73cbd50d", "course-of-action--19313cf2-7b61-4748-ac31-8db430033837", "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "course-of-action--3f6f590f-2752-40d2-8cfa-1e833435bbf6", "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", 
"course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "course-of-action--58d4b1e7-a7d1-45d8-855b-b5e13ace3dba", "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "identity--c7e23c62-8c87-4584-9787-2cffec8414ce", "indicator--09a93c5a-e410-4a1d-a3a9-39c5d634b766", "indicator--131a36f4-f5ce-461c-b633-8f555ec191fb", "indicator--182761bb-1d21-4ed8-909c-a0b6a2e09ce4", "indicator--2115ea65-8275-49bf-bbf9-d3d7e4d204d5", "indicator--4536e0b1-c2e6-42c2-bcf5-000f0df72eea", 
"indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "indicator--6ab420c2-4bed-4281-9da4-790bf0065e81", "indicator--8795c03c-3d57-4402-8ae5-4de697194f90", "indicator--882830ad-a601-4405-bab1-54a28ab4bc86", "indicator--9daeba2e-bb3e-443b-95d1-fbc0428932a9", "indicator--bf094398-e075-4b6d-99df-2dbcee3ef39d", "indicator--c258f33d-57c8-458d-9d77-7cd8bf1e264a", "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "indicator--cd473c0f-1c24-4b67-800d-7447aec8079a", "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "indicator--dd45ed80-44ee-4d88-b122-e6a9a863b5f9", "indicator--ec689de0-d752-476f-bbce-7055b192d5fd", "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "malware--3f0d13a9-3ff6-4d48-8060-55b6f1e6bedb", "malware--a233f5c3-53d4-4196-a1a3-a74151abd524", "relationship--02c46d2a-3676-4929-ae28-b10cc3cf258b", "relationship--02c91cc9-6b95-43bb-a40a-7cf3075f93a4", "relationship--03d7999c-1f4c-42cc-8373-e7690d318104", "relationship--055e43b5-638c-4525-94f6-5a31d078f563", "relationship--05f41c44-8180-4a23-9eb5-db4551ea4090", "relationship--075e72ca-b0dc-4d70-b68d-cfd4e478d017", "relationship--07adbd5d-12a8-46f2-b38b-772754668b90", "relationship--07d1feb5-6575-40ac-8df0-9b7c169a2b29", "relationship--08d568cf-cade-4f97-ad20-2ce0d976011d", "relationship--098b5e44-9cf7-4fe6-9bab-cb443e7d352e", "relationship--0aaba814-33a9-4dad-a654-b32d87ab907e", "relationship--0f653c28-3ff7-4d1e-96ca-edb4cf632a29", "relationship--11ae589e-a755-491d-8374-5b5def0389cb", "relationship--127390be-0ff7-4f80-8a26-6bcac47581f5", "relationship--15dbf668-795c-41e6-8219-f0447c0e64ce", "relationship--160ed6e7-b00c-4d8d-88ad-f6e807480ba4", "relationship--1753a9b0-9ce7-40f2-abfc-9cbdd111c1a9", "relationship--19f310d3-6ddd-4aa0-9a34-9c691dc3facf", "relationship--1d0caee9-876e-4c4e-91af-c709788cbaef", "relationship--20abd688-0b68-4930-90d4-512505ab640d", "relationship--22a6c66b-08b3-49ff-a5e3-af9063a2d609", 
"relationship--2379ab55-92b4-45a8-aa89-5da8f302d1a9", "relationship--27c8933d-2eff-4304-beab-76004e389345", "relationship--28a5a536-2f5f-415b-a268-79bb7b2d7a1c", "relationship--2b3b6a2d-c8af-4ad2-8a67-5114108156a5", "relationship--2e34237d-8574-43f6-aace-ae2915de8597", "relationship--2fe72a9c-2bed-4f6b-8fcc-a19cb266e8b9", "relationship--30208d3e-0d6b-43c8-883e-44462a514619", "relationship--302d533a-d8d4-454e-b5c1-8252d7c71f02", "relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1", "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6", "relationship--3563da55-300f-46e8-bc8a-fd9d910e4aed", "relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "relationship--36239699-f2ea-4131-9154-656ab8f94788", "relationship--3654e0f4-2dd0-47dc-858b-3de3acc37c44", "relationship--365e252d-d64f-477d-9f21-e171ff5c6485", "relationship--380efc20-d11f-48c3-b5c8-8cf98841cef2", "relationship--3922ea85-cf50-4d3e-becc-01d0c1efc307", "relationship--3a3f4a27-177e-4128-be8c-a54f7535e6bf", "relationship--3abed9e3-31c2-47da-9967-482c8f6bf2e4", "relationship--3b4a4bd3-bf20-426b-bf9d-930963fa731d", "relationship--3b4d3dd1-df77-4267-8fff-9eda563fe60e", "relationship--3f09d478-8ab3-4438-ba45-cc863a830d93", "relationship--418eec9b-ca2d-48d6-92cc-7cf47b159e8c", "relationship--450c6745-0fa7-4773-8a98-4d7f982a9209", "relationship--470c322a-59d2-4659-8d15-58a73ec8353d", "relationship--4a353e98-35b0-42c0-827d-2032f0b6ea46", "relationship--4a731c53-d7f8-444f-8a04-af2b60b097c5", "relationship--4b274066-c8ce-4094-9bdf-623cef6fe84c", "relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96", "relationship--4ce02538-c986-46b2-a440-bcef6bf02450", "relationship--516d842c-508c-4032-a6e0-0b72ccaa0ae3", "relationship--561c2626-a140-4da4-8ae6-a5e65a09ccfa", "relationship--58eb7e95-bc30-4658-a50c-eb9d044bc4d4", "relationship--5b751821-2cf5-4aba-953c-fd7b86826555", "relationship--5d8c7c15-3ce4-46a2-8f8e-0a8609e9c55d", "relationship--5e5ebce5-219d-4b25-b272-8dff82ba5039", "relationship--5ed807c7-29cb-4c7a-a59c-4dee9973d679", 
"relationship--668255ab-8f2c-4ea7-af6f-8ac4f1101a71", "relationship--66c7f1b0-7e4b-4bcb-90fb-fcbc1bb431f2", "relationship--6846ada7-0a47-48ac-89f6-df9deb5d00b4", "relationship--6a5ff5bb-8171-4eda-89c2-6ea5fe93aef5", "relationship--6ab3a547-6afb-4ae2-b4c7-9ab9c45de5e0", "relationship--6bf9f309-42d8-4690-8828-0e4943ec6114", "relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0", "relationship--72020d0d-b6dd-4369-85b6-a294fde2b922", "relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "relationship--741c9fc7-da67-4f53-82bd-74876ab07ebb", "relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d", "relationship--7a090b7e-66a8-49b1-8b83-41ba7f9474ee", "relationship--7a3c7b51-e2d1-41e3-ba09-0ccb3f29a5db", "relationship--7cf3b3c7-a098-4e98-9071-c7cb2b657191", "relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "relationship--81a1034e-9b48-4567-8fd6-d86d1b926c41", "relationship--84b58393-1a52-4a76-96a8-4b3e3d75574a", "relationship--85b2df26-1dfc-4438-bc83-211c9a614b7e", "relationship--874395b6-5a6f-49b1-ad27-1680a6566919", "relationship--877e437e-a9d2-46c5-9594-b63b51ff95d1", "relationship--8a1a1a65-1121-4549-ad81-ee11fac08c99", "relationship--8a7f1679-bd76-4ef0-bcf5-9e596bcd4ae6", "relationship--8a83132d-0a30-4cae-aa27-88feef4e229a", "relationship--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "relationship--8c3a203a-c8a0-41cc-9301-8dc44b850b0b", "relationship--8d09c69f-a197-4070-8f6d-65389b15606a", "relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "relationship--8ffcfda6-33ef-4fcd-ba11-afce2a26b2b3", "relationship--91b32542-ec28-4df5-8c6f-e1e7024d974b", "relationship--923ab233-67f6-490b-b50b-e4850d179ba4", "relationship--92a95493-fa51-4321-9cfb-135e69b3191a", "relationship--94df8915-193d-4b00-b530-7ec3b4f0dd7c", "relationship--9d7f6452-2793-40cb-ab38-966196d1b12b", "relationship--9ed809cb-6ffa-4edc-8914-97ae7e43c75f", "relationship--9f3246bb-dab4-4722-add7-40fa0cc722df", "relationship--a30567ca-29b2-45f0-bdf9-d0f3f7f2e4ba", "relationship--a32dbf7c-3d72-475d-a4d9-525b9d8399d8", 
"relationship--a4ae9bcb-1340-4e18-a0ac-0194d56d7384", "relationship--a553c146-1b1d-4cdc-863e-dcd19e7f5674", "relationship--a6220edc-b057-4a8b-b6ae-c62b203fd172", "relationship--a7f21a7d-072c-48ff-96e2-4e14b98e01c3", "relationship--ab0a9e07-5e5d-44a1-9f2d-5e0d2674ef44", "relationship--ad0aadbf-b691-4bf3-b26f-c5e505a553d0", "relationship--ad42f1ee-2fc2-4741-a9c2-224074c9d080", "relationship--adb4673d-a9e7-4984-ab1d-1701fa2362c1", "relationship--adf368c8-b965-4554-943c-291e77a226cb", "relationship--ae33522b-59ca-42d5-9cd0-28a61362d146", "relationship--ae847f0d-c6e0-4344-abe4-3a14d7c4e818", "relationship--af44a46b-84ce-4b3a-bede-d889c35c4499", "relationship--afd71914-e3ef-4ee1-b358-2388d8124165", "relationship--b0c9f423-990f-48c9-92e7-0cae81480a0c", "relationship--b22d96f0-fa4d-4614-ad7e-340076eb2047", "relationship--b44f392a-0db4-4f4e-900a-4cbbfd41238b", "relationship--b6080c1b-48c1-49f7-8b1e-11fade37f627", "relationship--b821961f-c079-4c4a-867b-77f9be241ee9", "relationship--b924249f-1ca8-4ea6-897d-db5187addc93", "relationship--b99c7a27-ba87-42ca-9af6-7d29be9274df", "relationship--bcf18721-0db0-4b01-96aa-50e0007cabac", "relationship--bf4d19f5-2ca2-4c6d-942e-ae85d56f3b0a", "relationship--c32f7008-9fea-41f7-8366-5eb9b74bd896", "relationship--c46b87b5-c3ea-49d9-939d-815481c454f4", "relationship--c5cc4f05-5afd-487f-8c82-f41bc8dcd43f", "relationship--c6fea36e-2019-451c-ab42-06e30a121300", "relationship--c78ecf30-d3a5-4e72-bd4d-877c91146d08", "relationship--cb22c44c-e830-4f52-b42a-b52fd2fe4a1b", "relationship--d0618c38-8036-4f51-964a-0162cd2132e6", "relationship--d1372eec-de9b-41a7-8106-a1968ae1fa9b", "relationship--d3239375-4ff0-4635-add2-233a25657d04", "relationship--d39f4a91-0c51-4589-8050-7703e5ab5843", "relationship--d493a676-6071-4796-9d64-75d5b4b092ed", "relationship--d56c43a6-f2e7-4423-bf4f-c06037c99854", "relationship--d721d21e-9965-4a73-8ebe-003d4a5fae81", "relationship--d7d92773-75a6-4553-82db-3bccded96f4e", "relationship--d93d0119-2d8e-41d6-ac29-015dfbf07bd9", 
"relationship--d950846d-047e-4d7b-9a4b-65544c339f78", "relationship--d97d8d18-4a5f-4e76-9ae7-54b14b5d3b1f", "relationship--d9f1147f-d336-467e-a7d2-40fc8fbcb818", "relationship--dc089360-5c0a-4e02-a752-a966b11c6b98", "relationship--e21c2996-8c3e-4973-8d61-9488387fa9e0", "relationship--e4a35d4e-1942-4dd8-a5bc-4908c4ff5649", "relationship--e57c011f-57bf-4dd9-b419-e96d79914c3e", "relationship--e6217985-61f4-48b3-a618-6c47cc5f682c", "relationship--e777e1ca-7852-4827-9024-a8a4dfd7c05b", "relationship--ea9fbaed-5cd1-4fdb-999f-a3980c43c506", "relationship--eb3230f0-a4c8-41b9-a054-86543fef0e4d", "relationship--ebc231e8-2c5e-4fe7-9d9f-4ed63cf7ae86", "relationship--ece9acf9-34a3-4dd8-b434-a294a086ce3a", "relationship--ed11bc15-c9d0-47ec-bd9e-d9047044e3b3", "relationship--ef625e99-8820-41c6-a87d-751fdcb78cef", "relationship--f0a81c5b-9be4-4471-a400-e25558aa6c84", "relationship--f24faf46-3b26-4dbb-98f2-63460498e433", "relationship--f37081eb-70dc-4915-87da-5a8e26b5add3", "relationship--f67f22a3-508c-448c-a8f7-976d066d32bf", "relationship--f6cec54d-6e32-4c30-a2c2-fc83d1a35fca", "relationship--f723e75f-9ec3-4d19-b16f-473839dbd5bf", "relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00", "relationship--f77a4f46-691d-443b-a928-f70b8ce58f88", "relationship--f85a48f8-cc16-4676-bf61-27934057174f", "relationship--f8704bfe-566b-4a4b-8b83-7290ed8a2a97", "relationship--fd37acab-8903-45ae-8194-47ee81cd0681", "relationship--fd532071-ef74-46cb-bb46-c7df4102b3e9", "relationship--fef6f410-1d0b-4cf0-8b94-1f2ac468c05f", "relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c" ], "labels": [ "campaign" ] }, { "type": "report", "id": "report--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T20:13:34.064Z", "name": "third", "published": "2019-10-11T20:13:34.064Z", "object_refs": [ "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611", 
"attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "campaign--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "course-of-action--21ce34c9-4220-41cf-85c7-bc289bb2c79d", "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "course-of-action--49790670-d365-43f8-a906-8e45c3c80f63", "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "course-of-action--513f7288-0f4f-49d1-8447-8664f065d798", "course-of-action--51bcc0dd-f051-4786-aa93-429358ea6238", "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "course-of-action--60e78a97-dcc6-4d67-a310-ed7f16e0218a", "course-of-action--66779efa-ecc3-4e80-91b9-c584b171ebe6", "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "course-of-action--89afe221-157a-48b1-a9b4-830eeba1bd5f", 
"course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "course-of-action--dfbe8c4c-b5c9-4ac2-a2f4-a43a73d1d621", "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "identity--e407f512-c6e0-4b10-9017-e1f19cef983f", "indicator--0288c52e-7bd4-476f-9e29-534a122d173f", "indicator--02a7d94a-1fab-4d16-8d55-597d3ec6379e", "indicator--02e254af-73f9-4630-9a4e-350297d86505", "indicator--0809240c-9ec9-4002-8846-f30a7915eb4e", "indicator--0853a871-de52-40f0-90cf-0d8069892c9f", "indicator--0d14ac47-7ba7-405e-8639-876bdd341841", "indicator--0e9934f4-e2df-42f0-9964-0d03836329e1", "indicator--0f75c726-1b4a-4eb9-8749-fa89af8f6d2b", "indicator--10a18683-9321-4647-97e7-5ca864d9ecb7", "indicator--112bb219-3133-4c6f-9e29-3efd820d9612", "indicator--13776d10-7c53-4f1e-ab29-5415d50486f7", "indicator--13d221b8-4f3c-44d1-a010-a0e849c3fc56", 
"indicator--1534513c-33cf-4462-b102-7f7ba0a3eda8", "indicator--15905560-f7fc-4a6b-a9d8-c5df9bf3b17b", "indicator--175fda21-0fe8-4cc0-a276-8ef03b099d8d", "indicator--1a6d1c72-b27c-40e2-813a-fb8395b800b5", "indicator--1b6c1677-d260-41b2-b11c-7db4b1f402c1", "indicator--1cda5ec5-3f45-4ca4-86fb-406cccce75a0", "indicator--1da4e7ce-10ab-47ec-ad5a-673887f15f01", "indicator--1dd724ec-3747-4a81-bbb4-bb5fab167487", "indicator--21afa13a-d6e4-46ec-8539-68ec5c723ed5", "indicator--21b40f68-e0e8-4497-bc7f-63f7b7b9c9dd", "indicator--272c2c5d-1779-49a1-8990-c8fdfe2d2bb2", "indicator--3a30e2d8-c1d8-4211-ae3f-cd7fe280c890", "indicator--3c52b486-9d0f-4197-890f-615001e6df35", "indicator--45680f4c-a738-4515-ac9a-7b9852526159", "indicator--4a43354a-b58b-41e0-b2b6-d2a8e97bf54d", "indicator--4b396d52-fb1d-4681-a6e1-a4b7f43dfb5a", "indicator--5162b82b-ad9e-42fa-8fca-1ce50fb2db3a", "indicator--52139071-3ddd-4025-85a2-515004370eb1", "indicator--53176466-cbfb-47ab-a2ad-a7653da9ab1b", "indicator--5580c978-1497-40a4-bdc3-756b841776b1", "indicator--59424cdc-40b1-4137-bc2b-9fe18decf7ca", "indicator--6016872c-11c6-459c-ac21-9692adcdcca0", "indicator--605e63fe-aa3a-490d-b71b-936fca21dc3d", "indicator--605f4247-c18d-407d-bf86-9973adf2995f", "indicator--61701bc9-c9d8-44fa-a452-c9fbe15dcf88", "indicator--62a8dbd4-adfd-443f-9042-8f92e7ea0384", "indicator--685a33e8-a147-4a60-8e7e-9e3e6855ca43", "indicator--70b13368-9612-437e-a2fe-206b51ccdce4", "indicator--793e3414-7023-4bd6-8d03-def9852cee0f", "indicator--8a03e9a0-15ea-40cd-9473-c5cd35d7f285", "indicator--8aba6285-00ba-4a83-a366-8c634228c80f", "indicator--8e7b95cc-58c0-4f3b-8118-c11a85d90044", "indicator--90b9a557-b2f4-4076-b760-fd7ed5da29d1", "indicator--9c4ebb07-7590-498a-91f0-ceeb677eb21e", "indicator--9d97724a-638b-4b7f-bfae-c3eb74b02a0a", "indicator--a21f7d93-f44b-4b89-9577-570c5281d5c4", "indicator--a748b2fb-cef6-449a-9884-4d3342467796", "indicator--a8e8ca2f-328e-4f45-af78-9281957f7739", "indicator--a9337ac8-cfe0-44db-8211-018b5a5f396d", 
"indicator--aaa55127-74e3-41c9-b1c6-7d9726372e18", "indicator--b1e04bb9-945d-4b87-98b8-e411f16a74d4", "indicator--b20d9819-1488-4156-aef4-02234af0f67f", "indicator--b6fc5d18-1bf3-46b2-a793-d15ac7ef2b57", "indicator--bf7a082f-e2a6-45d6-b8dd-bf056888f36e", "indicator--c1bb11ca-f3ed-45cd-8083-ee166fb72aa0", "indicator--c501abd1-62f0-4da6-91ee-bd6ef9391fdc", "indicator--c649ab0f-4fc3-487c-96b7-72f0f7baae11", "indicator--c7bfb666-66af-4dfb-9489-8e0d8fde3859", "indicator--c9cd916e-49ff-4e7a-96e8-c204b7a50750", "indicator--d1d3c0e5-cfa5-4388-a2c8-32a019951bf3", "indicator--d2258707-dbd9-4407-b6b8-5401e4c59b74", "indicator--d2a60762-9fb2-442e-a7d2-6f86b06cb970", "indicator--d4cc0533-2a26-4678-912e-e3ddb2c2abe6", "indicator--d7bdf4a0-0509-43de-895e-793994de8a0e", "indicator--db032d1a-c929-4c03-9099-fc08a6b1d1f7", "indicator--e19046c0-47db-42fb-a076-c7f2f3c112d4", "indicator--e2f1938f-2ba5-4175-9d9c-e6d7ff6fe9fd", "indicator--e33849ee-529f-4c5a-ad26-96a190327682", "indicator--e4589569-a46b-4cc1-99e7-41199f8d579f", "indicator--e9544c85-bc9c-48ff-8f6c-df64ed98073a", "indicator--ec7ec6dd-2d36-4ec1-aada-134c4670845b", "indicator--f119cf69-6230-4cea-ba31-9768f647b81a", "indicator--f52a5188-5bdb-4530-83c2-4bbc1c1cb741", "indicator--f54a9d8f-46bb-4338-97ed-19921f2ac82b", "indicator--f8a60d12-0bb9-4424-bacd-5d2628f72cd3", "indicator--fab07434-d3df-437c-95ef-b1b3d3c8d1e3", "indicator--fb13e76a-0266-4b12-99f0-1599532c2f3c", "indicator--fc65ae3e-1860-4bba-a2f4-f86f180ffebc", "indicator--fdc86d39-670c-4eb9-945a-daef21d35bea", "indicator--fe57191c-11cb-47b6-aeeb-f2b5d01ee788", "indicator--ffb49010-2a49-474f-8e10-81c129a94997", "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "relationship--0021f86a-b604-4cbf-b48d-ad778ce6fcf0", "relationship--002543e5-d85d-441c-99a3-c9be12e4f321", "relationship--002a932b-d4c7-46b0-91ae-3cb2fa6a8c96", "relationship--003fce1d-6a57-40d4-96c9-dcdfa14582b8", "relationship--00961737-3288-4c1f-a743-45fff7952105", 
"relationship--025263b6-efac-4cb4-a211-d3565a08157d", "relationship--04dd51c4-aaa5-4128-bf07-1e8ebfa23681", "relationship--05889549-3c49-4443-a33a-e33b89653774", "relationship--068ee331-72ba-45b0-9dc5-e785e116fdb4", "relationship--06abb6c9-7048-4047-89b3-f941c455a4d5", "relationship--076d5ade-2e17-4fac-9884-78e285587a0b", "relationship--07e0d758-6ce5-4f41-b4bc-7e85aa1c3d08", "relationship--082e36ee-bea7-4c54-a1ed-d58934bffbeb", "relationship--0940af0b-5578-4e51-b4a1-3d4b3b1b9544", "relationship--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "relationship--0b3a0467-4773-434a-9707-44b930eb54e6", "relationship--0bcb6a87-86d8-408f-bd39-9a1696d3959a", "relationship--0c5dd13e-ad1c-423e-89fa-2b8010d11288", "relationship--0d246a3a-aa03-41d8-b994-6ae14ffecd4f", "relationship--0d69a54f-2c9f-42d6-a328-55131ba7a328", "relationship--0dc9fe6a-99e9-43e8-8d62-163a06324b15", "relationship--0ee5ee72-1073-4158-bbd2-41f835d67a13", "relationship--0f2d8d9e-b04e-4f9b-bde0-993b8c50b013", "relationship--1013f916-605c-4203-ae25-b1701b4f94ae", "relationship--131b0239-0613-4260-a513-42cbe643063a", "relationship--13c938b2-52a0-45b2-a1df-3c67c2b8f410", "relationship--1461951b-7965-4607-b0c7-df32e59ad494", "relationship--14e32a01-2916-4348-a7a4-e6ab999cf24e", "relationship--15515310-419b-452d-8040-1f59b9443ae1", "relationship--1689721a-39e5-414d-ac1b-20bd084fa72d", "relationship--17ab2b13-a831-4bc6-9994-4cbedf31698d", "relationship--1bf22461-d9e5-4976-aaef-98b7fc7c69e0", "relationship--1bf349c7-b572-4d9c-b2cf-12f6bd9e980d", "relationship--1c47ce45-2ecb-4985-80e1-adc61b0671ef", "relationship--1d6a734e-37af-4531-81c1-479410d3af12", "relationship--20610904-7759-4410-94c7-4e7366846573", "relationship--20d2c714-b041-48c3-a3a3-20d9b9f7d1ba", "relationship--21675b90-de06-4e3c-9d53-5c1bea947222", "relationship--23252e05-4ae9-49b1-95d1-8346434481fa", "relationship--237cd050-242a-4745-8b86-645a7df117ac", "relationship--2394f246-58a7-44de-b7b2-b37ff0b3750b", "relationship--25937292-8d4a-47e5-ad8c-88ebfb948b1c", 
"relationship--262bc6f7-1167-4b5f-8f0d-622e9c38ce02", "relationship--279fb95d-05a7-449d-9ded-c66215063621", "relationship--2877930e-7351-4e4a-b14b-13b465bb1ebd", "relationship--2a7da7d8-a8c1-4131-b206-e4f9442eb3e5", "relationship--2b742742-28c3-4e1b-bab7-8350d6300fa7", "relationship--2deaa2ab-2c27-42af-bcd6-ca6931c6ed07", "relationship--2e74e182-c3cd-4e58-91dd-a0873839cb98", "relationship--2ebd1237-4d0b-4f29-9f82-634286bd03a3", "relationship--2ed033ff-baa0-4465-ac9c-5ada1d746ad5", "relationship--30979464-94ff-4da9-99ff-c24795cf9929", "relationship--3153a4d5-b2a3-4330-8090-6b10f0ede286", "relationship--345337e3-a082-44a4-aaea-12d1e06747bd", "relationship--3675a4d6-d1bd-4f11-b4a6-8b61e4155996", "relationship--36c01cdc-0150-400f-b650-ccdbe3219e0e", "relationship--36e32d47-d235-4e47-849b-6846dc8506d9", "relationship--376609da-e365-4dcd-89eb-addcaf73040b", "relationship--38f20f69-6786-445a-a582-8624b6bc4d9e", "relationship--3950e32e-d243-4f21-8cce-7938d4f3c9ed", "relationship--39e9bcea-563f-465e-bb6c-5b3e336822d5", "relationship--3a2707a4-e5a4-4974-b2eb-39ebda7eb01b", "relationship--3aff7d45-5158-4e28-ba65-fefe292f7286", "relationship--3bc00052-beee-4988-ab84-d16640a20c88", "relationship--3c86430c-b50a-4841-b720-33ed783fa150", "relationship--3cb61524-aff1-4690-852c-69b94bf739b9", "relationship--3d17a550-380d-4fe0-9089-de0d0c7cb96b", "relationship--3d924f97-d12f-4cb6-b163-08aac65a84e7", "relationship--3d957e59-d370-45ab-9304-cb6f1c92f49d", "relationship--3ded4025-95d1-4532-a2e0-3ae6d16a439f", "relationship--3e109704-122f-40cb-8733-94c97abbf78a", "relationship--3e6874a1-1144-4054-9097-7221832eab70", "relationship--3e7d830d-8acc-4c71-9592-72e75c537c61", "relationship--3edbe17b-a073-45b9-800e-a653c91e9cb7", "relationship--3f93cfb2-b920-453d-8660-3da132ebc45a", "relationship--406f16d7-17ac-4736-be4c-481a56e43d9c", "relationship--40813dcd-5d8f-438d-ae5d-c1192e4251fa", "relationship--41cfa6d4-6593-48aa-b742-332a5e45658e", "relationship--41f4f1b7-c79f-49ab-9a17-9ef02bcb1689", 
"relationship--41fabc5f-1954-4819-8e3a-18f796bc7a72", "relationship--439af09f-4105-4246-9e8f-af81fd51cdd2", "relationship--456ad893-84d7-4b0e-aca9-84ee81a31b08", "relationship--45ef6ecc-e1b6-4b37-a9e4-0d32e04bbe96", "relationship--45fd70e0-0e7a-42f0-acdf-950e23cc4b70", "relationship--47f2d673-ca62-47e9-929b-1b0be9657611", "relationship--4886e73d-48eb-4ebe-b234-bad694db5357", "relationship--49429187-47ff-4b3c-a54e-12c976af7e6c", "relationship--49b0fe85-3493-4c1c-a2f0-fa2734863fef", "relationship--4a0c67e6-098f-48e4-b92a-c09fc554c8af", "relationship--4a4eef49-e1e4-454d-83de-4b00a87ecaf0", "relationship--4a7439e7-4d43-47ee-8a39-f38519ee1f54", "relationship--4af5387c-a480-4c80-8063-883579fa81da", "relationship--4b1db881-eed3-4815-b396-eb1fa7816ff4", "relationship--4b914c99-5397-4d89-b99c-39eeeea96349", "relationship--4c931c47-5d1c-4654-85e7-65b36a0493b4", "relationship--4cb378a1-9fa6-499e-bcbf-8b7d48ab8e51", "relationship--4d66db34-db66-4644-8327-ba77168e30f1", "relationship--4db2c40f-18cd-440d-b849-3005efab7a98", "relationship--4e60ba1f-b3b5-43e6-b253-c1b4e3d7cf6f", "relationship--4ff1f6b5-25dd-4c09-b535-2f18965eb7e2", "relationship--51c8fc0a-a1a2-4279-8cb1-4a2b6611750a", "relationship--522ee958-3194-404c-9e03-3e254c597e11", "relationship--52582b6e-d1e9-4787-bafb-9cf118fd0721", "relationship--52727246-b6a9-45bc-9f6b-115c898a1374", "relationship--535c8c72-10b3-4437-bf1a-1f035cdbf19e", "relationship--5406f85b-9f3d-407e-b755-6b9fdc6358f9", "relationship--55d7b65e-8aed-49ff-9cec-dbad10e62c76", "relationship--56cb8cf6-6fb9-4159-9ec5-fe8aa33a769c", "relationship--58576c8b-7e2f-4c83-b18e-8fc144ceda40", "relationship--58915020-0e11-4255-acf9-a5777553b0aa", "relationship--5a0f3bae-f669-4fb8-8151-1f9f7752f8ac", "relationship--5b65f703-079a-45ae-b6c3-96f623f60576", "relationship--5c91db08-13d9-4413-842e-9d2cf4abd589", "relationship--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "relationship--5d22d838-1cb1-4204-9e1a-a55a754ffe59", "relationship--5e7ac4c9-46d4-42ed-b479-1d0b89c85cc1", 
"relationship--5e99bd2b-db13-40a1-9a21-ab96a7550beb", "relationship--5f30bbb9-42a6-4885-89a1-812411565d88", "relationship--6179156f-7bc3-4d4d-bde3-700ede4075a7", "relationship--65334b6b-c08b-4ff8-9a35-cdcb93a5c4aa", "relationship--658aa6f8-f50f-47f1-9ba2-1bb3aa56b990", "relationship--6605649a-eaf7-4025-99e1-bc9caa718b89", "relationship--66370308-0954-48a5-9724-f1b7c1afb131", "relationship--6638f553-1c27-4f9e-8794-39255ffef883", "relationship--67574375-12d6-4f45-8971-466d8ab2b6fa", "relationship--67ef5657-7e22-48b0-a313-d00695cdc39c", "relationship--685d35a9-5470-4234-a3af-39167a958782", "relationship--6a652326-3b3b-40e3-a5d3-18fbe111732e", "relationship--6aabc5ec-eae6-422c-8311-38d45ee9838a", "relationship--6b34c0cf-32cb-4d30-93cd-5d20e77bd905", "relationship--6b79d243-3344-486a-856b-9c80bbc9d7bd", "relationship--6c6ca1f0-9d52-4014-885b-17fde4d4ec90", "relationship--6f2c0b6a-9ab0-4714-8279-e6a11e3c0637", "relationship--712ba8e0-b0d5-4866-b66e-14ea23116924", "relationship--723d3c99-a17b-4767-9dd8-701270f67443", "relationship--7305e104-a7a9-4b02-8b14-b52d730aee8b", "relationship--7385dfaf-6886-4229-9ecd-6fd678040830", "relationship--74600180-26d3-43d6-bf4f-686aa5365eea", "relationship--74abc122-8d08-431d-947e-59ad1af5b87c", "relationship--752f7494-bf73-4a92-9a5f-d2300928354a", "relationship--75565046-3fdb-4d19-a368-231d564f8072", "relationship--7638658b-68c4-4786-aa80-3ecd52710bb3", "relationship--77586b2f-7b6a-4316-848f-85fa5f30dc74", "relationship--77f01a6f-1042-4503-bcf6-005a26b1aeb5", "relationship--7877f6f7-f6ff-4142-ada6-3b05b8825738", "relationship--78ac3d60-829f-4cb1-9b4b-80405cd87c41", "relationship--790040a0-6238-4ab7-b861-a0254cb6c25e", "relationship--798d3fdd-590b-4b01-a440-ba27c6d20f0d", "relationship--799e79ab-38e8-4eb6-9155-17c058541f6f", "relationship--7b553b26-a4d6-4463-bc2c-956c587cf54d", "relationship--7b7ee3dd-a6be-46f4-9c5a-68a56311c924", "relationship--7be13991-f221-48d4-b64d-ef1f343660db", "relationship--7c514ee6-0bc6-437a-840c-a2abd6a5bf5d", 
"relationship--7c725ea9-4bd5-40f9-8b20-6e9734a3f761", "relationship--7c78b490-5275-4de6-8983-5a8c7672eead", "relationship--7d0693b6-74c5-4004-adbb-0f81caad40c3", "relationship--7d35e1e9-fa37-4840-82ba-76445d4f2440", "relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "relationship--8120ab39-c19d-4f07-a867-97302f0f6952", "relationship--828a7d43-0e73-42ec-8edf-64aa679c3208", "relationship--83f16acf-7aed-47e9-b0ff-00859af381c5", "relationship--84fd2836-5718-4384-9379-ee114f3ed422", "relationship--850d6f45-7b76-4b1f-bf93-0fa011691b87", "relationship--85143f31-cafa-4a4f-a320-5474d1d89f84", "relationship--8819613a-5346-4fba-aec9-fc1d95298e7c", "relationship--898d677b-d728-44ad-a13a-a27b6267ec4a", "relationship--8afda0a0-8acc-4c9a-a422-2b083024addc", "relationship--8b221b67-e765-4bfb-81d0-fea9a458519e", "relationship--8f1b3064-da4d-4c3d-8158-df4a0dda0b24", "relationship--8f25d6a9-08cf-43bd-89e3-35133e5dd385", "relationship--8f69deef-fe37-44e8-b7b6-f268900dabf4", "relationship--9067bdd5-17af-4865-9288-f4abecd91519", "relationship--915f1e1d-f8c4-4c19-b52b-4a574d94dadc", "relationship--92525cb2-624a-4619-855f-7023a440b81f", "relationship--93fbb9c8-df84-466a-940a-55d0b1526c99", "relationship--958dc63d-aafa-4696-be3f-e6781ed6c7c7", "relationship--9639cfd6-c065-4df8-b100-91074c5f5d9b", "relationship--96cec984-85ac-4a83-aa3a-fc1e7ecd09db", "relationship--9706197d-53cb-43eb-baa1-6f32a7f41fa0", "relationship--972a8c19-2c44-4c52-a6db-171280d18880", "relationship--974a0043-f8cc-4d27-9153-5e6a9cf4ef8e", "relationship--989ee6d4-a36d-4add-9694-3b6333e58c0a", "relationship--98f45185-6e7b-46a7-a556-7d485db554c9", "relationship--990c5f1c-9af7-43ae-9787-a0728607969e", "relationship--99a1cd92-4f63-47ca-9a91-5e2bbda6cb0e", "relationship--9c58ac73-6e8f-40e1-a54d-323805ba0a22", "relationship--9cceda2a-532e-419c-bdbc-448bbddb9632", "relationship--9d3bfb47-df55-41dc-9e73-978bd6c2d815", "relationship--9d9548b4-5ee8-435a-b0cc-94387fc7634d", "relationship--9dd1066b-d388-4c09-8a2b-748e8452c87c", 
"relationship--9e2a3eea-7282-4a01-b4c6-936533794579", "relationship--9fdf5952-e551-403b-aa07-83132074b447", "relationship--a1a1e92e-7e0c-465e-8991-d196f5c519f1", "relationship--a1fa4f6f-35b5-4deb-b8e8-0608fd090d7a", "relationship--a3510d8d-8626-4b13-a179-f21c9897de13", "relationship--a41f0737-5a35-4ffb-9600-0150b80e28c7", "relationship--a43c3575-2529-46b0-980d-b733d836f4d9", "relationship--a4e52bd1-2d4d-4b5e-8350-3daf6646a02f", "relationship--a5337583-4e1c-4984-9a93-da0cbb07d19d", "relationship--a564b76e-5f03-48e6-9758-eca9cde3e49f", "relationship--a5fb3c94-62f2-4328-8376-d3063cca9d12", "relationship--a76b95e8-4523-4f85-bdc7-1a140db6eb18", "relationship--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec", "relationship--a8d215ec-0d80-4257-959e-e5f7eafe8afc", "relationship--a8ead479-ce2b-4104-9222-33139ecf1c10", "relationship--aa4142d5-200e-44b0-98bf-22b33181cde4", "relationship--ac822827-616f-4833-850b-45353f6d3a02", "relationship--ac9399c6-5d08-4fe1-aa9f-929ffec9c6a7", "relationship--ad2e5183-af39-47af-9f77-607c32bce492", "relationship--af207ed1-0aef-43d0-b440-84278d5c06d9", "relationship--b01b2fc2-4743-4292-b48e-d6c9e04388d0", "relationship--b07a1eb9-56a0-4fa0-b7e6-c98ff4f0a3a4", "relationship--b17a1a56-e99c-403c-8948-561df0cffe81", "relationship--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "relationship--b48ee271-dba9-481c-9834-8678689dbdca", "relationship--b4b946f2-16bd-4866-908d-08e6fa26df50", "relationship--b5781372-3677-4d71-a433-12abd5aa1faa", "relationship--b84ec3be-1e4b-4d1b-91a1-53a9a50f01ab", "relationship--b896bb36-1b06-4132-8891-debfbc93ccb2", "relationship--b8f24ca0-e44a-4755-8d50-7226e2f01fb5", "relationship--b8f35421-49bc-44fb-8fbd-4102b74dd833", "relationship--b927d998-8bf8-4871-b615-ef7217344f96", "relationship--ba508fce-3c98-4f1b-af65-d14a5dc07f95", "relationship--bad2a4cf-769a-485a-97a1-5fb5a72eee41", "relationship--bb4797cb-ebb7-4ea0-9c83-47cb6f14cdc8", "relationship--bc22b40c-ad02-4aa2-81ec-073af2b6efac", "relationship--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", 
"relationship--be9e4f9a-236f-4dc0-b4ea-e980228d58c7", "relationship--bfe0d7a3-2ff3-499c-80e4-2d160a411385", "relationship--c0f12c46-47dd-4b9e-ae58-9a1ca3cba58e", "relationship--c350640d-2bb8-40cd-88bc-fce4fd13a9cb", "relationship--c4311d62-e32b-4c24-aa4d-bc4dabd55c03", "relationship--c471d28a-8edf-497e-8905-217fe67b0c5b", "relationship--c6086e1b-106b-457b-ae90-fbed7c725714", "relationship--c62a7356-6f6c-46db-93a5-f818fd65f2c3", "relationship--c6ac9803-adbf-490a-936d-f21d91d18018", "relationship--c85c4505-5cb7-44bf-b3ac-82665de957f0", "relationship--ca49a799-3db5-41e7-b529-d3f3442ab388", "relationship--ca859310-a720-4389-9193-5a46b1173814", "relationship--cae45069-8bb3-4ea2-813a-c1b427818397", "relationship--cc683d05-c44c-4898-821b-cff15009a508", "relationship--cd05d39c-63af-4795-8a46-301be042fd5d", "relationship--cd8fb397-3250-41a9-b1a8-bb93cbd8999f", "relationship--ceff985d-163b-4f1d-aef9-f2f253a01e06", "relationship--d18784d8-8b03-4db3-b7cb-1bbe55c07f1c", "relationship--d2156f81-8329-40ba-8b8e-51d33d655d29", "relationship--d23e7be7-f451-4d56-886c-09a71992a7c4", "relationship--d3d75b51-02f7-4af6-8b42-3c0f73fc4ee3", "relationship--d3ea4e66-7802-4f40-bd25-48931b5a516b", "relationship--d48116e3-9a46-41f4-8896-7ac344dd0374", "relationship--d48b71f3-d8c2-4777-9603-4074e119027a", "relationship--d5099dc9-b04a-4d8a-9326-59bc90512bbb", "relationship--d5759b48-4fc5-4ae3-be70-ad24cea62cf3", "relationship--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "relationship--d6f9da53-fe2a-499f-9471-1df1eed38cc6", "relationship--d7de275c-da2c-4fce-bc7a-a4e1ffca15b1", "relationship--d88a9aba-3c00-4189-a2ca-5ca7e5577365", "relationship--d91a7927-dfd6-4ef8-8f19-9a6726e40cab", "relationship--d9764754-3b10-4097-8a3b-e1b8a0d1d8dc", "relationship--dc247510-7fa0-4a04-ab32-52e4a30d0054", "relationship--dc6520e6-8e84-480e-b99b-a3a514d61cf2", "relationship--dda1c44e-6c76-4857-b193-d6af9e734b44", "relationship--de8e6a5f-70cd-4f01-9604-a9cfd6f6e5bc", "relationship--de97227d-28fe-4018-a09b-d25d2faeebe8", 
"relationship--e0224fd2-3ee7-450c-a37d-1511ab34d917", "relationship--e06080e5-b96b-4dd9-99e6-a50daecd14b3", "relationship--e0869000-4bb8-4018-9abc-f63dec086ec2", "relationship--e118cfb8-0e30-45e2-a1fd-e42b476c4682", "relationship--e2d3f2df-996f-42a3-b698-f90274a51e1f", "relationship--e508a10c-5f36-4c8e-8499-5f6137b285b2", "relationship--e536e5bb-9af5-4b28-85e6-5e988f4619a5", "relationship--e540b61d-c40c-4c19-bb4f-19ab06d2df28", "relationship--e5cde892-87b2-46cf-87a8-6d0108179688", "relationship--e6919abc-99f9-4c6c-95a5-14761e7b2add", "relationship--e6ac508a-9dce-4f28-be0e-02252de0c763", "relationship--e77e7044-d492-4e54-a6ec-db96f7407579", "relationship--e7d9db31-76d3-42f3-9bf5-7e82f04c597d", "relationship--e85122c4-bae0-4edc-9627-648d203a69da", "relationship--e89a861a-f916-4552-81f5-22a894efa1d0", "relationship--e8cc7686-6f82-4c3f-ad8b-d8a030312d28", "relationship--ea19efd2-14d6-44c2-a0de-309de3ca1fb4", "relationship--ea30ae8f-b7f4-496b-b29d-477e6b22e56e", "relationship--ea85612a-c20a-4d37-8240-a38c9940feb8", "relationship--ec541cc1-362b-42a9-8f52-354709506a10", "relationship--ed0a8d3a-3efd-480f-94e0-497266cacf8b", "relationship--ed7c1bda-808e-4af0-b998-13c509e5d942", "relationship--ef3dabcc-b1de-4d09-a35a-68b197909056", "relationship--eff1e78a-dcae-4ba9-ad24-6bd832e1844d", "relationship--f0026eb9-bfad-4036-b310-47d882260c23", "relationship--f2d8ff20-ffc1-4e1e-b2b0-19ccc5f8c74b", "relationship--f389d990-2355-45bf-bf0f-cbd4886728d1", "relationship--f77acdaf-e8b7-4911-837b-ceb035f70889", "relationship--f82cc0ac-100f-438d-b4f0-c7f1a0478477", "relationship--f90f0fdd-df33-4c66-8c22-d44c774e783c", "relationship--f911034d-d086-442f-b7eb-c4c298b8b9e3", "relationship--fa674092-f74f-4c98-bd92-638b6a389467", "relationship--fb2588e8-7aa5-4f5a-9eee-6fb8d7cd4f04", "relationship--fb470946-bb6c-4b44-8b12-3719b44be6a0", "relationship--fbdbc7a5-242c-4f8b-9345-2f2f1a438451", "relationship--fbe527ff-39ba-4332-a324-bf9aff873f46", "relationship--fd706729-53ad-4aa0-ad40-c5ff4470e61a", 
"relationship--fe120dbc-2812-4e78-aaf2-c4ef5fbfea69", "relationship--febf391a-1d95-4d2d-83d6-876b2a7529a8", "relationship--ff4b1594-350f-42f4-97e2-db922fbb461d", "relationship--ffe10911-b111-486d-93b0-a3f55ee553f4" ], "labels": [ "campaign" ] }, { "type": "report", "id": "report--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:45:26.152Z", "name": "second", "published": "2019-10-11T19:45:26.152Z", "object_refs": [ "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4", "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "campaign--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "course-of-action--0a8741c9-240e-4a87-8d0f-7ced73cbd50d", "course-of-action--19313cf2-7b61-4748-ac31-8db430033837", "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", 
"course-of-action--3f6f590f-2752-40d2-8cfa-1e833435bbf6", "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "course-of-action--58d4b1e7-a7d1-45d8-855b-b5e13ace3dba", "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", 
"identity--5b8b881a-7707-45a2-9f38-e33665844311", "indicator--0e700b7b-764b-4c8a-a57d-f8d686d887f4", "indicator--1d8f709a-12fb-4ee6-928b-921a7eccc2f6", "indicator--2bc55d71-48a5-4921-854e-351f762e24aa", "indicator--2c461e83-a8d2-444e-9480-a2516a1f87c8", "indicator--2d6903fb-e4f1-4b0e-a657-e3937fe89861", "indicator--4d3e6511-ccc5-467e-a2be-ac608ee49374", "indicator--559172a7-fc70-4d25-8ffe-803ce24929a5", "indicator--565c1a62-b4f0-4e2f-a4de-83944dfc8c10", "indicator--5fcecf74-b682-4781-904d-f261f101282b", "indicator--7c357da2-f901-49a3-b52f-1cd4b968caf9", "indicator--b32af739-cdbf-4b43-938c-eaaa89bf5010", "indicator--cd2409a1-079a-45d6-bba7-e26ec1b6465b", "indicator--cff4fa97-3f63-4a68-83b0-4eb3f81be9de", "indicator--d3df5939-91b1-4042-9ab8-d4843028a60c", "indicator--e0300bff-605a-4969-a37f-01e1cd22a05b", "indicator--e12c095d-899f-415b-a29b-eeb6f630db70", "indicator--e6bc70bc-2221-4ae7-a19b-ef53115f6174", "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "malware--5246bc7d-be84-4c5b-8e05-6790cd81568e", "malware--c56fd492-b07a-4de7-9d74-0b5136cd9a77", "malware--d62bf08d-2145-42a9-ad32-e2a5c82d3c2d", "relationship--02c91cc9-6b95-43bb-a40a-7cf3075f93a4", "relationship--03d7999c-1f4c-42cc-8373-e7690d318104", "relationship--0438cf83-ee23-4963-8764-0152de9ffa2b", "relationship--04e50a95-1d68-4e11-abce-8325c7a70b57", "relationship--055e43b5-638c-4525-94f6-5a31d078f563", "relationship--05f41c44-8180-4a23-9eb5-db4551ea4090", "relationship--062079ac-7bd7-45b5-bc97-b234e4d84fc4", "relationship--06cafa2f-85d6-43bb-8527-ede8377c0860", "relationship--07adbd5d-12a8-46f2-b38b-772754668b90", "relationship--08d568cf-cade-4f97-ad20-2ce0d976011d", "relationship--0f653c28-3ff7-4d1e-96ca-edb4cf632a29", "relationship--102c9f05-756e-412f-9fc2-d59a2f055e47", "relationship--11ae589e-a755-491d-8374-5b5def0389cb", "relationship--15dbf668-795c-41e6-8219-f0447c0e64ce", "relationship--160ed6e7-b00c-4d8d-88ad-f6e807480ba4", "relationship--176f8da5-e078-4cb7-867c-0a807281b7e6", 
"relationship--1d0caee9-876e-4c4e-91af-c709788cbaef", "relationship--1f7cadc7-e1c3-47cd-afb0-b98c93ccb965", "relationship--2379ab55-92b4-45a8-aa89-5da8f302d1a9", "relationship--25f09f89-4384-4840-853f-0a2f67a505b6", "relationship--27c8933d-2eff-4304-beab-76004e389345", "relationship--28a5a536-2f5f-415b-a268-79bb7b2d7a1c", "relationship--2e34237d-8574-43f6-aace-ae2915de8597", "relationship--2fe72a9c-2bed-4f6b-8fcc-a19cb266e8b9", "relationship--302d533a-d8d4-454e-b5c1-8252d7c71f02", "relationship--354a7f88-63fb-41b5-a801-ce3b377b36f1", "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6", "relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "relationship--36239699-f2ea-4131-9154-656ab8f94788", "relationship--3654e0f4-2dd0-47dc-858b-3de3acc37c44", "relationship--380efc20-d11f-48c3-b5c8-8cf98841cef2", "relationship--3922ea85-cf50-4d3e-becc-01d0c1efc307", "relationship--3b4a4bd3-bf20-426b-bf9d-930963fa731d", "relationship--3b4d3dd1-df77-4267-8fff-9eda563fe60e", "relationship--3c3c1a59-cd2b-4292-b91d-8437022c0576", "relationship--3f09d478-8ab3-4438-ba45-cc863a830d93", "relationship--416774c3-cb83-461f-9f25-ab6d5fa6543b", "relationship--41efb691-eea7-4f15-9c25-d9dbdb7e991e", "relationship--450c6745-0fa7-4773-8a98-4d7f982a9209", "relationship--470c322a-59d2-4659-8d15-58a73ec8353d", "relationship--4a353e98-35b0-42c0-827d-2032f0b6ea46", "relationship--4a731c53-d7f8-444f-8a04-af2b60b097c5", "relationship--4b274066-c8ce-4094-9bdf-623cef6fe84c", "relationship--4b67d5ee-8d2c-4bc1-93e9-f7a2c4a64fdd", "relationship--4c4507f1-7c51-4b5e-9bbd-67c51d66fc96", "relationship--4ce02538-c986-46b2-a440-bcef6bf02450", "relationship--4e502b39-2e6e-4038-9359-d3e6ecf38ec7", "relationship--516d842c-508c-4032-a6e0-0b72ccaa0ae3", "relationship--51ce57cc-33c5-43ba-879a-32a32ed09d72", "relationship--561c2626-a140-4da4-8ae6-a5e65a09ccfa", "relationship--5b751821-2cf5-4aba-953c-fd7b86826555", "relationship--5d8c7c15-3ce4-46a2-8f8e-0a8609e9c55d", "relationship--5e5ebce5-219d-4b25-b272-8dff82ba5039", 
"relationship--5ed807c7-29cb-4c7a-a59c-4dee9973d679", "relationship--6339b9fc-6595-4da0-98de-171d86decc16", "relationship--668255ab-8f2c-4ea7-af6f-8ac4f1101a71", "relationship--66c7f1b0-7e4b-4bcb-90fb-fcbc1bb431f2", "relationship--6a5ff5bb-8171-4eda-89c2-6ea5fe93aef5", "relationship--6ab3a547-6afb-4ae2-b4c7-9ab9c45de5e0", "relationship--6bf9f309-42d8-4690-8828-0e4943ec6114", "relationship--6e8b68d8-b954-49ba-b96f-af4537633457", "relationship--707399d6-ab3e-4963-9315-d9d3818cd6a0", "relationship--720c7526-9483-4918-bca0-b924d7f4aa8b", "relationship--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "relationship--742a1fa0-c425-4972-83d5-603f56dd7932", "relationship--770bd929-dd09-49d5-a21b-72495d1b2f0d", "relationship--7a3c7b51-e2d1-41e3-ba09-0ccb3f29a5db", "relationship--7cf3b3c7-a098-4e98-9071-c7cb2b657191", "relationship--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "relationship--7fda3c46-13ab-4d57-872e-9562fec78f32", "relationship--81a1034e-9b48-4567-8fd6-d86d1b926c41", "relationship--832a5d5b-6e8a-4ff4-b320-08ea09b6fc5c", "relationship--84b58393-1a52-4a76-96a8-4b3e3d75574a", "relationship--85b2df26-1dfc-4438-bc83-211c9a614b7e", "relationship--874395b6-5a6f-49b1-ad27-1680a6566919", "relationship--877e437e-a9d2-46c5-9594-b63b51ff95d1", "relationship--89696ae6-9dc7-4ce0-a8e1-77c0f110f793", "relationship--8a1a1a65-1121-4549-ad81-ee11fac08c99", "relationship--8a229436-835d-4d5f-90ed-d26c4517c835", "relationship--8a83132d-0a30-4cae-aa27-88feef4e229a", "relationship--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "relationship--8c3a203a-c8a0-41cc-9301-8dc44b850b0b", "relationship--8d09c69f-a197-4070-8f6d-65389b15606a", "relationship--8e293418-fbe5-4ebe-894a-320391c18c11", "relationship--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "relationship--8ffcfda6-33ef-4fcd-ba11-afce2a26b2b3", "relationship--923ab233-67f6-490b-b50b-e4850d179ba4", "relationship--92a95493-fa51-4321-9cfb-135e69b3191a", "relationship--931398d5-ff3b-4626-a64a-58fdd9862a3f", "relationship--94df8915-193d-4b00-b530-7ec3b4f0dd7c", 
"relationship--98857351-247b-4a37-825f-d339b4c8bf4f", "relationship--99550ca1-e3eb-4b67-a6c6-cc04247f6b2f", "relationship--9c9f3116-36f9-4e50-831d-731861fe1332", "relationship--9d7f6452-2793-40cb-ab38-966196d1b12b", "relationship--9ed809cb-6ffa-4edc-8914-97ae7e43c75f", "relationship--9f3246bb-dab4-4722-add7-40fa0cc722df", "relationship--a278e596-0170-4be2-8c10-99ec8ef8a9e9", "relationship--a30567ca-29b2-45f0-bdf9-d0f3f7f2e4ba", "relationship--a32dbf7c-3d72-475d-a4d9-525b9d8399d8", "relationship--a4ae9bcb-1340-4e18-a0ac-0194d56d7384", "relationship--a553c146-1b1d-4cdc-863e-dcd19e7f5674", "relationship--a6220edc-b057-4a8b-b6ae-c62b203fd172", "relationship--a7f21a7d-072c-48ff-96e2-4e14b98e01c3", "relationship--ab0a9e07-5e5d-44a1-9f2d-5e0d2674ef44", "relationship--ad42f1ee-2fc2-4741-a9c2-224074c9d080", "relationship--adb4673d-a9e7-4984-ab1d-1701fa2362c1", "relationship--ae33522b-59ca-42d5-9cd0-28a61362d146", "relationship--af44a46b-84ce-4b3a-bede-d889c35c4499", "relationship--afd71914-e3ef-4ee1-b358-2388d8124165", "relationship--b0c9f423-990f-48c9-92e7-0cae81480a0c", "relationship--b200542e-e877-4395-875b-cf1a44537ca4", "relationship--b21c3b2d-02e6-45b1-980b-e69051040839", "relationship--b22d96f0-fa4d-4614-ad7e-340076eb2047", "relationship--b3a74588-3273-4d8d-9751-06e0548d7269", "relationship--b44f392a-0db4-4f4e-900a-4cbbfd41238b", "relationship--b6594e0e-b8bb-4c69-8294-ecec1aa164b2", "relationship--b821961f-c079-4c4a-867b-77f9be241ee9", "relationship--b924249f-1ca8-4ea6-897d-db5187addc93", "relationship--bcf18721-0db0-4b01-96aa-50e0007cabac", "relationship--be414527-0ed6-4b77-b04b-2ffa2cd601eb", "relationship--bf4d19f5-2ca2-4c6d-942e-ae85d56f3b0a", "relationship--bfdb3cb8-37be-4184-8e68-1811735b16f7", "relationship--c46b87b5-c3ea-49d9-939d-815481c454f4", "relationship--c5cc4f05-5afd-487f-8c82-f41bc8dcd43f", "relationship--c6fea36e-2019-451c-ab42-06e30a121300", "relationship--c78ecf30-d3a5-4e72-bd4d-877c91146d08", "relationship--c928c66a-c17b-48e9-a88b-d3958a0a3a09", 
"relationship--c97a139d-18fe-4902-a46b-686002573966", "relationship--ca74c75e-b861-4b54-b4f2-812d39e92c5e", "relationship--cb22c44c-e830-4f52-b42a-b52fd2fe4a1b", "relationship--cb25d6b0-4953-4854-9937-eef5828d23fc", "relationship--d3239375-4ff0-4635-add2-233a25657d04", "relationship--d39f4a91-0c51-4589-8050-7703e5ab5843", "relationship--d3b4ab75-10fd-4373-9a46-1ebe9a13800b", "relationship--d493a676-6071-4796-9d64-75d5b4b092ed", "relationship--d56c43a6-f2e7-4423-bf4f-c06037c99854", "relationship--d721d21e-9965-4a73-8ebe-003d4a5fae81", "relationship--d7d92773-75a6-4553-82db-3bccded96f4e", "relationship--d950846d-047e-4d7b-9a4b-65544c339f78", "relationship--dc089360-5c0a-4e02-a752-a966b11c6b98", "relationship--de0567ed-904f-4040-a5d0-5c4565d5e4dc", "relationship--de68c70f-1e7b-4188-889d-adc0c03c6122", "relationship--dfcd4fbd-1c9f-4955-8237-0c863dd576a7", "relationship--e21c2996-8c3e-4973-8d61-9488387fa9e0", "relationship--e35a2886-fa3b-454a-827d-67b76ebf2e1b", "relationship--e57c011f-57bf-4dd9-b419-e96d79914c3e", "relationship--e6217985-61f4-48b3-a618-6c47cc5f682c", "relationship--eb3230f0-a4c8-41b9-a054-86543fef0e4d", "relationship--ebc231e8-2c5e-4fe7-9d9f-4ed63cf7ae86", "relationship--ed11bc15-c9d0-47ec-bd9e-d9047044e3b3", "relationship--ef625e99-8820-41c6-a87d-751fdcb78cef", "relationship--f24faf46-3b26-4dbb-98f2-63460498e433", "relationship--f37081eb-70dc-4915-87da-5a8e26b5add3", "relationship--f67f22a3-508c-448c-a8f7-976d066d32bf", "relationship--f6cec54d-6e32-4c30-a2c2-fc83d1a35fca", "relationship--f723e75f-9ec3-4d19-b16f-473839dbd5bf", "relationship--f72eb8a8-cd4c-461d-a814-3f862befbf00", "relationship--f77a4f46-691d-443b-a928-f70b8ce58f88", "relationship--f8704bfe-566b-4a4b-8b83-7290ed8a2a97", "relationship--fb67941d-e8c0-48e1-a553-9ea87c850994", "relationship--fd37acab-8903-45ae-8194-47ee81cd0681", "relationship--fd532071-ef74-46cb-bb46-c7df4102b3e9", "relationship--fef6f410-1d0b-4cf0-8b94-1f2ac468c05f", "relationship--ffc4eff3-45b8-4bbd-ae4c-52bfdc9d8f4c" ], 
"labels": [ "campaign" ] }, { "type": "report", "id": "report--d6eab405-2a90-4981-bd25-0b161f1bc116", "created": "2020-07-08T12:17:34.135Z", "modified": "2020-07-13T13:45:02.008Z", "name": "RDAT", "published": "2020-07-13T13:45:02.008Z", "object_refs": [ "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "campaign--d6eab405-2a90-4981-bd25-0b161f1bc116", "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", "course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "course-of-action--60e78a97-dcc6-4d67-a310-ed7f16e0218a", "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", 
"course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", "course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "identity--4d1d54c4-6665-4112-979a-52a56b6272d4", "indicator--012e2d87-6c15-461a-bbdb-52bdb0d8f803", "indicator--06aee4da-bcca-4234-8b1a-35741adf2d67", "indicator--0b42f202-10a1-4a5e-b714-e5279164a015", "indicator--20903cd9-29c1-4a41-9202-c1b473f1855e", "indicator--2464959e-820d-47c4-9785-d982888376ec", "indicator--289251cb-2cff-4cbc-9e19-995310c5d8c0", "indicator--28ddd8f2-72d0-4c05-a72b-4927f9b4a3ef", "indicator--2bd3da7e-748b-4727-bc61-23e4582ff60f", "indicator--30745f2a-676c-4f48-8677-7382d24ed21d", "indicator--3c8cabfa-1b3b-4662-8f96-e873fe6188fe", "indicator--49bbfc5d-0cfb-4d7b-9051-3067ad34723f", "indicator--5134cbd0-890e-46e9-912e-2eb2e7c71356", "indicator--60c48c35-8820-413b-84a9-fd76ce45b951", "indicator--63c6b5e5-c5ce-4572-bad6-002f8f82d242", "indicator--6928ee56-805a-4f47-a428-9f41fb9faa6c", "indicator--6c121823-7ad4-4766-8e22-d9966c43cf69", "indicator--6dfbe1f5-d102-4fde-b97d-c05776a41b78", "indicator--6eb198da-c5e6-460f-b504-7dbf5003eb1d", "indicator--7bd90223-3f43-4831-b065-363c883bc015", "indicator--87112435-30e8-4465-9793-06d406cf5e44", 
"indicator--8cdb8bc6-bcf7-480e-aab5-b4e403d5e9a9", "indicator--8e5578f7-39c9-4fb4-af27-4c1b3d09bc8a", "indicator--8fa6a942-6241-4133-b68a-ebe195ff7901", "indicator--9340dbc2-1b6d-46bc-a669-3fdaf13579cc", "indicator--a91d113f-f89f-4a43-af44-57266ba0d07c", "indicator--adb01a10-e1b9-4724-88fe-d6758d2254c6", "indicator--b4743bb8-5c61-4399-b281-c2345abd410b", "indicator--c06f2a71-5b4d-4c0a-bce3-95ba1e7851d1", "indicator--e0350011-872e-42e4-97e6-a82a419291ee", "indicator--e1b441cf-0d08-4711-80e3-7f1724e3a88d", "indicator--e28ef3f2-c14f-4890-bd68-16bc1e44e502", "indicator--f2a66702-33c8-42ad-87f4-2abcec5ee996", "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "relationship--0021f86a-b604-4cbf-b48d-ad778ce6fcf0", "relationship--0259baeb-9f63-4c69-bf10-eb038c390688", "relationship--04dd51c4-aaa5-4128-bf07-1e8ebfa23681", "relationship--055e43b5-638c-4525-94f6-5a31d078f563", "relationship--068ee331-72ba-45b0-9dc5-e785e116fdb4", "relationship--075303bf-f6f4-4baa-a393-7af277914e55", "relationship--076d5ade-2e17-4fac-9884-78e285587a0b", "relationship--08678c64-6347-4a01-9b9c-542d6e8f95d7", "relationship--08784c53-dee3-4228-9e73-26b1af341316", "relationship--08d568cf-cade-4f97-ad20-2ce0d976011d", "relationship--09c48684-c0c0-44e8-9106-a363824aeda1", "relationship--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "relationship--0b54c0c8-6a54-4f1c-bafa-1f81e5c68418", "relationship--0b783e46-b83a-44ef-a7cf-fdf7b1495244", "relationship--0ce5baf6-ec27-48bd-a626-3169b4bef839", "relationship--0d8a7165-6460-4b0b-a779-21cb5a1f6a14", "relationship--0d9d317c-9e3b-4704-bc54-afa916b9a478", "relationship--0ee5ee72-1073-4158-bbd2-41f835d67a13", "relationship--11ae589e-a755-491d-8374-5b5def0389cb", "relationship--12f06656-19c7-4a0b-aafc-fa164959980c", "relationship--14b468db-564c-4656-b180-aae331fcaa37", "relationship--14dd4dda-0e14-4da7-9be8-21b763b11ebb", "relationship--15515310-419b-452d-8040-1f59b9443ae1", "relationship--160ed6e7-b00c-4d8d-88ad-f6e807480ba4", 
"relationship--16532c2c-6c6e-499b-a4d2-7068198b63d7", "relationship--166ef948-ae30-49f5-bd31-5d7cea1e53ad", "relationship--1b53eec4-bef9-44e7-9b55-7d0b2d84f82e", "relationship--1cd465d4-05d9-463e-9036-433a7af716d6", "relationship--1d79f0ca-e426-4cd2-bf79-7c77fc05ce05", "relationship--1fc0d5c4-9e6e-4d3e-82f1-cbf7d04cc79c", "relationship--2071703f-96fb-4e5b-9406-958e1d153b8b", "relationship--211ad95c-8339-4f13-8d3c-0bc89af1245e", "relationship--22cc20f5-87d2-493f-b4c6-21a8f35e270f", "relationship--245e3eb9-2ac3-45a3-9500-930b2ef97dac", "relationship--262bc6f7-1167-4b5f-8f0d-622e9c38ce02", "relationship--27d8b631-caec-4897-a402-36d35c0d3b22", "relationship--2b4fb546-289c-4752-bf3d-21557d77c3ce", "relationship--2bf462e4-2582-4923-a47c-7626405833b3", "relationship--2d20727f-27d9-4526-8c81-31095614a6c9", "relationship--2f7f4894-d070-4eaa-b6c8-0bafcb02b284", "relationship--2fe3a209-7517-4247-96b4-b99cf3bad10f", "relationship--309a33e6-9ccb-4190-8de5-a9e16df2fda6", "relationship--32b52767-3115-426f-9cb8-7df30149261b", "relationship--3382938c-fb1d-4d5b-971f-25420e84134f", "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6", "relationship--36c10fc6-545f-431c-8f83-5a675dd7b812", "relationship--3701777f-6995-4031-82d8-b160a3ea8f9c", "relationship--3706ccb0-5dbe-426c-82c1-6f4565a6357b", "relationship--380efc20-d11f-48c3-b5c8-8cf98841cef2", "relationship--38160abc-41d1-4b26-b37f-f0e513328703", "relationship--38276b27-0ed5-45a0-be2c-c2ec6128d811", "relationship--388a380d-18d0-4be4-81fb-c1a0b4486120", "relationship--3950e32e-d243-4f21-8cce-7938d4f3c9ed", "relationship--39551803-96ad-4ce1-be61-1794292ceaf5", "relationship--396c688c-a3ca-40f5-b0eb-1fc73898f178", "relationship--39949868-2ae1-4934-88c9-cf743827aab8", "relationship--3cade3ef-8857-4f8e-9b26-896a82ba14a9", "relationship--3cb00f22-8efd-4b4c-9737-cc31667e85d6", "relationship--3cb11971-cc25-4210-9bfc-98d4ee0ab07c", "relationship--3d924f97-d12f-4cb6-b163-08aac65a84e7", "relationship--3dbc226d-7b19-49f5-bc48-7ac52ef535f0", 
"relationship--3f762506-8417-46d7-b1ed-5234376537c2", "relationship--40100c96-0a05-4d7b-87a5-42a94fb090ea", "relationship--40d6b506-800d-4621-b25b-0c8fa5c313c1", "relationship--4289f0a3-65c7-4733-9743-09ed517283d4", "relationship--43382c84-b63a-4f6d-950f-e838645aa6a8", "relationship--43eafced-45a2-4c58-b197-aa9b49a04891", "relationship--4528c0cc-704b-4da9-b9dd-4d75fd85cfc9", "relationship--4733c6d7-b135-47da-8396-5b1063285d06", "relationship--4a93b203-f7db-4a72-8a2a-1337678e9a58", "relationship--4ca0ff4d-5ff1-4285-a1e6-ba8c1b9d7d32", "relationship--4dec9710-a380-4824-bb71-ca9b8c16d183", "relationship--500045d8-9326-4c5e-89a0-b8d33413999f", "relationship--51d3fb1f-2eed-49c8-9eaf-d1082b0a3777", "relationship--5376ad6c-639d-48bf-ae9d-00b5a785d736", "relationship--541c5046-022a-435c-bf80-f7eb54e3d407", "relationship--55192a67-dc22-4f61-beae-8dae931000c0", "relationship--565dc9d8-d654-4d34-ba0e-8e2806ffe829", "relationship--58576c8b-7e2f-4c83-b18e-8fc144ceda40", "relationship--5c01dc39-8b88-48b9-a8b6-bcc45947b13d", "relationship--5c5f025b-db8e-4085-80c0-73c2e095d9a2", "relationship--5d22d838-1cb1-4204-9e1a-a55a754ffe59", "relationship--5db030f7-a8b2-457e-bd71-174b5af772dc", "relationship--5e99bd2b-db13-40a1-9a21-ab96a7550beb", "relationship--64faa5c9-2cf9-409a-b751-4960f7eb6714", "relationship--65470772-4268-48dd-a35a-5e42c321f1e9", "relationship--66c7f1b0-7e4b-4bcb-90fb-fcbc1bb431f2", "relationship--685d35a9-5470-4234-a3af-39167a958782", "relationship--6a64d167-f04e-49de-a274-ea457e0b303c", "relationship--6b0aac9d-ed96-4c55-a3d4-e903992eac3a", "relationship--6c958735-1024-4591-b576-88c65538f763", "relationship--6dd2e037-e5ac-462c-ad42-732853fe1a16", "relationship--6ff2cea4-4f39-480a-93da-9c3ef14adcb1", "relationship--7385dfaf-6886-4229-9ecd-6fd678040830", "relationship--7661613d-2a2e-49fb-b783-6253ccf05a87", "relationship--77f1a790-84f8-4b21-b295-2130c8eaa7d1", "relationship--7877f6f7-f6ff-4142-ada6-3b05b8825738", "relationship--791df76d-2cbe-48d1-b49a-a4297d5c0a4e", 
"relationship--798d3fdd-590b-4b01-a440-ba27c6d20f0d", "relationship--7b302a7f-7c59-4f91-853a-720de0ce8193", "relationship--7b80f151-7338-4946-94dc-6f1fae4294db", "relationship--7be13991-f221-48d4-b64d-ef1f343660db", "relationship--7c78b490-5275-4de6-8983-5a8c7672eead", "relationship--7e3ab41f-4fae-42a7-b8bc-f776c1411b6b", "relationship--828a7d43-0e73-42ec-8edf-64aa679c3208", "relationship--831d5bf3-1bc3-46f3-8aaf-dc1a9ad15736", "relationship--84b58393-1a52-4a76-96a8-4b3e3d75574a", "relationship--850d6f45-7b76-4b1f-bf93-0fa011691b87", "relationship--85766ad7-7ae1-4a10-a65b-6987ce46dc60", "relationship--85aea0e7-9db0-489d-b034-558e9fd22e37", "relationship--86a8ccb0-e97a-41be-9d51-a192692ad0a2", "relationship--89db064f-cdd4-4fed-bf21-6e66650939af", "relationship--89df8ee0-e474-4d19-a893-888f5d2be96e", "relationship--8a56ef58-be60-407a-9643-eed90eae2920", "relationship--8a83132d-0a30-4cae-aa27-88feef4e229a", "relationship--8c7826d9-965a-43e5-9f4e-a1b5df1cc2e1", "relationship--8d26f640-acf7-46e3-b1cb-e11c277dc101", "relationship--8d386405-9c06-4b06-b6ef-83442ee79235", "relationship--8e9da3e8-ff65-4f2c-b5eb-53b4c20ec677", "relationship--8eea338a-5ef1-461a-890d-7e14f860b296", "relationship--906e0a78-c364-47f8-9795-94b53b6175bf", "relationship--915f1e1d-f8c4-4c19-b52b-4a574d94dadc", "relationship--92a95493-fa51-4321-9cfb-135e69b3191a", "relationship--92d7da27-2d91-488e-a00c-059dc162766d", "relationship--92e8c67e-50af-4459-ba32-3dafbee2ee6a", "relationship--939816fc-b86e-44fe-9025-73d17feffd25", "relationship--93c396d7-44b0-4218-bf2d-24c6299ec27b", "relationship--9445bf8c-218b-4585-be8e-c64fef63277f", "relationship--970a3432-3237-47ad-bcca-7d8cbb217736", "relationship--9938dad8-9983-4224-afba-d5ac0cf9da95", "relationship--999beab6-61c4-4381-b89c-c00fdb9fb815", "relationship--9a2fca24-140f-4a53-8b74-a2f6d7e793b4", "relationship--9af6030f-9528-489b-b02a-2257eec56b6b", "relationship--9b983f39-267e-47b5-b147-b361a0c61613", "relationship--9bcf537b-eb03-44bd-a8d9-0cf2ed107068", 
"relationship--9bd7f071-ba3a-408f-83b4-6419e6a1fae6", "relationship--9bf6bc64-514b-4062-923a-e7d0c913a764", "relationship--9c48c02f-d047-4dc5-b386-4e034ce10b7a", "relationship--9c4be733-7835-474c-931f-2c85adb4a3d2", "relationship--9e93dff3-1f55-4656-8f84-1f0f60734925", "relationship--a0086f27-655d-4854-a033-ab9500419d1f", "relationship--a19e86f8-1c0a-4fea-8407-23b73d615776", "relationship--a1a1e92e-7e0c-465e-8991-d196f5c519f1", "relationship--a35f6dfe-1a4c-44e5-af0d-4371543d3062", "relationship--a41f0737-5a35-4ffb-9600-0150b80e28c7", "relationship--a4ae9bcb-1340-4e18-a0ac-0194d56d7384", "relationship--a4dbfcdf-ad9e-4a53-ad31-0a01fb73046f", "relationship--a553c146-1b1d-4cdc-863e-dcd19e7f5674", "relationship--a62f8427-ef1e-4a80-b681-105699970adc", "relationship--a73255d7-18a9-4ba5-b3dd-242f539cf250", "relationship--a92d4175-c63f-4e67-89a0-ed605b6267b5", "relationship--a9553839-6864-4037-bb49-226450e4ff76", "relationship--ac9794e9-4f47-483b-9ff7-d829f33cf3f2", "relationship--ad255bfe-a9e6-4b52-a258-8d3462abe842", "relationship--adb4673d-a9e7-4984-ab1d-1701fa2362c1", "relationship--ae7ad065-af7b-4d68-9ca9-746db8957179", "relationship--b3dff383-7bf8-4d0b-a336-388a86bae4f4", "relationship--b44cf25b-0fd8-4c4d-b571-4fc61d595ea9", "relationship--b44f392a-0db4-4f4e-900a-4cbbfd41238b", "relationship--b58ba438-7d8e-411b-a445-b5ff60dcf2aa", "relationship--b5fc7aa1-06a2-4462-9f60-26b3eb4789e7", "relationship--b8a257e1-0b93-4e73-8bb0-6ff31591cffc", "relationship--b9bd9d7a-aad7-4ea0-9670-2c475c7ed4c0", "relationship--ba47022e-220d-4024-9238-84c72bd103f0", "relationship--bb4797cb-ebb7-4ea0-9c83-47cb6f14cdc8", "relationship--bb592a95-96c8-47cd-a7ae-db4c98c274c4", "relationship--bc22b40c-ad02-4aa2-81ec-073af2b6efac", "relationship--bf176076-b789-408e-8cba-7275e81c0ada", "relationship--bfa67af9-15d1-4325-a166-4b9d3c3dd239", "relationship--c01d8b5d-221f-44f4-88de-5517bb183454", "relationship--c0f12c46-47dd-4b9e-ae58-9a1ca3cba58e", "relationship--c113e24b-80f7-411b-9732-463e23b1c1c5", 
"relationship--c199c78b-12f0-4937-960a-1c02930c15e4", "relationship--c5cc4f05-5afd-487f-8c82-f41bc8dcd43f", "relationship--c62a7356-6f6c-46db-93a5-f818fd65f2c3", "relationship--ca2f70ae-7fa0-4817-8291-c7076e2b2803", "relationship--ca49a799-3db5-41e7-b529-d3f3442ab388", "relationship--caead389-4ef7-40a1-80f2-0501b3f88a63", "relationship--cc047262-8b10-4f88-910b-bd2b83f2cdfc", "relationship--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "relationship--cf02351a-64f3-48df-a8ea-a5d433b32548", "relationship--cfa2f5ea-addd-4d3b-acb9-e480e5f9f0cd", "relationship--d3ea4e66-7802-4f40-bd25-48931b5a516b", "relationship--d42ad05e-6207-4fff-9c76-480a9c3d954b", "relationship--d493a676-6071-4796-9d64-75d5b4b092ed", "relationship--d61fdf00-8d63-4903-8e29-76f9648e53f3", "relationship--d6eab405-2a90-4981-bd25-0b161f1bc116", "relationship--d72ff809-76e2-4d25-bbfc-14a6a1610eff", "relationship--d8581b07-931f-4399-8cb1-dd9accd45def", "relationship--db3724b7-a80a-4d65-b0e9-94456775365a", "relationship--db8fd0d3-52d8-4f70-96c6-9a9a460851f3", "relationship--dbf0d2b5-634c-4a8a-b63a-d54c83ff4f6d", "relationship--dd20c1bf-2766-4e8b-bfe4-591e10f596fc", "relationship--de8e6a5f-70cd-4f01-9604-a9cfd6f6e5bc", "relationship--de97227d-28fe-4018-a09b-d25d2faeebe8", "relationship--df77937a-4b4b-4ffb-90d8-7a548a869923", "relationship--dff31701-7901-4b3d-b101-fa3f535c90eb", "relationship--e0aa4771-9c3a-4996-97dc-a3a763b6d9e0", "relationship--e1a0b9cf-3611-48f1-bfa0-1100f585fe8a", "relationship--e1c4ed76-8448-4b84-800a-515ddd3b1f43", "relationship--e53951fc-4302-403f-bf90-9d566d9dad2d", "relationship--e5b8cb25-3d59-42b8-a3bc-5a943abb087a", "relationship--e6217985-61f4-48b3-a618-6c47cc5f682c", "relationship--e68f72a9-ea79-4ba2-a1a3-ed11671c1427", "relationship--e6919abc-99f9-4c6c-95a5-14761e7b2add", "relationship--e697b87f-6c84-4447-b34b-47d98e63f2ba", "relationship--e77e7044-d492-4e54-a6ec-db96f7407579", "relationship--e793a5f2-02d9-41fd-a0b1-b96ad9926ab6", "relationship--eb487ab1-ef76-41bf-a00b-bf1af8994de7", 
"relationship--ee18d2b5-5598-48ee-903d-69ca858626d7", "relationship--ef3dabcc-b1de-4d09-a35a-68b197909056", "relationship--ef625e99-8820-41c6-a87d-751fdcb78cef", "relationship--efbc10dd-778a-4f84-9c78-b62ce3fadf64", "relationship--f35e4352-9493-4ad7-9f48-f2a270e3dbc1", "relationship--f56e50ec-bd65-47f2-9fb9-b6778c6305ba", "relationship--f77a4f46-691d-443b-a928-f70b8ce58f88", "relationship--f879d51c-5476-431c-aedf-f14d207e4d1e", "relationship--f911034d-d086-442f-b7eb-c4c298b8b9e3", "relationship--f933464c-3714-4e46-9db5-0b0c4aee2536", "relationship--fe9303d8-250d-4cc0-9dc1-64663569dcb5", "relationship--febf391a-1d95-4d2d-83d6-876b2a7529a8", "relationship--fed2cb9b-d85b-4ed8-aaac-9b18d8486e5f", "relationship--fedefb69-e8ba-4c75-9790-d1d7711572ba", "relationship--ff20c82a-9245-4464-bdc8-4044f8bd9cbb" ], "labels": [ "campaign" ] }, { "type": "report", "id": "report--e76e88c8-699a-4eeb-a8e5-3645826d6455", "created": "2018-08-03T20:30:50.665Z", "modified": "2019-10-11T19:56:13.483Z", "name": "fourth", "published": "2019-10-11T19:56:13.483Z", "object_refs": [ "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "campaign--e76e88c8-699a-4eeb-a8e5-3645826d6455", "course-of-action--00d97976-e97e-4878-b530-9f37d7a3e2e5", "course-of-action--04a2db1c-3e80-43a4-a9c6-3864195bbf73", "course-of-action--09cad5e4-8c95-494f-862e-0c640b175348", "course-of-action--0a8741c9-240e-4a87-8d0f-7ced73cbd50d", "course-of-action--19313cf2-7b61-4748-ac31-8db430033837", "course-of-action--2c886776-61fb-487c-a880-41f4b7195627", 
"course-of-action--2fd9769c-5e50-4528-985f-a1d117329991", "course-of-action--38519f4f-e6e8-454b-a3f5-b46daef0e316", "course-of-action--39928312-81bb-4445-a269-9f3d0bb88d5c", "course-of-action--3de85a76-a879-43e6-80ba-38e09e7e2b0c", "course-of-action--3f6f590f-2752-40d2-8cfa-1e833435bbf6", "course-of-action--41a5e724-166d-496a-bfa6-5f7d671c733e", "course-of-action--44bfcc9e-cb15-499f-b0fe-3c41e2c2655e", "course-of-action--49881f38-2571-47a1-a122-26a5968f1137", "course-of-action--553711d6-06e4-49e2-a1ad-929d9cce8e39", "course-of-action--5839cd6c-7897-43c4-82f3-5c03096a51c4", "course-of-action--5e951942-0565-46f4-b09e-80426812b6b5", "course-of-action--60e78a97-dcc6-4d67-a310-ed7f16e0218a", "course-of-action--67289170-1bd4-4944-be31-d680954141f5", "course-of-action--68c5676d-ab2f-4e68-a57c-28880a9f5709", "course-of-action--7bbb332f-22cf-48f2-a4a1-5bc9d2b034ca", "course-of-action--916bf914-3cad-47c6-8651-a1ac92ee84d0", "course-of-action--922b1227-c493-43f6-8b4a-ae6d6963eb8b", "course-of-action--9352128e-2dbe-4621-8800-9e7cc17336e3", "course-of-action--95432623-8819-4f74-a8f9-b10b9c4118c3", "course-of-action--a1294d38-0f0d-4973-a949-f38cccbc7469", "course-of-action--ae18aab6-0a08-4c09-9a97-6c6ef58061a7", "course-of-action--b07fe965-d582-4581-aa2f-9676705f5560", "course-of-action--b1f31bc6-40cd-4c64-805f-1680eda35801", "course-of-action--b4ed79f9-b72c-4423-9a9c-f29134fda870", "course-of-action--b62423f4-1849-4d9f-88c0-7160a8bed5c2", "course-of-action--bca382b3-2a97-451f-a849-80f7a4e7edce", "course-of-action--be1d0eb5-a628-4d91-9096-9158e68816cd", "course-of-action--c45b79a8-2d29-4d8c-95ab-acea7e478e50", "course-of-action--c5148c0d-4c4a-4ad6-b2c7-942f9eb91673", "course-of-action--c9efabbf-c21b-4213-a192-6a8e3b3a0905", "course-of-action--d84f79f8-219c-43cb-a918-ab7dd235413a", "course-of-action--dcd486e6-fcf5-4692-9187-115efdae9694", "course-of-action--dff22e97-a89e-4ff7-b615-0165258bf8d5", "course-of-action--e15f23e0-f6ae-4440-865f-63ac76b93bf5", 
"course-of-action--f1a1d494-3463-4067-abc7-a731f7dfb9ff", "course-of-action--f36dcd51-156b-497a-a565-0301a105eb79", "course-of-action--f4a8da12-c6f0-4a33-ae42-590c5602be99", "course-of-action--fafab9a4-1478-499e-9088-2043c42720d1", "identity--c7dc2a79-4dbe-463b-a58b-24c781041f30", "indicator--2560de5f-2375-49de-9d4a-47dc1f5f067b", "indicator--337a0d8f-efa1-4e2e-9956-c7fd385bc136", "indicator--3d8472f1-c641-4428-8f57-6af5b8ac4d42", "indicator--8a419fc6-b0dd-466b-a2d7-23e5c30f1707", "indicator--8e3da953-ff61-4520-893f-afefe7d145e9", "indicator--91afba2e-8721-4751-abb5-89e4ea75d771", "indicator--9fcb8551-97e9-4335-a63c-91ca5156efd0", "indicator--a0012b87-ad05-4c74-a014-9957d1795397", "indicator--df6e4110-8f96-4388-a418-8f8418e107ba", "indicator--e28f89fe-377d-44cf-a486-e8b84af20737", "indicator--ed7365d8-f542-444a-8224-60221233acfe", "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", "malware--a933d627-2a1a-499c-9dad-be8cc2e04dd6", "malware--d62bf08d-2145-42a9-ad32-e2a5c82d3c2d", "relationship--0021f86a-b604-4cbf-b48d-ad778ce6fcf0", "relationship--008da2c6-0d38-449c-8a36-3d7b0d815ac0", "relationship--04dd51c4-aaa5-4128-bf07-1e8ebfa23681", "relationship--055e43b5-638c-4525-94f6-5a31d078f563", "relationship--068ee331-72ba-45b0-9dc5-e785e116fdb4", "relationship--076d5ade-2e17-4fac-9884-78e285587a0b", "relationship--07adbd5d-12a8-46f2-b38b-772754668b90", "relationship--08678c64-6347-4a01-9b9c-542d6e8f95d7", "relationship--08d568cf-cade-4f97-ad20-2ce0d976011d", "relationship--0b30e016-6bfd-4f60-aaed-15df952f29f7", "relationship--0e1b995e-27c8-40f6-84a8-3b1095dcd0bf", "relationship--0ee5ee72-1073-4158-bbd2-41f835d67a13", "relationship--0f653c28-3ff7-4d1e-96ca-edb4cf632a29", "relationship--11ae589e-a755-491d-8374-5b5def0389cb", "relationship--12c3b9ac-e5a8-4c3b-9ade-46a50941a67f", "relationship--14dd4dda-0e14-4da7-9be8-21b763b11ebb", "relationship--15515310-419b-452d-8040-1f59b9443ae1", "relationship--160ed6e7-b00c-4d8d-88ad-f6e807480ba4", 
"relationship--1649785c-1541-41b2-a7e3-3ba214681eea", "relationship--175f1636-a51e-4c1c-bcee-1a87d8791791", "relationship--17e8782b-ed62-4d33-901d-e023b2b1b946", "relationship--18984045-bb93-45ac-b8d5-2895044e3b01", "relationship--19ce8250-86e1-4279-b023-cbb787365eeb", "relationship--1d0caee9-876e-4c4e-91af-c709788cbaef", "relationship--210fb88a-27b3-417d-93c6-66f75a5a81b6", "relationship--22b09015-9ae3-4b16-8a89-954ab6a065ce", "relationship--22cc20f5-87d2-493f-b4c6-21a8f35e270f", "relationship--262bc6f7-1167-4b5f-8f0d-622e9c38ce02", "relationship--27c8933d-2eff-4304-beab-76004e389345", "relationship--28a5a536-2f5f-415b-a268-79bb7b2d7a1c", "relationship--2c729486-d56e-43a6-9eab-e8908209ab67", "relationship--2c99b67f-666b-41af-b4e4-2346360bcb11", "relationship--2cf0b18b-55cb-44c8-9ea5-b792a1a6ddb2", "relationship--2e34237d-8574-43f6-aace-ae2915de8597", "relationship--2f7f4894-d070-4eaa-b6c8-0bafcb02b284", "relationship--2fe3a209-7517-4247-96b4-b99cf3bad10f", "relationship--33f9b7e1-14b2-4e9e-a83d-d2463093ebef", "relationship--355be19c-ffc9-46d5-8d50-d6a036c675b6", "relationship--35dd844a-b219-4e2b-a6bb-efa9a75995a9", "relationship--3654e0f4-2dd0-47dc-858b-3de3acc37c44", "relationship--379e84b6-d424-412b-80bc-e0246073fd70", "relationship--380efc20-d11f-48c3-b5c8-8cf98841cef2", "relationship--38276b27-0ed5-45a0-be2c-c2ec6128d811", "relationship--3922ea85-cf50-4d3e-becc-01d0c1efc307", "relationship--3950e32e-d243-4f21-8cce-7938d4f3c9ed", "relationship--396c688c-a3ca-40f5-b0eb-1fc73898f178", "relationship--39949868-2ae1-4934-88c9-cf743827aab8", "relationship--3b4d3dd1-df77-4267-8fff-9eda563fe60e", "relationship--3d79c27e-b192-410d-806c-f53e79599518", "relationship--3d924f97-d12f-4cb6-b163-08aac65a84e7", "relationship--43eafced-45a2-4c58-b197-aa9b49a04891", "relationship--45c0877b-9b85-433e-b9fe-1505dd7735a4", "relationship--470c322a-59d2-4659-8d15-58a73ec8353d", "relationship--4a93b203-f7db-4a72-8a2a-1337678e9a58", "relationship--4ce02538-c986-46b2-a440-bcef6bf02450", 
"relationship--4eeb79d6-f779-4cf6-9901-8ce3ba3d9a16", "relationship--500045d8-9326-4c5e-89a0-b8d33413999f", "relationship--51372409-6c33-4b17-a5fb-1193c80b15a9", "relationship--516d842c-508c-4032-a6e0-0b72ccaa0ae3", "relationship--541c5046-022a-435c-bf80-f7eb54e3d407", "relationship--561c2626-a140-4da4-8ae6-a5e65a09ccfa", "relationship--58576c8b-7e2f-4c83-b18e-8fc144ceda40", "relationship--59fb94fd-a2ac-4df8-ae7d-8a96f07d65d4", "relationship--5b23ee0a-5073-45f0-b493-9ab6f0f33ff9", "relationship--5d22d838-1cb1-4204-9e1a-a55a754ffe59", "relationship--5d4f1e76-26ce-46d3-8831-9200cfbc08cc", "relationship--5d8c7c15-3ce4-46a2-8f8e-0a8609e9c55d", "relationship--5db030f7-a8b2-457e-bd71-174b5af772dc", "relationship--5e5ebce5-219d-4b25-b272-8dff82ba5039", "relationship--5e99bd2b-db13-40a1-9a21-ab96a7550beb", "relationship--5ed807c7-29cb-4c7a-a59c-4dee9973d679", "relationship--631f6c5b-6df4-40a4-a481-2d4e63699c84", "relationship--66c7f1b0-7e4b-4bcb-90fb-fcbc1bb431f2", "relationship--685d35a9-5470-4234-a3af-39167a958782", "relationship--68b5aa49-18a7-41e4-a9d2-d5e27817e0ad", "relationship--6ab3a547-6afb-4ae2-b4c7-9ab9c45de5e0", "relationship--6b5c6ed2-0c80-41c1-9d34-b94750849f00", "relationship--6dd2e037-e5ac-462c-ad42-732853fe1a16", "relationship--70893e8f-6c9e-4e7f-a424-4e7df9eea046", "relationship--70ce103c-4360-4c8a-abde-63591527c5a1", "relationship--7385dfaf-6886-4229-9ecd-6fd678040830", "relationship--7661613d-2a2e-49fb-b783-6253ccf05a87", "relationship--76c8e37a-4ed8-4609-a555-dd0280d8e54c", "relationship--7877f6f7-f6ff-4142-ada6-3b05b8825738", "relationship--798d3fdd-590b-4b01-a440-ba27c6d20f0d", "relationship--7b80f151-7338-4946-94dc-6f1fae4294db", "relationship--7be13991-f221-48d4-b64d-ef1f343660db", "relationship--7c78b490-5275-4de6-8983-5a8c7672eead", "relationship--81a1034e-9b48-4567-8fd6-d86d1b926c41", "relationship--824184a6-259e-4aca-81a6-d66bf2962918", "relationship--828a7d43-0e73-42ec-8edf-64aa679c3208", "relationship--83556ba2-cd6f-4f22-b1d1-c69aa48cff49", 
"relationship--84b58393-1a52-4a76-96a8-4b3e3d75574a", "relationship--850d6f45-7b76-4b1f-bf93-0fa011691b87", "relationship--85b2df26-1dfc-4438-bc83-211c9a614b7e", "relationship--8a83132d-0a30-4cae-aa27-88feef4e229a", "relationship--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "relationship--8c3a203a-c8a0-41cc-9301-8dc44b850b0b", "relationship--8c7819b0-d3b4-4a0a-be71-e6ed6c230513", "relationship--8e9da3e8-ff65-4f2c-b5eb-53b4c20ec677", "relationship--8eea338a-5ef1-461a-890d-7e14f860b296", "relationship--8ffcfda6-33ef-4fcd-ba11-afce2a26b2b3", "relationship--915f1e1d-f8c4-4c19-b52b-4a574d94dadc", "relationship--918285f7-353a-436e-82f6-748281d7695b", "relationship--923ab233-67f6-490b-b50b-e4850d179ba4", "relationship--92a95493-fa51-4321-9cfb-135e69b3191a", "relationship--92d7da27-2d91-488e-a00c-059dc162766d", "relationship--93c396d7-44b0-4218-bf2d-24c6299ec27b", "relationship--9a2fca24-140f-4a53-8b74-a2f6d7e793b4", "relationship--9b983f39-267e-47b5-b147-b361a0c61613", "relationship--9c64967b-5144-4eed-9a82-4ed956ffebd5", "relationship--9cec34a5-ab91-490e-8bbb-8482cfb6e8f1", "relationship--9d7f6452-2793-40cb-ab38-966196d1b12b", "relationship--9ed809cb-6ffa-4edc-8914-97ae7e43c75f", "relationship--a0086f27-655d-4854-a033-ab9500419d1f", "relationship--a154b83d-b6cc-40a5-ba75-8dc10e7b5164", "relationship--a1a1e92e-7e0c-465e-8991-d196f5c519f1", "relationship--a30567ca-29b2-45f0-bdf9-d0f3f7f2e4ba", "relationship--a35f6dfe-1a4c-44e5-af0d-4371543d3062", "relationship--a41f0737-5a35-4ffb-9600-0150b80e28c7", "relationship--a4ae9bcb-1340-4e18-a0ac-0194d56d7384", "relationship--a553c146-1b1d-4cdc-863e-dcd19e7f5674", "relationship--a6220edc-b057-4a8b-b6ae-c62b203fd172", "relationship--a7f21a7d-072c-48ff-96e2-4e14b98e01c3", "relationship--ac9794e9-4f47-483b-9ff7-d829f33cf3f2", "relationship--ad42f1ee-2fc2-4741-a9c2-224074c9d080", "relationship--adb4673d-a9e7-4984-ab1d-1701fa2362c1", "relationship--ae33522b-59ca-42d5-9cd0-28a61362d146", "relationship--af44a46b-84ce-4b3a-bede-d889c35c4499", 
"relationship--b0c9f423-990f-48c9-92e7-0cae81480a0c", "relationship--b1038a10-9cab-45c9-b80d-cca8877a61c7", "relationship--b22d96f0-fa4d-4614-ad7e-340076eb2047", "relationship--b44f392a-0db4-4f4e-900a-4cbbfd41238b", "relationship--b7ccf9fa-f415-4ad1-b31e-c4f775d0f767", "relationship--b8902400-e6c5-4ba2-95aa-2d35b442b118", "relationship--b924249f-1ca8-4ea6-897d-db5187addc93", "relationship--bb4797cb-ebb7-4ea0-9c83-47cb6f14cdc8", "relationship--bc22b40c-ad02-4aa2-81ec-073af2b6efac", "relationship--bcf18721-0db0-4b01-96aa-50e0007cabac", "relationship--c0f12c46-47dd-4b9e-ae58-9a1ca3cba58e", "relationship--c1bcd7e8-889e-4fa1-8f1d-294232de6c09", "relationship--c5cc4f05-5afd-487f-8c82-f41bc8dcd43f", "relationship--c9c52d19-7e21-4de2-8e63-968b8ef51f9b", "relationship--ca49a799-3db5-41e7-b529-d3f3442ab388", "relationship--cb22c44c-e830-4f52-b42a-b52fd2fe4a1b", "relationship--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "relationship--cd661a6d-47c3-4a99-9e5e-cddfd0c4bfa2", "relationship--cf1c7aee-2def-4d8d-9f9a-d10c65a33fd8", "relationship--cfa2f5ea-addd-4d3b-acb9-e480e5f9f0cd", "relationship--d3239375-4ff0-4635-add2-233a25657d04", "relationship--d3ea4e66-7802-4f40-bd25-48931b5a516b", "relationship--d493a676-6071-4796-9d64-75d5b4b092ed", "relationship--d51cdbbb-2c99-4f69-9ecd-edf897914d5a", "relationship--d721d21e-9965-4a73-8ebe-003d4a5fae81", "relationship--d950846d-047e-4d7b-9a4b-65544c339f78", "relationship--da77a138-b0fb-4cc6-9ca5-84115a76d59b", "relationship--db3724b7-a80a-4d65-b0e9-94456775365a", "relationship--dbf0d2b5-634c-4a8a-b63a-d54c83ff4f6d", "relationship--dd20c1bf-2766-4e8b-bfe4-591e10f596fc", "relationship--de8e6a5f-70cd-4f01-9604-a9cfd6f6e5bc", "relationship--de97227d-28fe-4018-a09b-d25d2faeebe8", "relationship--e0aa4771-9c3a-4996-97dc-a3a763b6d9e0", "relationship--e1c4ed76-8448-4b84-800a-515ddd3b1f43", "relationship--e21c2996-8c3e-4973-8d61-9488387fa9e0", "relationship--e57c011f-57bf-4dd9-b419-e96d79914c3e", "relationship--e5b8cb25-3d59-42b8-a3bc-5a943abb087a", 
"relationship--e6217985-61f4-48b3-a618-6c47cc5f682c", "relationship--e6919abc-99f9-4c6c-95a5-14761e7b2add", "relationship--e76e88c8-699a-4eeb-a8e5-3645826d6455", "relationship--e77e7044-d492-4e54-a6ec-db96f7407579", "relationship--e886c2be-b2d0-44b8-9fd0-3f7810a8fed1", "relationship--eb3230f0-a4c8-41b9-a054-86543fef0e4d", "relationship--ed11bc15-c9d0-47ec-bd9e-d9047044e3b3", "relationship--ed8b1668-7a2d-4537-a24a-99ae0faee4ab", "relationship--ef02aa8d-cf3d-4426-881b-6a4d6ed07a82", "relationship--ef3dabcc-b1de-4d09-a35a-68b197909056", "relationship--ef625e99-8820-41c6-a87d-751fdcb78cef", "relationship--f174d81d-7b57-4996-9617-765692b22593", "relationship--f67f22a3-508c-448c-a8f7-976d066d32bf", "relationship--f723e75f-9ec3-4d19-b16f-473839dbd5bf", "relationship--f77a4f46-691d-443b-a928-f70b8ce58f88", "relationship--fa3ddbb1-4ca1-45f5-b671-092e185f27ce", "relationship--fd03c24c-7334-472f-8f8a-2941e34a7e47", "relationship--fd37acab-8903-45ae-8194-47ee81cd0681", "relationship--febf391a-1d95-4d2d-83d6-876b2a7529a8", "relationship--fef6f410-1d0b-4cf0-8b94-1f2ac468c05f", "relationship--ff20c82a-9245-4464-bdc8-4044f8bd9cbb", "relationship--ffb0ef55-8441-40e9-998b-1da68705b412" ], "labels": [ "campaign" ] } ] }