diff --git a/CHANGELOG.md b/CHANGELOG.md index c01dca7e0..633624843 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,9 @@ # Changes Staged on Develop ## Improvements -- Updated Angular from v14 to v17. +- Refactored the `layers/` directory structure to organize Layer File Formats into versioned subdirectories and removed outdated layer samples. See pull request [#649](https://github.com/mitre-attack/attack-navigator/pull/649). - Improved toolbar for better usability. See issue [#534](https://github.com/mitre-attack/attack-navigator/issues/534). +- Updated Angular from v14 to v17. # 5.0.1 - 9 May 2024 @@ -96,7 +97,7 @@ Adds support for ATT&CK v14.0. ## Layer File Format Changes -Layer file format updated to version 4.5. See [layers/LAYERFORMATv4_5.md](layers/LAYERFORMATv4_5.md) for the full specification. +Layer file format updated to version 4.5. See [layer format v4.5](layers/spec/v4.5/layerformat.md) for the full specification. - Added support for selecting only visible techniques. The `selectVisibleTechniques` field specifies whether or not hidden techniques will be included in the different select behaviors. - Added support for configuring how sub-techniques are displayed in the layer with the `expandedSubtechniques` field. This property can be set to `all`, `annotated`, or `none` to expand all sub-techniques, expand only annotated sub-techniques, or collapse all sub-techniques, respectively. 
@@ -130,7 +131,7 @@ Adds support for ATT&CK v13. ## Layer File Format Changes -Layer file format updated to version 4.4. This update adds support for layers created with a custom collection or STIX bundle; the optional `customDataURL` field contains the URL from which custom data was loaded. This update is fully backwards compatible with layer format v4.3 since the added field is optional. See [layers/LAYERFORMATv4_4.md](layers/LAYERFORMATv4_4.md) for the full specification. +Layer file format updated to version 4.4. This update adds support for layers created with a custom collection or STIX bundle; the optional `customDataURL` field contains the URL from which custom data was loaded. This update is fully backwards compatible with layer format v4.3 since the added field is optional. See [layer format v4.4](layers/spec/v4.4/layerformat.md) for the full specification. # 4.7.1 - 8 November 2022 
@@ -215,7 +216,7 @@ Adds support for ATT&CK v11. ## Layer File Format Changes -Updated the Layer File Format to v4.3 which adds a `links` array field to technique objects and to layers. This supports the assignment of hyperlinks to techniques which are accessed in the context menu and to layers which are accessed in the layer information dropdown menu. Link objects must conform to the schema `{"label": string, "url": string}` or `{"divider": boolean}`. A separator is displayed in the technique context menu where the `divider` property occurs in the list of hyperlinks. +Updated the Layer File Format to v4.3 which adds a `links` array field to technique objects and to layers. This supports the assignment of hyperlinks to techniques which are accessed in the context menu and to layers which are accessed in the layer information dropdown menu. Link objects must conform to the schema `{"label": string, "url": string}` or `{"divider": boolean}`. A separator is displayed in the technique context menu where the `divider` property occurs in the list of hyperlinks. See [layer format v4.3](layers/spec/v4.3/layerformat.md) for the full specification. # v4.5.4 - 15 November 2021 @@ -317,7 +318,7 @@ Version 4.4 of the Navigator restores Safari support provided you are using Safa ## Layer File Format Changes -Layer file format updated to version 4.2. This update is fully backwards compatible with the layer format v4.1 since the added fields are optional. See [layers/LAYERFORMATv4_2.md](layers/LAYERFORMATv4_2.md) for the full specification. +Layer file format updated to version 4.2. This update is fully backwards compatible with the layer format v4.1 since the added fields are optional. See [layer format v4.2](layers/spec/v4.2/layerformat.md) for the full specification. This update adds settings for aggregate scores to the layout object of the layer: 
@@ -358,7 +359,7 @@ Refactored the implementation of tabs to reduce performance issues when opening ## Layer File Format Changes -Layer file format updated to version 4.1. This update is fully backwards compatible with layer format v4.0 since the added field is optional. See [layers/LAYERFORMATv4_1.md](layers/LAYERFORMATv4_1.md) for the full specification. +Layer file format updated to version 4.1. This update is fully backwards compatible with layer format v4.0 since the added field is optional. See [layer format v4.1](layers/spec/v4.1/layerformat.md) for the full specification. This update adds an optional `divider` object to the `metadata` format on technique objects. Each object in the metadata array must either be of the schema `{"name": string, "value": string}` or `{"divider": boolean}`. A separator will be displayed in the metadata tooltip where the `divider` property occurs in the list of metadata. @@ -393,7 +394,7 @@ This update adds an optional `divider` object to the `metadata` format on techni ## Layer File Format Changes -Layer file format updated to version 4.0. Older versions can still be loaded in the Navigator, but will no longer display the Pre-ATT&CK domain. See [layers/LAYERFORMATv4.md](layers/LAYERFORMATv4.md) for the full specification. +Layer file format updated to version 4.0. Older versions can still be loaded in the Navigator, but will no longer display the Pre-ATT&CK domain. See [layer format v4.0](layers/spec/v4.0/layerformat.md) for the full specification. - ATT&CK version 8.0 removed the pre-ATT&CK domain, which became two tactics tagged with the `PRE` platform in the Enterprise domain. The `stages` section of filters have been removed to reflect this migration. - Replaced `version` field with `versions` object which specifies the layer format, Navigator, and ATT&CK content versions in support of the mixed domains and versions update. 
@@ -510,7 +511,7 @@ If you want to continue using the non-sub-techniques Navigator, please use the [ ## Layer File Format Changes -Layer file format updated to version 3.0. Older versions can still be loaded in the Navigator, but may have degraded functionality. +Layer file format updated to version 3.0. Older versions can still be loaded in the Navigator, but may have degraded functionality. See [layer format v3.0](layers/spec/v3.0/layerformat.md) for the full specification. - Removed "viewMode" enumeration in favor of "layout" object. viewMode will get parsed into a layout configuration automatically, but the conversion is not perfect since the layouts have changed. - Added "showSubtechniques" field to technique objects. @@ -571,7 +572,7 @@ The "features" structure is used to enable/disable specific Navigator features. ## Layer File Format Changes -Layer file format updated to version 2.2. Older versions can still be loaded in the Navigator, and this update is fully backwards compatible with Version 2.1. See [layers/LAYERFORMATv2_2md](layers/LAYERFORMATv2_2.md) for the full v2.2 specification. +Layer file format updated to version 2.2. Older versions can still be loaded in the Navigator, and this update is fully backwards compatible with Version 2.1. See [layer format v2.2](layers/spec/v2.2/layerformat.md) for the full specification. - Added the following cloud platforms to the set of acceptable enterprise platforms: "AWS", "GCP", "Azure", "Azure AD", "Office 365", "SaaS". - Updated Enterprise and Mobile platforms to match their format as seen elsewhere in ATT&CK. This change is fully backwards compatible, and if the old format is detected it will automatically be updated to the new format. 
@@ -656,7 +657,7 @@ Also, please note that multiple matrices are only supported for `mitre-mobile`, ## Layer File Format Changes -Layer file format updated to version 2.1. This update is fully backwards compatible with layer format v2.0 since all the added fields are optional. See [layers/LAYERFORMATv2_1.md](layers/LAYERFORMATv2_1.md) for the full v2.1 specification. +Layer file format updated to version 2.1. This update is fully backwards compatible with layer format v2.0 since all the added fields are optional. See [layer format v2.1](layers/spec/v2.1/layerformat.md) for the full specification. This update constitutes the addition of `metadata` fields to the layer and technique objects. Metadata can be used to support other applications using the layer format, or to add additional descriptive fields to layers or techniques. Metadata is formatted as an array, and each piece of metadata in the array must conform to the schema `{"name": string, "value": string}`. @@ -716,7 +717,7 @@ This update constitutes the addition of `metadata` fields to the layer and techn ## Layer File Format Changes -Layer file format updated to version 2.0. Older layer versions can still be loaded by the Navigator, however some fields may no longer be supported. See [layers/LAYERFORMATv2.md](layers/LAYERFORMATv2.md) for the full v2.0 specification. +Layer file format updated to version 2.0. Older layer versions can still be loaded by the Navigator, however some fields may no longer be supported. See [layer format v2.0](layers/spec/v2.0/layerformat.md) for the full specification. - Replaced the `viewFullTable` field (boolean) with the `viewMode` field (number) in order to support the "super compact" view option. See issue [#11](https://github.com/mitre-attack/attack-navigator/issues/11). - If `viewFullTable` is present in a layer file uploaded to the v2.0 Navigator it will be ignored. diff --git a/Dockerfile b/Dockerfile index 173243fc1..a5ee21325 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,9 +14,11 @@ RUN npm install # copy over needed files COPY ./nav-app/ ./ +# copy layers directory WORKDIR /src -COPY layers/*.md ./layers/ +COPY layers/ ./layers/ +# copy markdown files from root COPY *.md ./ WORKDIR /src/nav-app diff --git a/README.md b/README.md index 4c5689544..3677869a3 100755 --- a/README.md +++ b/README.md @@ -238,7 +238,7 @@ Local files to load should be placed in the `nav-app/src/assets/` directory. "enabled": true, "urls": [ "assets/example.json", - "https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json" + "https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json" ] } ``` @@ -276,7 +276,7 @@ If you want to embed the Navigator in a webpage, use an iframe: If you want to embed a version of the Navigator with specific features removed (e.g tabs, adding annotations), or with a default layer, we recommend using the _create customized Navigator_ feature. We highly recommend disabling the "leave site dialog" via this means when embedding the Navigator since otherwise you will be warned whenever you try to leave the embedding page. Refer to the in-application help page section "Customizing the Navigator" for more details. -The following is an example iframe which embeds our [*Bear APTs](layers/data/samples/Bear_APT.json) layer with tabs and the ability to add annotations removed: +The following is an example iframe which embeds our [*Bear APTs](layers/samples/Bear_APT.json) layer with tabs and the ability to add annotations removed: ```HTML diff --git a/USAGE.md b/USAGE.md index 10a2828d1..de26c580a 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -45,8 +45,9 @@ Each layer created is independent of other layers. However, layers can be combined in ways to support analysis, or saved locally. Layer files are saved in easy to parse and easy to generate JSON file so that ATT&CK data can be used in other applications, analyzed beyond the capability of the ATT&CK Navigator, and -generated by tools for import into the Navigator. The Layer file format is -described here. +generated by tools for import into the Navigator. + +*See the latest Layer File Format Definition for the full specification.* ## Creating New Layers diff --git a/layers/README.md b/layers/README.md index 7d284736c..73965f4f0 100755 --- a/layers/README.md +++ b/layers/README.md 
@@ -2,23 +2,8 @@ A layer constitutes a set of annotations on the ATT&CK matrix for a specific technology domain. Layers can also store a default configuration of the view such as sorting, visible platforms, and more. The ATT&CK Navigator includes functionalities for exporting annotations into layer files, as well as the ability to import layer files for viewing. -See the [layer format specification](LAYERFORMATv4.md) for more information about Layer files. +See the latest [layer format specification](spec/v4.5/layerformat.md) for more information about Layer files. ## Sample Layers -This repository includes [several layers demonstrating example use cases of layers and the ATT&CK Navigator](data/samples). The scripts used to generate these layer files can be found on our [attack-scripts repository here](https://github.com/mitre-attack/attack-scripts/tree/master/scripts/layers/samples) to serve as an example on how to access and work with the [the source data on our MITRE/CTI repo](https://github.com/mitre/cti). - -Lastly, we've included [a tutorial on the programmatic generation of layers from CSV](attack_layers). - -Feel free to come up with your own ideas for layer file generation, and contribute them to the community by making a pull request to the ATT&CK Navigator! - -## Layers showing updates to the ATT&CK knowledge base - -[Updates to the ATT&CK knowledge base](https://attack.mitre.org/resources/updates/) are typically accompanied by layer files showing changes to techniques. Layers for relevant updates can be found in the [data/update_layers](data/update_layers) folder. The script used to generate these update layers [can be found in our attack-scripts repository](https://github.com/mitre-attack/attack-scripts/blob/master/scripts/diff_stix.py). - -## Updating outdated layers - -The sub-techniques update of ATT&CK caused many techniques to be replaced by sub-techniques. 
Since the replacing sub-techniques have different IDs, many layers created before the sub-technques release will still be using IDs for the replaced techniques and therefore won't work properly in the new version even if the annotation format is correct. [update-layers.py](update-layers.py) is a conversion script which both updates layers to the most recent format and also updates technique IDs that of their replacers where possible. There are however a few cases which won't be caught: -1. Cases where techniques which have been replaced by multiple sub-techniques are ignored entirely due to limitations in the remapping data. -2. Cases where the `tactic` field was present but the replacing technique is not in that tactic. -Run `python3 update-layers.py -h` for usage instructions. \ No newline at end of file +This repository includes a couple of [sample layers](samples/) demonstrating example use cases of layers and the ATT&CK Navigator. The scripts used to generate these layer files can be found in the [mitreattack-python repository](https://github.com/mitre-attack/attack-scripts/tree/master/scripts/layers/samples). These scripts may serve as examples on how to access and work with [ATT&CK data](https://github.com/mitre/cti). diff --git a/layers/attack_layers/README.md b/layers/attack_layers/README.md deleted file mode 100644 index 69d499594..000000000 --- a/layers/attack_layers/README.md +++ /dev/null 
@@ -1,39 +0,0 @@ -## Simple Example - -The script **attack_layers_simple.py** generates layer files based on the contents of a CSV file. CSV files with pre-calculated data can be ingested and used to apply evaluation criteria - in this case an arbitrary formula - to every ATT&CK technique. - -It's important to emphasize that the scores generated here are **arbitrary**! This formula is used just for the purpose of this script, to provide an example of how to add scores to techniques. We also chose to supply **software**, **groups**, and **references** via CSV file for the purposes of this script to create the scores, but any data or metadata related to ATT&CK techniques may be supplied or used to add scores and other fields to the layer files. - -The code excerpt below shows how **attack_layers_simple.py** adds scores to techniques: - -```python -# parse csv file, calculating a score for each technique and adding that to the layer -with open(args.input_fn, "rb") as csvfile: - reader = csv.DictReader(csvfile, delimiter=",") - for row in reader: - # score each technique based on a simple formula - technique = { - "techniqueID": row["TechID"], - "score": (int(row["Software"]) + int(row["Groups"]))*2 + int(row["References"]) - } - - layer_json["techniques"].append(technique) - -``` - -**attack_layers_simple.py** adds all of the required layer fields as outlined in **LAYERFORMATv2_2.md**. Additionally, a *gradient* field is added that specifies a color range that will be applied to the techniques based on their scores. In **attack_layers_simple.py**, we specify min/max values that match the min/max of the set of technique scores that were calculated. 
- - -```python -# add a color gradient (white -> red) to layer, ranging -# from zero (white) to the maximum score in the file (red) -layer_json["gradient"] = { - "colors": [ - "#ffffff", # White - "#ff6666" # Red - ], - "minValue": 0, - "maxValue": max([technique["score"] for technique in layer_json["techniques"]]) -} -``` -See **data/csv** for an example csv file that can be ingested by **attack_layers_simple.py** (simple_input.csv) and **data/samples** to view a layer file output by this code (heatmap_layer.json). \ No newline at end of file diff --git a/layers/attack_layers/attack_layers_simple.py b/layers/attack_layers/attack_layers_simple.py deleted file mode 100755 index 13572e4c0..000000000 --- a/layers/attack_layers/attack_layers_simple.py +++ /dev/null 
@@ -1,69 +0,0 @@ -# attack_layers_simple.py - the "hello, world" for ATT&CK Navigator layer generation -# Takes a simple CSV file containing ATT&CK technique IDs and counts of groups, software and articles/reports that reference this technique -# and generates an ATT&CK Navigator layer file with techniques scored and color-coded based on an algorithm -# This sample is intended to demonstrate generating layers from external data sources such as CSV files. - -import argparse -import csv -import json -import sys - -# Static ATT&CK Navigator layer JSON fields -LAYER_VERSION = "2.2" -NAV_VERSION = "2.3.2" -NAME = "example" -DESCRIPTION = "hello, world" -DOMAIN = "enterprise-attack" - -# Main -def main(): - - # handle arguments - parser = argparse.ArgumentParser() - parser.add_argument("-i", "--input", action="store", dest="input_fn", default="attack.csv", - required=True, help="input ATT&CK csv file with tactic ID, groups, software, etc... fields") - - args = parser.parse_args() - - # Base ATT&CK Navigator layer - layer_json = { - "versions": { - "layer": VERSION, - "navigator": NAV_VERSION - }, - "name": NAME, - "description": DESCRIPTION, - "domain": DOMAIN, - "techniques": [] - } - - # parse csv file, calculating a score for each technique and adding that to the layer - with open(args.input_fn, "rb") as csvfile: - reader = csv.DictReader(csvfile, delimiter=",") - for row in reader: - # score each technique based on a simple formula - technique = { - "techniqueID": row["TechID"], - "score": (int(row["Software"]) + int(row["Groups"]))*2 + int(row["References"]) - } - - layer_json["techniques"].append(technique) - - - # add a color gradient (white -> red) to layer - # ranging from zero (white) to the maximum score in the file (red) - layer_json["gradient"] = { - "colors": [ - "#ffffff", - "#ff6666" - ], - "minValue": 0, - "maxValue": max([technique["score"] for technique in layer_json["techniques"]]) - } - - # output JSON - json.dump(layer_json, sys.stdout, indent=4) - 
- -if __name__ == "__main__": - main() diff --git a/layers/data/csv/simple_input.csv b/layers/data/csv/simple_input.csv deleted file mode 100755 index 1ee41ad63..000000000 --- a/layers/data/csv/simple_input.csv +++ /dev/null 
@@ -1,189 +0,0 @@ -TechID,Software,Groups,References -T1001,12,2,15 -T1002,6,10,25 -T1003,26,21,66 -T1004,1,0,5 -T1005,9,9,26 -T1006,0,0,7 -T1007,11,5,19 -T1008,13,2,13 -T1009,3,2,10 -T1010,4,1,11 -T1011,1,0,1 -T1012,12,4,23 -T1013,0,0,4 -T1014,4,2,14 -T1015,0,4,15 -T1016,30,11,40 -T1017,0,1,1 -T1018,9,6,20 -T1019,2,0,9 -T1020,4,0,9 -T1021,2,3,5 -T1022,11,6,26 -T1023,11,0,16 -T1024,22,2,26 -T1025,9,2,15 -T1026,2,1,4 -T1027,32,10,50 -T1028,1,1,5 -T1029,2,0,3 -T1030,2,1,4 -T1031,4,0,7 -T1032,28,7,37 -T1033,23,9,37 -T1034,1,0,13 -T1035,8,0,15 -T1036,21,11,41 -T1037,1,0,6 -T1038,5,1,18 -T1039,3,3,10 -T1040,2,1,8 -T1041,7,5,9 -T1042,0,0,8 -T1043,23,5,25 -T1044,1,0,7 -T1045,5,5,15 -T1046,6,5,15 -T1047,6,6,17 -T1048,5,2,9 -T1049,12,8,25 -T1050,22,3,38 -T1051,0,0,0 -T1052,4,0,6 -T1053,16,12,46 -T1054,0,0,0 -T1055,18,1,45 -T1056,31,9,49 -T1057,35,12,51 -T1058,1,0,5 -T1059,37,15,55 -T1060,39,11,57 -T1061,0,0,5 -T1062,0,0,4 -T1063,19,2,24 -T1064,5,14,21 -T1065,4,4,9 -T1066,3,4,10 -T1067,4,2,7 -T1068,6,4,17 -T1069,8,4,15 -T1070,5,4,9 -T1071,41,9,47 -T1072,1,1,2 -T1073,8,3,13 -T1074,15,7,26 -T1075,3,3,7 -T1076,1,11,18 -T1077,8,6,25 -T1078,4,15,26 -T1079,3,0,7 -T1080,2,1,8 -T1081,6,2,12 -T1082,40,12,55 -T1083,39,11,53 -T1084,2,1,7 -T1085,16,4,21 -T1086,11,18,36 -T1087,14,9,25 -T1088,9,3,21 -T1089,10,5,15 -T1090,11,4,18 -T1091,8,3,17 -T1092,2,1,6 -T1093,5,1,13 -T1094,5,3,10 -T1095,13,1,16 -T1096,2,0,9 -T1097,2,1,14 -T1098,2,1,7 -T1099,13,3,24 -T1100,5,6,8 -T1101,1,0,3 -T1102,11,4,16 -T1103,2,0,9 -T1104,2,1,4 -T1105,40,14,51 -T1106,5,0,12 -T1107,34,14,56 -T1108,2,4,11 -T1109,0,1,1 -T1110,1,5,8 -T1111,1,0,8 -T1112,11,0,17 -T1113,23,6,36 -T1114,4,2,11 -T1115,4,0,11 -T1116,7,6,20 -T1117,2,2,7 -T1118,0,0,1 -T1119,5,4,14 -T1120,9,3,17 -T1121,0,0,2 -T1122,4,1,12 -T1123,4,0,9 -T1124,6,2,16 -T1125,2,0,7 -T1126,1,1,7 -T1127,1,0,14 -T1128,1,0,6 -T1129,0,0,1 -T1130,2,0,7 -T1131,1,0,4 -T1132,14,2,15 -T1133,0,5,8 -T1134,3,2,16 -T1135,3,2,12 -T1136,4,2,6 -T1137,0,1,9 -T1138,0,1,3 -T1139,0,0,1 
-T1140,3,3,10 -T1141,0,0,2 -T1142,0,0,2 -T1143,0,0,1 -T1144,0,0,4 -T1145,1,0,4 -T1146,0,0,1 -T1147,0,0,1 -T1148,0,0,1 -T1149,0,0,2 -T1150,0,0,1 -T1151,0,0,1 -T1152,0,0,1 -T1153,0,0,0 -T1154,0,0,0 -T1155,0,0,1 -T1156,0,0,0 -T1157,0,0,2 -T1158,1,0,3 -T1159,1,0,8 -T1160,0,0,4 -T1161,0,0,2 -T1162,0,0,5 -T1163,0,0,2 -T1164,0,0,2 -T1165,0,0,2 -T1166,0,0,0 -T1167,0,0,3 -T1168,1,0,7 -T1169,0,0,1 -T1170,0,1,7 -T1171,1,0,8 -T1172,1,1,3 -T1173,1,2,10 -T1174,1,0,4 -T1175,1,0,12 -T1176,0,0,10 -T1177,1,0,8 -T1178,1,0,11 -T1179,1,0,15 -T1180,1,0,3 -T1181,1,0,12 -T1182,0,0,6 -T1183,0,0,9 -T1184,0,0,5 -T1185,1,0,4 -T1186,0,0,11 -T1187,0,1,7 -T1188,1,1,2 diff --git a/layers/data/samples/APT3_+_APT29_with_software.json b/layers/data/samples/APT3_+_APT29_with_software.json deleted file mode 100644 index a5f6e2de5..000000000 --- a/layers/data/samples/APT3_+_APT29_with_software.json +++ /dev/null 
@@ -1,687 +0,0 @@ -{ - "name": "APT3 + APT29 with software", - "version": "3.0", - "description": "This layer shows techniques (including techniques from software used by the groups) used by APT3 only in blue, APT29 only in yellow, and both APT3 and APT29 in green.", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1569.002", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, RemoteCMD, PsExec" - }, - { - "techniqueID": "T1053.005", - "color": "#74c476", - "comment": "used by APT3, APT29, schtasks, CozyCar, RemoteCMD, CosmicDuke" - }, - { - "techniqueID": "T1105", - "color": "#74c476", - "comment": "used by APT3, APT29, POSHSPY, CloudDuke, PowerDuke, MiniDuke, SeaDuke, PlugX, RemoteCMD" - }, - { - "techniqueID": "T1074.001", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1087.001", - "color": "#74c476", - "comment": "used by APT3, APT29, SHOTPUT, GeminiDuke, OSInfo" - }, - { - "techniqueID": "T1056.001", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PlugX, CosmicDuke" - }, - { - "techniqueID": "T1016", - "color": "#74c476", - "comment": "used by APT3, APT29, GeminiDuke, OSInfo, PowerDuke" - }, - { - "techniqueID": "T1546.008", - "color": "#74c476", - "comment": "used by APT3, APT29" - }, - { - "techniqueID": "T1021.001", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike" - }, - { - "techniqueID": "T1005", - "color": "#74c476", - "comment": "used by APT3, APT29, PinchDuke, Cobalt Strike, CosmicDuke" - }, - { - "techniqueID": "T1083", - "color": "#74c476", - "comment": "used by APT3, APT29, CosmicDuke, PinchDuke, PowerDuke, GeminiDuke, SHOTPUT, PlugX" - }, - { - "techniqueID": "T1090.002", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1018", - "color": "#74c476", - "comment": "used by APT3, APT29, SHOTPUT, Cobalt Strike, OSInfo" - }, - { - "techniqueID": "T1059.003", - "color": "#74c476", - "comment": "used by 
APT3, APT29, Cobalt Strike, PowerDuke, SeaDuke, CozyCar, PlugX" - }, - { - "techniqueID": "T1078.002", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike" - }, - { - "techniqueID": "T1069", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1057", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PowerDuke, GeminiDuke, SHOTPUT, PlugX" - }, - { - "techniqueID": "T1003.001", - "color": "#74c476", - "comment": "used by APT3, APT29, CozyCar, LaZagne, Mimikatz" - }, - { - "techniqueID": "T1059.001", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, SeaDuke, POSHSPY, HAMMERTOSS" - }, - { - "techniqueID": "T1543.003", - "color": "#74c476", - "comment": "used by APT3, APT29, CozyCar, Cobalt Strike, PlugX, CosmicDuke" - }, - { - "techniqueID": "T1104", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1049", - "color": "#6baed6", - "comment": "used by APT3, SHOTPUT, PlugX, OSInfo" - }, - { - "techniqueID": "T1041", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1218.011", - "color": "#74c476", - "comment": "used by APT3, APT29, CozyCar, PowerDuke" - }, - { - "techniqueID": "T1106", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PlugX" - }, - { - "techniqueID": "T1140", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1574.002", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1071.001", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, CloudDuke, CosmicDuke, PinchDuke, OnionDuke, GeminiDuke, MiniDuke, SeaDuke, CozyCar, PlugX, HAMMERTOSS" - }, - { - "techniqueID": "T1113", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PlugX, CosmicDuke" - }, - { - "techniqueID": "T1112", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1012", - "color": "#6baed6", - 
"comment": "used by APT3, PlugX, OSInfo" - }, - { - "techniqueID": "T1102.001", - "color": "#74c476", - "comment": "used by APT3, APT29, MiniDuke, PlugX" - }, - { - "techniqueID": "T1036.004", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1095", - "color": "#74c476", - "comment": "used by APT3, APT29, PlugX" - }, - { - "techniqueID": "T1547.001", - "color": "#74c476", - "comment": "used by APT3, APT29, CozyCar, PlugX, SeaDuke, PowerDuke" - }, - { - "techniqueID": "T1135", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PlugX, OSInfo" - }, - { - "techniqueID": "T1497.001", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1071.004", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PlugX" - }, - { - "techniqueID": "T1127.001", - "color": "#6baed6", - "comment": "used by APT3, PlugX" - }, - { - "techniqueID": "T1027.002", - "color": "#74c476", - "comment": "used by APT3, APT29, SeaDuke" - }, - { - "techniqueID": "T1027", - "color": "#74c476", - "comment": "used by APT3, APT29, SHOTPUT, CozyCar, POSHSPY" - }, - { - "techniqueID": "T1033", - "color": "#74c476", - "comment": "used by APT3, APT29, PowerDuke" - }, - { - "techniqueID": "T1136.001", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1560.001", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1027.005", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike" - }, - { - "techniqueID": "T1087.002", - "color": "#6baed6", - "comment": "used by APT3, OSInfo" - }, - { - "techniqueID": "T1069.001", - "color": "#6baed6", - "comment": "used by APT3, OSInfo" - }, - { - "techniqueID": "T1082", - "color": "#74c476", - "comment": "used by APT3, APT29, CozyCar, PinchDuke, OSInfo, PowerDuke" - }, - { - "techniqueID": "T1069.002", - "color": "#6baed6", - "comment": "used by APT3, OSInfo" - }, - { - "techniqueID": "T1098", - "color": 
"#74c476", - "comment": "used by APT3, APT29, Mimikatz" - }, - { - "techniqueID": "T1021.002", - "color": "#74c476", - "comment": "used by APT3, APT29, Cobalt Strike, PsExec" - }, - { - "techniqueID": "T1110.002", - "color": "#6baed6", - "comment": "used by APT3" - }, - { - "techniqueID": "T1070.004", - "color": "#74c476", - "comment": "used by APT3, APT29, SeaDuke, SDelete, PowerDuke" - }, - { - "techniqueID": "T1555", - "color": "#74c476", - "comment": "used by APT3, APT29, PinchDuke, LaZagne, Mimikatz, CosmicDuke" - }, - { - "techniqueID": "T1555.003", - "color": "#74c476", - "comment": "used by APT3, APT29, PinchDuke, LaZagne, Mimikatz, CosmicDuke" - }, - { - "techniqueID": "T1552.001", - "color": "#6baed6", - "comment": "used by APT3, LaZagne" - }, - { - "techniqueID": "T1003.004", - "color": "#74c476", - "comment": "used by APT3, APT29, LaZagne, Mimikatz, CosmicDuke" - }, - { - "techniqueID": "T1003.005", - "color": "#6baed6", - "comment": "used by APT3, LaZagne" - }, - { - "techniqueID": "T1555.001", - "color": "#6baed6", - "comment": "used by APT3, LaZagne" - }, - { - "techniqueID": "T1003.007", - "color": "#6baed6", - "comment": "used by APT3, LaZagne" - }, - { - "techniqueID": "T1003.008", - "color": "#6baed6", - "comment": "used by APT3, LaZagne" - }, - { - "techniqueID": "T1564.003", - "color": "#74c476", - "comment": "used by APT3, APT29, HAMMERTOSS" - }, - { - "techniqueID": "T1203", - "color": "#fce93b", - "comment": "used by APT29" - }, - { - "techniqueID": "T1548.002", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1204.002", - "color": "#fce93b", - "comment": "used by APT29" - }, - { - "techniqueID": "T1546.003", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke, POSHSPY" - }, - { - "techniqueID": "T1090.004", - "color": "#fce93b", - "comment": "used by APT29, meek" - }, - { - "techniqueID": "T1003", - "color": "#fce93b", - "comment": "used by APT29, PinchDuke, OnionDuke" - }, - { - 
"techniqueID": "T1090.003", - "color": "#fce93b", - "comment": "used by APT29, Tor" - }, - { - "techniqueID": "T1566.001", - "color": "#fce93b", - "comment": "used by APT29" - }, - { - "techniqueID": "T1573.002", - "color": "#fce93b", - "comment": "used by APT29, Tor, POSHSPY" - }, - { - "techniqueID": "T1102.002", - "color": "#fce93b", - "comment": "used by APT29, CozyCar, CloudDuke" - }, - { - "techniqueID": "T1518.001", - "color": "#fce93b", - "comment": "used by APT29, CozyCar" - }, - { - "techniqueID": "T1036.003", - "color": "#fce93b", - "comment": "used by APT29, CozyCar" - }, - { - "techniqueID": "T1003.002", - "color": "#fce93b", - "comment": "used by APT29, CozyCar, Cobalt Strike, Mimikatz, CosmicDuke" - }, - { - "techniqueID": "T1497", - "color": "#fce93b", - "comment": "used by APT29, CozyCar" - }, - { - "techniqueID": "T1047", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1550.003", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke, Mimikatz" - }, - { - "techniqueID": "T1564.004", - "color": "#fce93b", - "comment": "used by APT29, PowerDuke" - }, - { - "techniqueID": "T1010", - "color": "#fce93b", - "comment": "used by APT29, PowerDuke" - }, - { - "techniqueID": "T1124", - "color": "#fce93b", - "comment": "used by APT29, PowerDuke" - }, - { - "techniqueID": "T1485", - "color": "#fce93b", - "comment": "used by APT29, SDelete, PowerDuke" - }, - { - "techniqueID": "T1027.003", - "color": "#fce93b", - "comment": "used by APT29, PowerDuke" - }, - { - "techniqueID": "T1553.002", - "color": "#fce93b", - "comment": "used by APT29, SDelete" - }, - { - "techniqueID": "T1007", - "color": "#fce93b", - "comment": "used by APT29, GeminiDuke" - }, - { - "techniqueID": "T1566.002", - "color": "#fce93b", - "comment": "used by APT29" - }, - { - "techniqueID": "T1020", - "color": "#fce93b", - "comment": "used by APT29, CosmicDuke" - }, - { - "techniqueID": "T1025", - "color": "#fce93b", - "comment": "used by APT29, 
CosmicDuke" - }, - { - "techniqueID": "T1114.001", - "color": "#fce93b", - "comment": "used by APT29, CosmicDuke" - }, - { - "techniqueID": "T1068", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike, CosmicDuke" - }, - { - "techniqueID": "T1573.001", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke, HAMMERTOSS, CosmicDuke" - }, - { - "techniqueID": "T1039", - "color": "#fce93b", - "comment": "used by APT29, CosmicDuke" - }, - { - "techniqueID": "T1048.003", - "color": "#fce93b", - "comment": "used by APT29, CosmicDuke" - }, - { - "techniqueID": "T1115", - "color": "#fce93b", - "comment": "used by APT29, CosmicDuke" - }, - { - "techniqueID": "T1008", - "color": "#fce93b", - "comment": "used by APT29, MiniDuke" - }, - { - "techniqueID": "T1102.003", - "color": "#fce93b", - "comment": "used by APT29, HAMMERTOSS, OnionDuke" - }, - { - "techniqueID": "T1001.002", - "color": "#fce93b", - "comment": "used by APT29, HAMMERTOSS" - }, - { - "techniqueID": "T1567.002", - "color": "#fce93b", - "comment": "used by APT29, HAMMERTOSS" - }, - { - "techniqueID": "T1547.005", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1134.005", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1550.002", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike, Mimikatz" - }, - { - "techniqueID": "T1207", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1552.004", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1558.002", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1558.001", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1003.006", - "color": "#fce93b", - "comment": "used by APT29, Mimikatz" - }, - { - "techniqueID": "T1030", - "color": "#fce93b", - "comment": "used by APT29, POSHSPY" - }, - { - "techniqueID": 
"T1070.006", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike, POSHSPY" - }, - { - "techniqueID": "T1568.002", - "color": "#fce93b", - "comment": "used by APT29, POSHSPY" - }, - { - "techniqueID": "T1570", - "color": "#fce93b", - "comment": "used by APT29, PsExec" - }, - { - "techniqueID": "T1029", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1046", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1078.003", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1021.006", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1021.004", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1090.001", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1572", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1055", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1134.001", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1185", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1197", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1055.012", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1021.003", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1134.004", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1134.003", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1071", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1059.005", - "color": "#fce93b", - 
"comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1059.006", - "color": "#fce93b", - "comment": "used by APT29, Cobalt Strike" - }, - { - "techniqueID": "T1560.002", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke" - }, - { - "techniqueID": "T1547.009", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke" - }, - { - "techniqueID": "T1078", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke" - }, - { - "techniqueID": "T1132.001", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke" - }, - { - "techniqueID": "T1114.002", - "color": "#fce93b", - "comment": "used by APT29, SeaDuke" - } - ], - "legendItems": [ - { - "label": "Used by APT3 or a software APT3 uses", - "color": "#6baed6" - }, - { - "label": "Used by APT29 or a software APT29 uses", - "color": "#fce93b" - }, - { - "label": "Used by both APT3 or a softare APT3 uses and APT29 or a software APT29 uses", - "color": "#74c476" - } - ] -} \ No newline at end of file diff --git a/layers/data/samples/APT3_+_APT29_with_software_and_notional_no_detection.json b/layers/data/samples/APT3_+_APT29_with_software_and_notional_no_detection.json deleted file mode 100644 index 3d1d47f86..000000000 --- a/layers/data/samples/APT3_+_APT29_with_software_and_notional_no_detection.json +++ /dev/null 
@@ -1,691 +0,0 @@ -{ - "name": "APT3 + APT29 with software and notional no detection", - "version": "3.0", - "description": "This layer shows techniques (including techniques from software used by the groups) used by APT3 only in blue, APT29 only in yellow, and both APT3 and APT29 in green. The techniques in red denote techniques considered undetectable by a notional organization because they have no data-sources. Disclaimer: Data-sources in ATT&CK are sources of information that COULD be used to identify adversary actions, however the exactness of that evidence varies greatly. Therefore the presence of a data source for technique should only be considered a potential metric for detectability.", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1569.002", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1053.005", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process command-line parameters, Process monitoring, Windows event logs" - }, - { - "techniqueID": "T1105", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring" - }, - { - "techniqueID": "T1074.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, File monitoring" - }, - { - "techniqueID": "T1087.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": 
"T1056.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, Process monitoring, API monitoring" - }, - { - "techniqueID": "T1016", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1546.008", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, File monitoring, Windows Registry" - }, - { - "techniqueID": "T1021.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Netflow/Enclave netflow, Authentication logs" - }, - { - "techniqueID": "T1005", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1083", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1090.002", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process use of network, Process monitoring, Network protocol analysis, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1018", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Network protocol analysis, Process monitoring, Process use of network, Process command-line parameters" - }, - { - "techniqueID": "T1059.003", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has 
data-sources Windows event logs, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1078.002", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Process monitoring" - }, - { - "techniqueID": "T1069", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1057", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1003.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, PowerShell logs, Process monitoring" - }, - { - "techniqueID": "T1059.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Windows event logs, Process monitoring, Process command-line parameters, PowerShell logs, Loaded DLLs, File monitoring, DLL monitoring" - }, - { - "techniqueID": "T1543.003", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Windows event logs, Process command-line parameters, Process monitoring, File monitoring, Windows Registry" - }, - { - "techniqueID": "T1104", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Netflow/Enclave netflow, Network device logs, Network protocol analysis, Packet capture, Process use of network" - }, - { - "techniqueID": "T1049", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line 
parameters" - }, - { - "techniqueID": "T1041", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Packet capture, Process use of network, Netflow/Enclave netflow, Process monitoring" - }, - { - "techniqueID": "T1218.011", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1106", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources System calls, Loaded DLLs, API monitoring, Process monitoring" - }, - { - "techniqueID": "T1140", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1574.002", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Loaded DLLs, Process monitoring, Process use of network" - }, - { - "techniqueID": "T1071.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Network protocol analysis, Process monitoring, Process use of network, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1113", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, File monitoring" - }, - { - "techniqueID": "T1112", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs" - }, - { - "techniqueID": "T1012", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Windows 
Registry, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1102.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection" - }, - { - "techniqueID": "T1036.004", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, Process monitoring, Process command-line parameters, Windows event logs" - }, - { - "techniqueID": "T1095", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network" - }, - { - "techniqueID": "T1547.001", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, File monitoring" - }, - { - "techniqueID": "T1135", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, Network protocol analysis, Process use of network" - }, - { - "techniqueID": "T1497.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1071.004", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources DNS records, Netflow/Enclave netflow, Process monitoring, Process use of network, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1127.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring" - }, - { - "techniqueID": "T1027.002", 
- "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Binary file metadata" - }, - { - "techniqueID": "T1027", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection" - }, - { - "techniqueID": "T1033", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1136.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, Authentication logs, Windows event logs" - }, - { - "techniqueID": "T1560.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, File monitoring, Binary file metadata" - }, - { - "techniqueID": "T1027.005", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata" - }, - { - "techniqueID": "T1087.002", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1069.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1082", - 
"color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1069.002", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1098", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Windows event logs" - }, - { - "techniqueID": "T1021.002", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, Authentication logs, Process use of network" - }, - { - "techniqueID": "T1110.002", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Office 365 account logs" - }, - { - "techniqueID": "T1070.004", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Binary file metadata, Process command-line parameters, File monitoring" - }, - { - "techniqueID": "T1555", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources PowerShell logs, API monitoring, File monitoring, Process monitoring, System calls" - }, - { - "techniqueID": "T1555.003", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, API monitoring, PowerShell logs, Process monitoring" - }, - { - "techniqueID": "T1552.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, File monitoring" - }, - { - "techniqueID": 
"T1003.004", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, PowerShell logs, Process command-line parameters" - }, - { - "techniqueID": "T1003.005", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources PowerShell logs, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1555.001", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources PowerShell logs, Process monitoring, File monitoring, System calls, API monitoring" - }, - { - "techniqueID": "T1003.007", - "color": "#6baed6", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring" - }, - { - "techniqueID": "T1003.008", - "color": "#fc3b3b", - "comment": "considered undetectable by a notional organization because it has no data-sources" - }, - { - "techniqueID": "T1564.003", - "color": "#74c476", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters, PowerShell logs" - }, - { - "techniqueID": "T1203", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Anti-virus, System calls, Process monitoring" - }, - { - "techniqueID": "T1548.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Windows Registry, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1204.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Anti-virus, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1546.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has 
data-sources Process command-line parameters, Process monitoring, WMI Objects" - }, - { - "techniqueID": "T1090.004", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources SSL/TLS inspection, Packet capture" - }, - { - "techniqueID": "T1003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, PowerShell logs, Process command-line parameters" - }, - { - "techniqueID": "T1090.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Network protocol analysis, Netflow/Enclave netflow" - }, - { - "techniqueID": "T1566.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server" - }, - { - "techniqueID": "T1573.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process use of network, Malware reverse engineering, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1102.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection" - }, - { - "techniqueID": "T1518.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Stackdriver logs, Azure activity logs, AWS CloudTrail logs, File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1036.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line 
parameters, Binary file metadata" - }, - { - "techniqueID": "T1003.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, PowerShell logs, Process monitoring" - }, - { - "techniqueID": "T1497", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1047", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1550.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs" - }, - { - "techniqueID": "T1564.004", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, API monitoring, File monitoring" - }, - { - "techniqueID": "T1010", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1124", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, API monitoring" - }, - { - "techniqueID": "T1485", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process command-line parameters, Process monitoring" - }, - { - "techniqueID": "T1027.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Binary file metadata" - }, - { - "techniqueID": "T1553.002", - "color": "#fce93b", - "comment": 
"considered detectable by a notional organization because it has data-sources Binary file metadata" - }, - { - "techniqueID": "T1007", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1566.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server" - }, - { - "techniqueID": "T1020", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process use of network" - }, - { - "techniqueID": "T1025", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1114.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, File monitoring, Authentication logs, Mail server" - }, - { - "techniqueID": "T1068", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Windows Error Reporting, Process monitoring, Application logs" - }, - { - "techniqueID": "T1573.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources SSL/TLS inspection, Process monitoring, Process use of network, Malware reverse engineering, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1039", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1048.003", - "color": "#fce93b", - "comment": 
"considered detectable by a notional organization because it has data-sources Network protocol analysis, Netflow/Enclave netflow, Packet capture, Process use of network" - }, - { - "techniqueID": "T1115", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring" - }, - { - "techniqueID": "T1008", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network" - }, - { - "techniqueID": "T1102.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection" - }, - { - "techniqueID": "T1001.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Packet capture, Process use of network, Process monitoring, Network protocol analysis" - }, - { - "techniqueID": "T1567.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis, SSL/TLS inspection" - }, - { - "techniqueID": "T1547.005", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources DLL monitoring, Windows Registry, Loaded DLLs" - }, - { - "techniqueID": "T1134.005", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Windows event logs, Authentication logs, API monitoring" - }, - { - "techniqueID": "T1550.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs" - }, - { - "techniqueID": "T1207", 
- "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Authentication logs, Network protocol analysis, Packet capture" - }, - { - "techniqueID": "T1552.004", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring" - }, - { - "techniqueID": "T1558.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Windows event logs" - }, - { - "techniqueID": "T1558.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Windows event logs" - }, - { - "techniqueID": "T1003.006", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Windows event logs" - }, - { - "techniqueID": "T1030", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring" - }, - { - "techniqueID": "T1070.006", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, File monitoring" - }, - { - "techniqueID": "T1568.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources DNS records, Netflow/Enclave netflow, Network device logs, Packet capture, Process use of network" - }, - { - "techniqueID": "T1570", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring" - }, - { - "techniqueID": "T1029", - "color": "#fce93b", - 
"comment": "considered detectable by a notional organization because it has data-sources Netflow/Enclave netflow, Process use of network, Process monitoring" - }, - { - "techniqueID": "T1046", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network" - }, - { - "techniqueID": "T1078.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs" - }, - { - "techniqueID": "T1021.006", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, Netflow/Enclave netflow, Authentication logs, File monitoring" - }, - { - "techniqueID": "T1021.004", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Process use of network, Network protocol analysis, Netflow/Enclave netflow" - }, - { - "techniqueID": "T1090.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process use of network, Process monitoring, Network protocol analysis, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1572", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Network protocol analysis, Process monitoring, Process use of network, Netflow/Enclave netflow, Packet capture" - }, - { - "techniqueID": "T1055", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, File monitoring, DLL monitoring, Process monitoring, Named Pipes" - }, - { - "techniqueID": "T1134.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization 
because it has data-sources Process command-line parameters, Process monitoring, Access tokens, API monitoring" - }, - { - "techniqueID": "T1185", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Packet capture, Process monitoring, API monitoring" - }, - { - "techniqueID": "T1197", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters, Packet capture, Windows event logs" - }, - { - "techniqueID": "T1055.012", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, API monitoring" - }, - { - "techniqueID": "T1021.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Windows event logs, Windows Registry, Process monitoring, Packet capture, DLL monitoring, Authentication logs, API monitoring, PowerShell logs" - }, - { - "techniqueID": "T1134.004", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources API monitoring, Process monitoring, Windows event logs" - }, - { - "techniqueID": "T1134.003", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process command-line parameters, Process monitoring, Access tokens, API monitoring" - }, - { - "techniqueID": "T1071", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources DNS records, Network protocol analysis, Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring" - }, - { - "techniqueID": "T1059.005", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources DLL monitoring, Loaded DLLs, File monitoring, Process monitoring, Process 
command-line parameters" - }, - { - "techniqueID": "T1059.006", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources System calls, Process monitoring, Process command-line parameters, API monitoring" - }, - { - "techniqueID": "T1560.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1547.009", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources File monitoring, Process monitoring, Process command-line parameters" - }, - { - "techniqueID": "T1078", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring" - }, - { - "techniqueID": "T1132.001", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Packet capture, Process use of network, Process monitoring, Network protocol analysis" - }, - { - "techniqueID": "T1114.002", - "color": "#fce93b", - "comment": "considered detectable by a notional organization because it has data-sources Authentication logs, Email gateway, Mail server, Office 365 trace logs" - } - ], - "legendItems": [ - { - "label": "Used by APT3 or a software APT3 uses", - "color": "#6baed6" - }, - { - "label": "Used by APT29 or a software APT29 uses", - "color": "#fce93b" - }, - { - "label": "Used by both APT3 or a softare APT3 uses and APT29 or a software APT29 uses", - "color": "#74c476" - }, - { - "label": "Used by either APT3 or APT29 but considered undetectable by a notional organization because it has no data-sources", - "color": "#fc3b3b" - } - ] -} \ No newline at end of file 
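Review bot: The tail of this deleted sample has a typo in the third `legendItems` label ("softare"), so if the file is being relocated under the new `layers/` structure rather than dropped, correct that label in the new copy. Every visible `comment` also justifies detectability with the older free-text data-source names ("Process monitoring", "Netflow/Enclave netflow", "Process command-line parameters"), which supports treating the sample as outdated. If a detection-coverage example is still wanted, regenerate it against current data rather than moving this one. Please also confirm that no README or test fixture still links to this sample's path.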
diff --git a/layers/data/samples/Wizard_Spider-G0102-Updated.json b/layers/data/samples/Wizard_Spider-G0102-Updated.json deleted file mode 100644 index 631f692de..000000000 --- a/layers/data/samples/Wizard_Spider-G0102-Updated.json +++ /dev/null 
@@ -1,882 +0,0 @@ -{ - "name": "Wizard Spider (G0102)", - "versions": { - "attack": "8", - "navigator": "4.0", - "layer": "4.0" - }, - "domain": "enterprise-attack", - "description": "Enterprise techniques used by Wizard Spider, ATT&CK group G0102 v1.1", - "filters": { - "platforms": [ - "Linux", - "macOS", - "Windows", - "Office 365", - "Azure AD", - "AWS", - "GCP", - "Azure", - "SaaS", - "PRE", - "Network" - ] - }, - "sorting": 0, - "layout": { - "layout": "side", - "showID": false, - "showName": true - }, - "hideDisabled": false, - "techniques": [ - { - "techniqueID": "T1071", - "tactic": "command-and-control", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1071.001", - "tactic": "command-and-control", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1059", - "tactic": "execution", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1059.001", - "tactic": "execution", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used macros to execute PowerShell scripts to download malware on victims machines.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1543", - "tactic": "persistence", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1543", - "tactic": "privilege-escalation", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1543.003", - "tactic": "persistence", - "score": 1, - "color": "", - "comment": 
"[Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1543.003", - "tactic": "privilege-escalation", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1074", - "tactic": "collection", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll and psfin [TrickBot](https://attack.mitre.org/software/S0266) modules.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1482", - "tactic": "discovery", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory organizational units and trust objects.(Citation: FireEye Ryuk and Trickbot January 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1041", - "tactic": "exfiltration", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1070", - "tactic": "defense-evasion", - 
"color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1070.004", - "tactic": "defense-evasion", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1570", - "tactic": "lateral-movement", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1036.004", - "tactic": "defense-evasion", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1112", - "tactic": "defense-evasion", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1027", - "tactic": 
"defense-evasion", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) used base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service.(Citation: FireEye Ryuk and Trickbot January 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1069", - "tactic": "discovery", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1069.002", - "tactic": "discovery", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1566", - "tactic": "initial-access", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1566.001", - "tactic": "initial-access", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used spearphishing attachments to deliver Microsoft documents containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1021", - "tactic": "lateral-movement", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1021.001", - "tactic": "lateral-movement", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { 
- "techniqueID": "T1018", - "tactic": "discovery", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. [Wizard Spider](https://attack.mitre.org/groups/G0102) has also used AdFind.exe to enumerate domain computers, including the domain controller.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1053", - "tactic": "execution", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1053", - "tactic": "persistence", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1053", - "tactic": "privilege-escalation", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1053.005", - "tactic": "execution", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1053.005", - "tactic": "persistence", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1053.005", - "tactic": "privilege-escalation", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled 
tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1204", - "tactic": "execution", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1204.002", - "tactic": "execution", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims to execute malware with spearphishing attachments containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": 
"T1078", - "tactic": "initial-access", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1047", - "tactic": "execution", - "score": 1, - "color": "", - "comment": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery.(Citation: CrowdStrike Grim Spider May 2019)", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1003.003", - "tactic": "credential-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has gained access to credentials via exported copies of the ntds.dit Active Directory database.\n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1566.002", - "tactic": "initial-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1055.001", - "tactic": "defense-evasion", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD 
SPIDER has injected malicious DLLs into memory with read, write, and execute permissions.\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1055.001", - "tactic": "privilege-escalation", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has injected malicious DLLs into memory with read, write, and execute permissions.\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1204.001", - "tactic": "execution", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has lured victims into clicking a malicious link delivered through spearphishing.\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1547", - "tactic": "persistence", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1547.001", - "tactic": "persistence", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has established persistence via the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and a shortcut within the startup folder\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1547.001", - "tactic": "privilege-escalation", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has established persistence via the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and a shortcut within the startup 
folder\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1547.004", - "tactic": "persistence", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1547.004", - "tactic": "privilege-escalation", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1059.003", - "tactic": "execution", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used cmd.exe to execute commands on a victim’s machine. \n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1048", - "tactic": "exfiltration", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1048.003", - "tactic": "exfiltration", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has exfiltrated victim information using FTP. 
\n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/ \n https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ \n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1210", - "tactic": "lateral-movement", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.\n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html \n https://thedfirreport.com/2020/10/08/ryuks-return/ \n https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ \n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1222", - "tactic": "defense-evasion", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1222.001", - "tactic": "defense-evasion", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders. 
\n\nhttps://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1562", - "tactic": "defense-evasion", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1562.001", - "tactic": "defense-evasion", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing. \n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\n https://thedfirreport.com/2020/10/08/ryuks-return/\n www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html \n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1557", - "tactic": "credential-access", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1557.001", - "tactic": "credential-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1557.001", - "tactic": "collection", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1135", - "tactic": "discovery", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used the “net view” command to locate mapped network shares. 
\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1003.002", - "tactic": "credential-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has acquired credentials from the SAM/SECURITY registry hives. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1588", - "tactic": "resource-development", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1588.003", - "tactic": "resource-development", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER obtained a code signing certificate signed by Digicert for BazarLoader.\n\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1021.002", - "tactic": "lateral-movement", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement. 
\n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\n https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ \n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1021.006", - "tactic": "lateral-movement", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used Window Remote Management to move laterally through a victim network.\n\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1489", - "tactic": "impact", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used taskkill.exe, and net.exe to stop backup, catalog, cloud, and other services prior to network encryption. \n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1518", - "tactic": "discovery", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1518.001", - "tactic": "discovery", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has use WMI to identify anti-virus products installed on a victim’s machine. 
\n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1558", - "tactic": "credential-access", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1558.003", - "tactic": "credential-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.\n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\n www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html \n https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ \n https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html \n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1553", - "tactic": "defense-evasion", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1553.002", - "tactic": "defense-evasion", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used Digicert code-signing certificates for some of its malware. \n\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1082", - "tactic": "discovery", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used “systeminfo” and similar commands to acquire detailed configuration information of a victim machine. 
\n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1016", - "tactic": "discovery", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used the ipconfig command to identify the network configuration of a victim machine.\n\nhttps://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1033", - "tactic": "discovery", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used whoami to identify the local user and their privileges. \n\nhttps://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1569", - "tactic": "execution", - "color": "", - "comment": "", - "enabled": true, - "metadata": [], - "showSubtechniques": true - }, - { - "techniqueID": "T1569.002", - "tactic": "execution", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used services.exe to execute scripts and executables during lateral movement within a victim network. \n\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\n https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1078.002", - "tactic": "defense-evasion", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used administrative accounts, including Domain Admin, to move laterally within a victim network. 
\n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1078.002", - "tactic": "persistence", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used administrative accounts, including Domain Admin, to move laterally within a victim network. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1078.002", - "tactic": "privilege-escalation", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used administrative accounts, including Domain Admin, to move laterally within a victim network. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - }, - { - "techniqueID": "T1078.002", - "tactic": "initial-access", - "score": 2, - "color": "#a1d99b", - "comment": "WIZARD SPIDER has used administrative accounts, including Domain Admin, to move laterally within a victim network. \n\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html ", - "enabled": true, - "metadata": [], - "showSubtechniques": false - } - ], - "gradient": { - "colors": [ - "#ffffff", - "#66b1ff" - ], - "minValue": 0, - "maxValue": 1 - }, - "legendItems": [ - { - "color": "#66b1ff", - "label": "used by Wizard Spider" - }, - { - "color": "#a1d99b", - "label": "New Wizard Spider techniques as of Nov 2020 " - } - ], - "metadata": [], - "showTacticRowBackground": false, - "tacticRowBackground": "#dddddd", - "selectTechniquesAcrossTactics": true, - "selectSubtechniquesWithParent": false -} \ No newline at end of file 
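Review bot: The removal of `layers/data/samples/Wizard_Spider-G0102-Updated.json` is under-documented: the CHANGELOG entry in this patch says only that outdated layer samples were removed, without naming them. The `versions` block here (`"attack": "8"`, `"navigator": "4.0"`, `"layer": "4.0"`) does support calling the file outdated. It is, however, a sample that pairs `"score": 2` with the manual colour `#a1d99b` while `gradient.maxValue` is 1, and its legend labels those entries "New Wizard Spider techniques as of Nov 2020", so it documents a usage pattern, not just a group. Suggest listing the removed sample paths in the pull request description or CHANGELOG, and noting whether an equivalent example exists in a current layer version, so anyone who loads this file by path can tell the removal was intentional.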
diff --git a/layers/data/samples/software_execution.json b/layers/data/samples/software_execution.json deleted file mode 100644 index 7b7442d81..000000000 --- a/layers/data/samples/software_execution.json +++ /dev/null 
@@ -1,1497 +0,0 @@ -{ - "name": "Software Execution", - "description": "All techniques that can be executed by software, where the score is the count of software using the technique", - "version": "3.0", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1070.006", - "comment": "executed by 3PARA RAT, Attor, Bankshot, China Chopper, Derusbi, Elise, FALLCHILL, Gazer, InvisiMole, KeyBoy, Misdat, OwaAuth, POSHSPY, PowerStallion, Psylo, SEASHARPEE, Shamoon, TDTESS, USBStealer, Cobalt Strike, Empire", - "score": 21 - }, - { - "techniqueID": "T1071.001", - "comment": "executed by 3PARA RAT, 4H RAT, ABK, ADVSTORESHELL, Agent Tesla, Aria-body, Avenger, BACKSPACE, BADNEWS, BBK, BBSRAT, BUBBLEWRAP, BackConfig, BadPatch, Bankshot, Bisonal, BlackEnergy, Bundlore, CHOPSTICK, CORESHELL, Carbanak, Cardinal RAT, ChChes, China Chopper, CloudDuke, ComRAT, Comnie, CosmicDuke, CozyCar, DarkComet, Daserf, DealersChoice, Dipsind, DownPaper, Dridex, DustySky, Dyre, ELMER, Elise, Emissary, Epic, EvilBunny, Exaramel for Linux, FELIXROOT, Felismus, Final1stspy, FlawedAmmyy, Gazer, GeminiDuke, Get2, Gold Dragon, Goopy, GravityRAT, GreyEnergy, HAMMERTOSS, HAWKBALL, HTTPBrowser, Helminth, Hi-Zor, Hikit, HyperBro, InvisiMole, Ixeshe, JHUHUGIT, KONNI, Kazuar, Keydnap, Komplex, LOWBALL, Lokibot, MAZE, MacSpy, Machete, MechaFlounder, Metamorfo, Micropsia, MiniDuke, Mis-Type, More_eggs, NETEAGLE, NOKKI, OLDBAIT, Octopus, Okrum, OnionDuke, OopsIE, OwaAuth, PLEAD, POWERTON, POWRUNER, PUNCHBUGGY, PinchDuke, PlugX, Pony, PowerShower, Proxysvc, Psylo, Pteranodon, QUADAGENT, RATANKBA, RGDoor, RIPTIDE, ROKRAT, RTM, Reaver, RedLeaves, Regin, Remexi, Remsec, Rising Sun, S-Type, SNUGRIDE, Sakula, SeaDuke, Seasalt, ServHelper, Shamoon, ShimRat, Smoke Loader, SpeakUp, Sys10, TSCookie, TrickBot, UBoatRAT, UPPERCUT, Ursnif, VBShower, VERMIN, Valak, Vasport, WinMM, WindTail, Winnti for Linux, Xbash, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, down_new, httpclient, pngdowner, Cobalt 
Strike, Empire, PoshC2, Pupy, ShimRatReporter", - "score": 148 - }, - { - "techniqueID": "T1083", - "comment": "executed by 3PARA RAT, 4H RAT, ADVSTORESHELL, Aria-body, Attor, AuditCred, AutoIt backdoor, Avenger, Azorult, BACKSPACE, BADNEWS, BBSRAT, BLACKCOFFEE, BabyShark, BackConfig, Backdoor.Oldrea, BadPatch, Bankshot, BlackEnergy, Brave Prince, CHOPSTICK, CORALDECK, Cannon, Cardinal RAT, ChChes, China Chopper, CosmicDuke, Crimson, CrossRAT, DDKONG, Denis, Derusbi, DustySky, ELMER, Elise, Epic, FALLCHILL, FLASHFLOOD, FinFisher, FruitFly, Fysbis, GeminiDuke, Gold Dragon, GravityRAT, HOPLIGHT, HTTPBrowser, HotCroissant, Hydraq, InnaputRAT, InvisiMole, Ixeshe, JPIN, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, Kwampirs, Linfo, MESSAGETAP, Machete, Metamorfo, Micropsia, Misdat, MobileOrder, MoonWind, NDiskMonitor, NETEAGLE, OceanSalt, Octopus, Okrum, Orz, OwaAuth, PLEAD, POORAIM, POWRUNER, Pasam, PinchDuke, Pisloader, PlugX, PoetRAT, PowerDuke, Prikormka, Proxysvc, Psylo, Pteranodon, RARSTONE, ROKRAT, RTM, Ramsay, RedLeaves, Remexi, Remsec, Rising Sun, Rover, Ryuk, SDBot, SHOTPUT, SOUNDBITE, SPACESHIP, Seasalt, ShimRat, Skidmap, Smoke Loader, StreamEx, SynAck, TINYTYPHON, TSCookie, TYPEFRAME, TajMahal, TrickBot, UPPERCUT, USBStealer, USBferry, Volgmer, WINERACK, WannaCry, WinMM, WindTail, XAgentOSX, ZLib, Zebrocy, Zeus Panda, ZxShell, down_new, jRAT, njRAT, yty, zwShell, Empire, Forfiles, Imminent Monitor, PoshC2, Pupy, Remcos, cmd", - "score": 137 - }, - { - "techniqueID": "T1573.001", - "comment": "executed by 3PARA RAT, 4H RAT, ADVSTORESHELL, Attor, Azorult, BADCALL, BADNEWS, BBSRAT, Bisonal, CHOPSTICK, CORESHELL, CallMe, Carbanak, Cardinal RAT, ChChes, Chaos, Comnie, CosmicDuke, Daserf, Derusbi, Dipsind, Downdelph, Dridex, Duqu, Ebury, Elise, Emissary, Epic, FALLCHILL, FakeM, Felismus, FlawedAmmyy, Gazer, GreyEnergy, H1N1, HAMMERTOSS, Helminth, Hi-Zor, HiddenWasp, Hikit, HotCroissant, Hydraq, InvisiMole, KEYMARBLE, Komplex, LightNeuron, Lurid, MoonWind, 
More_eggs, Mosquito, NDiskMonitor, NETEAGLE, NanoCore, Okrum, PLAINTEE, PLEAD, POWERTON, PoisonIvy, Prikormka, RIPTIDE, RTM, RedLeaves, Rifdoor, SNUGRIDE, Sakula, SeaDuke, Sys10, TSCookie, Taidoor, TrickBot, UPPERCUT, Volgmer, Winnti for Linux, ZeroT, down_new, gh0st RAT, httpclient, QuasarRAT", - "score": 78 - }, - { - "techniqueID": "T1082", - "comment": "executed by 4H RAT, ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, Attor, Avenger, Azorult, BACKSPACE, BADCALL, BISCUIT, BUBBLEWRAP, BabyShark, BackConfig, Backdoor.Oldrea, BadPatch, Bankshot, Bisonal, BlackEnergy, Brave Prince, Bundlore, CARROTBAT, CORESHELL, Cadelspy, Cannon, Cardinal RAT, ChChes, Comnie, CozyCar, Crimson, DarkComet, Denis, Derusbi, DownPaper, DustySky, Dyre, Elise, Emissary, Epic, FALLCHILL, FELIXROOT, Felismus, FinFisher, Final1stspy, FlawedAmmyy, Fysbis, GRIFFON, Get2, Gold Dragon, GravityRAT, HALFBAKED, HAPPYWORK, HAWKBALL, HOPLIGHT, HotCroissant, Hydraq, InnaputRAT, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KARAE, KEYMARBLE, KOMPROGO, KONNI, Kasidet, Kazuar, KeyBoy, Kwampirs, LightNeuron, Linfo, Lokibot, LoudMiner, MAZE, MURKYTOP, Machete, Micropsia, MirageFox, Mis-Type, Misdat, MobileOrder, MoonWind, More_eggs, NDiskMonitor, NETWIRE, NOKKI, Naid, NanHaiShu, NavRAT, Netwalker, OSInfo, OSX/Shlayer, OSX_OCEANLOTUS.D, OceanSalt, Octopus, Okrum, OopsIE, Orz, PLAINTEE, POORAIM, POWERSTATS, POWRUNER, PUNCHBUGGY, Pasam, PinchDuke, Pisloader, PoetRAT, Pony, PowerDuke, PowerShower, Prikormka, Proxysvc, RATANKBA, ROKRAT, RTM, Ramsay, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, RunningRAT, S-Type, SDBot, SHARPSTATS, SHUTTERSPEED, SLOWDRIFT, SOUNDBITE, SYSCON, ServHelper, Shamoon, Skidmap, SpeakUp, SslMM, StoneDrill, StreamEx, SynAck, Sys10, T9000, TURNEDUP, TYPEFRAME, TajMahal, TrickBot, UPPERCUT, Unknown Logger, Ursnif, VERMIN, Valak, Volgmer, WINDSHIELD, WINERACK, WinMM, Wingbird, XAgentOSX, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, build_downer, down_new, jRAT, 
njRAT, yty, zwShell, Empire, PoshC2, Pupy, QuasarRAT, ShimRatReporter, Systeminfo, cmd", - "score": 175 - }, - { - "techniqueID": "T1057", - "comment": "executed by 4H RAT, ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, Avenger, Azorult, BACKSPACE, BBSRAT, BISCUIT, BLACKCOFFEE, BabyShark, Backdoor.Oldrea, Bankshot, Bisonal, BlackEnergy, Brave Prince, Bundlore, Cannon, Carbanak, Carbon, Cardinal RAT, ChChes, Comnie, Crimson, DarkComet, Derusbi, Duqu, DustySky, ELMER, Elise, Emotet, Epic, EvilBunny, FELIXROOT, FinFisher, Final1stspy, FruitFly, Fysbis, GeminiDuke, Get2, Gold Dragon, Goopy, GravityRAT, HALFBAKED, Helminth, HotCroissant, Hydraq, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kasidet, Kazuar, Komplex, Kwampirs, Linfo, LoudMiner, MAZE, Machete, Metamorfo, MobileOrder, MoonWind, Mosquito, NETEAGLE, NavRAT, OceanSalt, Orz, PLAINTEE, PLEAD, POORAIM, POWERSTATS, POWRUNER, Pasam, PlugX, PoetRAT, PowerDuke, PowerShower, PowerStallion, Proxysvc, RATANKBA, ROKRAT, RTM, Remsec, Rising Sun, RogueRobin, Ryuk, SHOTPUT, SYSCON, Seasalt, Skidmap, Socksbot, StreamEx, Sykipot, SynAck, TSCookie, TajMahal, Trojan.Karagany, UBoatRAT, USBferry, Ursnif, VERMIN, Valak, Volgmer, WINERACK, WinMM, XAgentOSX, Zebrocy, Zeus Panda, ZxShell, down_new, gh0st RAT, iKitten, jRAT, yty, Cobalt Strike, Empire, Imminent Monitor, PowerSploit, Pupy, ShimRatReporter, Tasklist", - "score": 124 - }, - { - "techniqueID": "T1059.003", - "comment": "executed by 4H RAT, ABK, ADVSTORESHELL, Astaroth, AuditCred, BACKSPACE, BADNEWS, BBK, BISCUIT, BLACKCOFFEE, BONDUPDATER, BabyShark, BackConfig, Bandook, Bankshot, Bisonal, CALENDAR, CARROTBAT, Carbanak, Cardinal RAT, China Chopper, Cobian RAT, CoinTicker, ComRAT, Comnie, CozyCar, DarkComet, Daserf, DealersChoice, Denis, Dipsind, DownPaper, Emissary, Emotet, EvilBunny, Exaramel for Windows, FELIXROOT, Felismus, Gold Dragon, Goopy, GravityRAT, GreyEnergy, H1N1, HARDRAIN, HAWKBALL, HOMEFRY, HOPLIGHT, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, 
Hikit, HotCroissant, InnaputRAT, InvisiMole, Ixeshe, JCry, JHUHUGIT, JPIN, KEYMARBLE, KOMPROGO, KONNI, Kasidet, Kazuar, KeyBoy, LightNeuron, Linfo, LoudMiner, MAZE, MURKYTOP, MechaFlounder, Metamorfo, Micropsia, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, More_eggs, Mosquito, NETEAGLE, NanoCore, NavRAT, Netwalker, OceanSalt, Okrum, OopsIE, Orz, PHOREAL, PLAINTEE, PLEAD, POWRUNER, Pisloader, PlugX, PoisonIvy, Pony, PowerDuke, Proxysvc, Pteranodon, QUADAGENT, RATANKBA, RGDoor, RTM, Ragnar Locker, RedLeaves, Remexi, Revenge RAT, Rising Sun, RobbinHood, RogueRobin, RunningRAT, Ryuk, SDBot, SEASHARPEE, SNUGRIDE, SQLRat, SYSCON, Sakula, SamSam, SeaDuke, Seasalt, ServHelper, ShimRat, StreamEx, TDTESS, TEXTMATE, TSCookie, TURNEDUP, TYPEFRAME, TinyZBot, TrickBot, UBoatRAT, UPPERCUT, USBferry, Umbreon, Volgmer, WEBC2, Wiarp, XTunnel, ZLib, Zebrocy, Zeus Panda, ZxShell, adbupd, hcdLoader, httpclient, jRAT, njRAT, zwShell, Cobalt Strike, Empire, Koadic, QuasarRAT, Remcos, cmd", - "score": 155 - }, - { - "techniqueID": "T1518.001", - "comment": "executed by ABK, Astaroth, Avenger, BadPatch, CHOPSTICK, Comnie, CozyCar, Crimson, DustySky, Epic, EvilBunny, FELIXROOT, Felismus, FinFisher, Flame, FlawedAmmyy, Gold Dragon, JPIN, Kasidet, Micropsia, More_eggs, Mosquito, Netwalker, POWERSTATS, POWRUNER, PUNCHBUGGY, Prikormka, ROKRAT, RTM, Remsec, RogueRobin, Skidmap, StoneDrill, StreamEx, T9000, TajMahal, VERMIN, Valak, Wingbird, YAHOYAH, Zeus Panda, build_downer, down_new, jRAT, Empire, Tasklist, netsh", - "score": 47 - }, - { - "techniqueID": "T1055", - "comment": "executed by ABK, Attor, AuditCred, Avenger, BBK, Backdoor.Oldrea, Cardinal RAT, Dyre, Gazer, HOPLIGHT, HyperBro, JHUHUGIT, JPIN, NavRAT, Ryuk, Smoke Loader, StoneDrill, TSCookie, Taidoor, Wiarp, Wingbird, Cobalt Strike, Empire, HTRAN, PoshC2, Remcos", - "score": 26 - }, - { - "techniqueID": "T1140", - "comment": "executed by ABK, Agent Tesla, Aria-body, Astaroth, AuditCred, Avenger, Azorult, BBK, BBSRAT, BOOSTWRITE, 
BackConfig, Bankshot, Bisonal, Bundlore, Carbon, Cardinal RAT, CoinTicker, ComRAT, DDKONG, Denis, Dyre, FinFisher, Final1stspy, Goopy, HiddenWasp, ISMInjector, InvisiMole, KONNI, Kwampirs, LightNeuron, MESSAGETAP, Machete, Metamorfo, MirageFox, More_eggs, NOKKI, Netwalker, OSX/Shlayer, Okrum, OopsIE, POWERSTATS, PUNCHBUGGY, PlugX, Proton, QUADAGENT, RGDoor, Ramsay, Remexi, Rising Sun, RogueRobin, SDBot, SQLRat, Shamoon, ShimRat, Skidmap, Smoke Loader, Starloader, TSCookie, TYPEFRAME, TrickBot, Ursnif, VERMIN, Valak, Volgmer, WindTail, Winnti for Linux, YAHOYAH, Zebrocy, ZeroT, Zeus Panda, Expand, Imminent Monitor, certutil", - "score": 73 - }, - { - "techniqueID": "T1105", - "comment": "executed by ABK, Agent Tesla, Agent.btz, Aria-body, Astaroth, Attor, AuditCred, Avenger, Azorult, BADNEWS, BBK, BISCUIT, BONDUPDATER, BabyShark, BackConfig, BadPatch, Bankshot, Bisonal, Briba, Bundlore, CARROTBAT, CHOPSTICK, CORESHELL, Calisto, CallMe, Cannon, Cardinal RAT, ChChes, China Chopper, CloudDuke, CoinTicker, Crimson, DDKONG, DOGCALL, DarkComet, Daserf, Denis, Dipsind, Downdelph, Dyre, Elise, Emissary, EvilBunny, Exaramel for Linux, FELIXROOT, Felismus, Gazer, Gold Dragon, GreyEnergy, H1N1, HAPPYWORK, HOPLIGHT, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, HotCroissant, Hydraq, HyperBro, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KARAE, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, Kwampirs, LOWBALL, LightNeuron, Linfo, LoudMiner, Machete, MechaFlounder, Metamorfo, Micropsia, MiniDuke, Misdat, Mivast, MobileOrder, More_eggs, Mosquito, NDiskMonitor, NOKKI, NanHaiShu, NanoCore, NavRAT, Nerex, Netwalker, Nidiran, OSX_OCEANLOTUS.D, Octopus, Okrum, OopsIE, Orz, PLAINTEE, PLEAD, POSHSPY, POWERSOURCE, POWERSTATS, POWRUNER, PUNCHBUGGY, Pasam, Pisloader, PlugX, PoetRAT, PoisonIvy, Pony, PowerDuke, Psylo, Pteranodon, RARSTONE, RATANKBA, RGDoor, ROKRAT, RTM, RedLeaves, RemoteCMD, Remsec, Revenge RAT, RogueRobin, SDBot, SEASHARPEE, SHARPSTATS, SHUTTERSPEED, SLOWDRIFT, SQLRat, Sakula, 
SeaDuke, Seasalt, ServHelper, Shamoon, ShimRat, Skidmap, Smoke Loader, SpeakUp, StoneDrill, TDTESS, TSCookie, TURNEDUP, TYPEFRAME, TrickBot, Trojan.Karagany, UBoatRAT, UPPERCUT, Unknown Logger, Ursnif, VBShower, VERMIN, Valak, Vasport, Volgmer, WEBC2, Wiarp, Winnti for Linux, Xbash, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, build_downer, down_new, gh0st RAT, jRAT, njRAT, BITSAdmin, CARROTBALL, Empire, Koadic, Pupy, QuasarRAT, Remcos, ShimRatReporter, certutil, cmd, esentutl", - "score": 181 - }, - { - "techniqueID": "T1027.003", - "comment": "executed by ABK, Avenger, BBK, Okrum, PowerDuke, build_downer", - "score": 6 - }, - { - "techniqueID": "T1106", - "comment": "executed by ADVSTORESHELL, Aria-body, Attor, BADNEWS, BBK, BackConfig, Bankshot, ComRAT, Denis, Goopy, HAWKBALL, HotCroissant, HyperBro, InnaputRAT, LightNeuron, MAZE, Metamorfo, Mosquito, Netwalker, PlugX, Pony, RDFSNIFFER, RTM, Ramsay, Rising Sun, Ryuk, ShimRat, SynAck, TrickBot, Ursnif, Volgmer, WindTail, XAgentOSX, build_downer, Cobalt Strike, Empire, Imminent Monitor, ShimRatReporter", - "score": 38 - }, - { - "techniqueID": "T1027", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, Attor, AuditCred, Avenger, BOOSTWRITE, BackConfig, Bisonal, Bundlore, CARROTBAT, CORESHELL, Carbanak, Carbon, Cardinal RAT, CoinTicker, ComRAT, Comnie, CozyCar, DOGCALL, Daserf, Denis, DustySky, Ebury, Elise, Emissary, Emotet, Epic, Exaramel for Linux, FELIXROOT, FinFisher, Final1stspy, FlawedGrace, FruitFly, Fysbis, Gazer, Goopy, GravityRAT, GreyEnergy, H1N1, HAWKBALL, HOMEFRY, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, HotCroissant, Hydraq, ISMInjector, InnaputRAT, InvisiMole, JHUHUGIT, JPIN, Kazuar, KeyBoy, Kwampirs, LightNeuron, Lokibot, LoudMiner, MAZE, Machete, Matroyshka, Metamorfo, Micropsia, Mosquito, NOKKI, NanHaiShu, NanoCore, Netwalker, OLDBAIT, OSX_OCEANLOTUS.D, OopsIE, Orz, POSHSPY, POWERSTATS, PUNCHBUGGY, PUNCHTRACK, Pisloader, PoetRAT, PoisonIvy, Pony, PowerStallion, 
Prikormka, QUADAGENT, RTM, Ramsay, Reaver, RedLeaves, Remexi, Remsec, Rifdoor, Rising Sun, RogueRobin, SDBot, SHARPSTATS, SHOTPUT, SQLRat, Sakula, SamSam, Seasalt, Shamoon, ShimRat, Skidmap, Smoke Loader, SpeakUp, StoneDrill, StreamEx, SynAck, TINYTYPHON, TYPEFRAME, TajMahal, TrickBot, UBoatRAT, USBStealer, Ursnif, VERMIN, Valak, Volgmer, WindTail, Winnti for Linux, XTunnel, YAHOYAH, ZeroT, Zeus Panda, jRAT, CARROTBALL, Empire, Imminent Monitor, Invoke-PSImage, PowerSploit, Remcos, ShimRatReporter", - "score": 133 - }, - { - "techniqueID": "T1056.001", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Astaroth, Attor, BADNEWS, BISCUIT, BabyShark, BadPatch, Bandook, BlackEnergy, CHOPSTICK, Cadelspy, Carbanak, Cardinal RAT, Catchamas, Cobian RAT, CosmicDuke, DOGCALL, DarkComet, Daserf, Derusbi, Duqu, DustySky, EvilGrab, FakeM, Fysbis, GreyEnergy, HTTPBrowser, Helminth, JPIN, KONNI, Kasidet, KeyBoy, Kivars, Lokibot, MacSpy, Machete, Matroyshka, Micropsia, MoonWind, NETWIRE, NanoCore, NavRAT, NetTraveler, Okrum, OwaAuth, PlugX, PoetRAT, PoisonIvy, Prikormka, Proton, ROKRAT, RTM, Regin, Remexi, Remsec, Revenge RAT, Rover, RunningRAT, SslMM, Sykipot, TajMahal, TinyZBot, Unknown Logger, VERMIN, XAgentOSX, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, yty, Cobalt Strike, Empire, Imminent Monitor, PoshC2, PowerSploit, Pupy, QuasarRAT, Remcos", - "score": 80 - }, - { - "techniqueID": "T1120", - "comment": "executed by ADVSTORESHELL, Attor, BADNEWS, BlackEnergy, Cadelspy, DustySky, FlawedAmmyy, Machete, MoonWind, Prikormka, RTM, Ragnar Locker, Ramsay, T9000, TajMahal, USBStealer, USBferry, WannaCry, Zebrocy, jRAT, njRAT", - "score": 21 - }, - { - "techniqueID": "T1070.004", - "comment": "executed by ADVSTORESHELL, Aria-body, Attor, AuditCred, Azorult, BBSRAT, BLACKCOFFEE, BabyShark, BackConfig, Backdoor.Oldrea, Bankshot, Bisonal, CARROTBAT, Calisto, Carbanak, Cardinal RAT, Cherry Picker, Denis, Derusbi, DustySky, Elise, Epic, EvilBunny, FALLCHILL, FELIXROOT, FruitFly, 
Fysbis, Gazer, Gold Dragon, GreyEnergy, HALFBAKED, HAWKBALL, HTTPBrowser, Hi-Zor, HotCroissant, Hydraq, HyperBro, InnaputRAT, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kazuar, Kivars, Komplex, LightNeuron, Linfo, LockerGoga, LoudMiner, MESSAGETAP, MURKYTOP, MacSpy, Machete, Metamorfo, Misdat, MoonWind, More_eggs, Mosquito, NOKKI, NanHaiShu, OSX_OCEANLOTUS.D, OceanSalt, Okrum, OopsIE, PLEAD, POWERSTATS, PUNCHBUGGY, Pasam, Pony, PowerDuke, PowerShower, Proton, Proxysvc, Pteranodon, QUADAGENT, RDFSNIFFER, ROKRAT, RTM, Reaver, RedLeaves, Remsec, Rising Sun, RunningRAT, SDBot, SQLRat, Sakula, SamSam, SeaDuke, Seasalt, ServHelper, ShimRat, SpeakUp, StoneDrill, TDTESS, TYPEFRAME, USBStealer, Ursnif, VBShower, VERMIN, Volgmer, WINDSHIELD, WindTail, Wingbird, XAgentOSX, Zebrocy, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, pngdowner, zwShell, Imminent Monitor, SDelete, cmd", - "score": 117 - }, - { - "techniqueID": "T1546.015", - "comment": "executed by ADVSTORESHELL, BBSRAT, ComRAT, JHUHUGIT, KONNI, Mosquito", - "score": 6 - }, - { - "techniqueID": "T1112", - "comment": "executed by ADVSTORESHELL, Attor, BACKSPACE, BADCALL, Bankshot, CHOPSTICK, Cardinal RAT, Catchamas, ComRAT, DarkComet, Exaramel for Windows, FELIXROOT, GreyEnergy, HOPLIGHT, Hydraq, InvisiMole, KEYMARBLE, KONNI, LoJax, Metamorfo, Mosquito, Naid, NanoCore, Nerex, Netwalker, PHOREAL, PLAINTEE, PlugX, PoetRAT, PoisonIvy, PowerShower, QUADAGENT, RTM, Regin, Rover, SOUNDBITE, Shamoon, ShimRat, StreamEx, SynAck, TYPEFRAME, TajMahal, TrickBot, Ursnif, Valak, Volgmer, Zeus Panda, njRAT, zwShell, QuasarRAT, Reg, Remcos", - "score": 52 - }, - { - "techniqueID": "T1029", - "comment": "executed by ADVSTORESHELL, ComRAT, Dipsind, Kazuar, LightNeuron, Linfo, Machete, POWERSTATS, ShimRat, jRAT, Cobalt Strike", - "score": 11 - }, - { - "techniqueID": "T1012", - "comment": "executed by ADVSTORESHELL, Attor, Azorult, BACKSPACE, BabyShark, Bankshot, Brave Prince, CHOPSTICK, Carbanak, Carbon, Cardinal RAT, ComRAT, 
Denis, Derusbi, DownPaper, Epic, FELIXROOT, FinFisher, Gold Dragon, HOPLIGHT, Hydraq, InvisiMole, JPIN, OSInfo, POWERSOURCE, POWRUNER, PlugX, Proxysvc, QUADAGENT, RATANKBA, ROKRAT, Reaver, Shamoon, StoneDrill, SynAck, Ursnif, Volgmer, WINDSHIELD, Zebrocy, Zeus Panda, ZxShell, PowerSploit, Reg", - "score": 43 - }, - { - "techniqueID": "T1041", - "comment": "executed by ADVSTORESHELL, Astaroth, Attor, BACKSPACE, Bankshot, CallMe, Cannon, DustySky, Dyre, Emotet, Goopy, HAWKBALL, HOPLIGHT, HotCroissant, LightNeuron, Lokibot, Machete, MechaFlounder, MobileOrder, NETEAGLE, Okrum, OopsIE, PowerShower, Proxysvc, Psylo, Pteranodon, ROKRAT, Remexi, Rising Sun, TajMahal, Ursnif, Valak, Zebrocy, Empire, Imminent Monitor, Pupy, ShimRatReporter", - "score": 37 - }, - { - "techniqueID": "T1560.003", - "comment": "executed by ADVSTORESHELL, Agent.btz, Attor, Duqu, FLASHFLOOD, HAWKBALL, InvisiMole, MESSAGETAP, Machete, Okrum, OopsIE, OwaAuth, RGDoor, Ramsay, RawPOS, Reaver, Rising Sun, SPACESHIP, T9000", - "score": 19 - }, - { - "techniqueID": "T1074.001", - "comment": "executed by ADVSTORESHELL, Astaroth, Attor, BADNEWS, BadPatch, Calisto, Carbon, Catchamas, Duqu, DustySky, Dyre, Elise, Exaramel for Windows, FLASHFLOOD, Gold Dragon, Helminth, InvisiMole, Kazuar, LightNeuron, MESSAGETAP, Machete, MoonWind, NOKKI, NavRAT, OopsIE, PUNCHBUGGY, PUNCHTRACK, PoisonIvy, Prikormka, Pteranodon, Ramsay, RawPOS, Rover, SPACESHIP, Trojan.Karagany, USBStealer, Ursnif, Zebrocy", - "score": 38 - }, - { - "techniqueID": "T1547.001", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, BACKSPACE, BADNEWS, BBSRAT, BabyShark, Backdoor.Oldrea, BadPatch, Bisonal, BlackEnergy, Briba, CORESHELL, Carbanak, Cardinal RAT, ChChes, Cobian RAT, Comnie, CozyCar, CrossRAT, DarkComet, DownPaper, DustySky, Elise, Emissary, Emotet, EvilBunny, EvilGrab, FELIXROOT, FLASHFLOOD, FinFisher, Final1stspy, GRIFFON, Gazer, Gold Dragon, HTTPBrowser, Helminth, Hi-Zor, InnaputRAT, Ixeshe, JCry, JHUHUGIT, 
KONNI, Kasidet, Kazuar, LoJax, Matroyshka, Metamorfo, Mivast, Mosquito, NETEAGLE, NETWIRE, NOKKI, NanHaiShu, NanoCore, NavRAT, Okrum, PLAINTEE, POWERSOURCE, POWERTON, PUNCHBUGGY, Pisloader, PlugX, PoetRAT, PoisonIvy, PowerDuke, PowerShower, Prikormka, Pteranodon, RTM, Reaver, RedLeaves, Remexi, Revenge RAT, Rifdoor, RogueRobin, Rover, RunningRAT, Ryuk, S-Type, SDBot, SHIPSHAPE, SNUGRIDE, SPACESHIP, Sakula, SeaDuke, Seasalt, ServHelper, ShimRat, Smoke Loader, SslMM, Sykipot, TINYTYPHON, TURNEDUP, TinyZBot, TrickBot, Trojan.Karagany, Truvasys, USBStealer, Ursnif, VBShower, Vasport, Xbash, Zebrocy, Zeus Panda, build_downer, gh0st RAT, njRAT, Empire, PowerSploit, Pupy, Remcos", - "score": 113 - }, - { - "techniqueID": "T1560", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Backdoor.Oldrea, Cadelspy, Daserf, Emotet, Epic, Exaramel for Windows, FELIXROOT, Gold Dragon, LightNeuron, Lurid, Machete, OSX_OCEANLOTUS.D, Prikormka, Proton, Remexi, RunningRAT, VERMIN, Zebrocy, Empire, ShimRatReporter", - "score": 23 - }, - { - "techniqueID": "T1132.001", - "comment": "executed by ADVSTORESHELL, Astaroth, AutoIt backdoor, BADNEWS, BS2005, BabyShark, Backdoor.Oldrea, CORESHELL, Carbanak, ChChes, Cobian RAT, Daserf, Denis, Dipsind, Ebury, Elise, Felismus, Fysbis, HOPLIGHT, Helminth, Ixeshe, JHUHUGIT, KONNI, Kazuar, MechaFlounder, Mis-Type, Misdat, More_eggs, Octopus, Okrum, OopsIE, POWERSTATS, POWRUNER, Pisloader, PowerShower, Prikormka, QUADAGENT, Revenge RAT, RogueRobin, S-Type, SeaDuke, SpeakUp, Zebrocy, down_new, njRAT", - "score": 45 - }, - { - "techniqueID": "T1218.011", - "comment": "executed by ADVSTORESHELL, Attor, Bisonal, Briba, CORESHELL, Comnie, CozyCar, DDKONG, Elise, Emissary, FELIXROOT, Flame, GreyEnergy, JHUHUGIT, KONNI, Kwampirs, Matroyshka, Mosquito, NOKKI, NotPetya, PUNCHBUGGY, PowerDuke, Prikormka, Pteranodon, RTM, Ragnar Locker, Sakula, ServHelper, StreamEx, USBferry, Winnti for Windows, ZxShell, gh0st RAT, Koadic", - "score": 34 - }, - { - 
"techniqueID": "T1573.002", - "comment": "executed by ADVSTORESHELL, Attor, BISCUIT, CHOPSTICK, ComRAT, Dridex, Emotet, Gazer, GreyEnergy, Hi-Zor, Metamorfo, POSHSPY, POWERSTATS, PoetRAT, ServHelper, Sykipot, Volgmer, WannaCry, XTunnel, Zebrocy, adbupd, Empire, Koadic, Pupy, Tor", - "score": 25 - }, - { - "techniqueID": "T1505.003", - "comment": "executed by ASPXSpy, China Chopper, OwaAuth, SEASHARPEE", - "score": 4 - }, - { - "techniqueID": "T1124", - "comment": "executed by Agent Tesla, Astaroth, Azorult, Cannon, Carbon, Epic, EvilBunny, FELIXROOT, GRIFFON, GravityRAT, HOPLIGHT, InvisiMole, Metamorfo, MoonWind, NOKKI, Okrum, OopsIE, PowerDuke, Proxysvc, RTM, SHARPSTATS, Shamoon, StoneDrill, T9000, TajMahal, UPPERCUT, WindTail, Zebrocy, Zeus Panda, build_downer, Net", - "score": 31 - }, - { - "techniqueID": "T1115", - "comment": "executed by Agent Tesla, Astaroth, Attor, Cadelspy, Catchamas, CosmicDuke, DarkComet, Helminth, JHUHUGIT, KONNI, MacSpy, Machete, RTM, Remexi, RunningRAT, TajMahal, TinyZBot, VERMIN, Zeus Panda, jRAT, Empire, Koadic, Remcos", - "score": 23 - }, - { - "techniqueID": "T1033", - "comment": "executed by Agent Tesla, Agent.btz, Aria-body, Azorult, BISCUIT, BabyShark, Backdoor.Oldrea, Cannon, Cardinal RAT, DarkComet, Denis, Derusbi, DownPaper, Dyre, Epic, FELIXROOT, Felismus, FlawedAmmyy, Gazer, Get2, Gold Dragon, Goopy, GravityRAT, HAPPYWORK, HAWKBALL, HotCroissant, InvisiMole, Ixeshe, JPIN, KONNI, Kazuar, Komplex, Kwampirs, Linux Rabbit, Lokibot, MechaFlounder, Micropsia, MirageFox, Mis-Type, MoonWind, More_eggs, Mosquito, NDiskMonitor, NOKKI, NanHaiShu, Octopus, Okrum, POWERSTATS, POWRUNER, PoetRAT, PowerDuke, PowerShower, Prikormka, QUADAGENT, RATANKBA, RGDoor, RTM, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, SDBot, SHARPSTATS, ServHelper, SpeakUp, SslMM, SynAck, Sys10, T9000, UPPERCUT, Unknown Logger, VERMIN, Valak, WINDSHIELD, WINERACK, WinMM, XAgentOSX, Zebrocy, ZxShell, njRAT, yty, zwShell, Koadic, Pupy", - 
"score": 87 - }, - { - "techniqueID": "T1562.001", - "comment": "executed by Agent Tesla, Brave Prince, Bundlore, ChChes, DarkComet, Gold Dragon, Goopy, H1N1, HDoor, JPIN, LockerGoga, MAZE, NanHaiShu, NanoCore, Netwalker, OSX/Shlayer, POWERSTATS, Proton, Ragnar Locker, RobbinHood, RunningRAT, Ryuk, Skidmap, SslMM, TinyZBot, TrickBot, Unknown Logger, ZxShell, Imminent Monitor", - "score": 29 - }, - { - "techniqueID": "T1087.001", - "comment": "executed by Agent Tesla, Bankshot, Carbon, Comnie, Duqu, Elise, Epic, GeminiDuke, InvisiMole, Kazuar, Kwampirs, MURKYTOP, Mis-Type, OSInfo, POWERSTATS, PUNCHBUGGY, Pony, RATANKBA, Remsec, S-Type, SHOTPUT, TrickBot, USBferry, Valak, Empire, Net, PoshC2, PowerSploit, Pupy", - "score": 29 - }, - { - "techniqueID": "T1048.003", - "comment": "executed by Agent Tesla, Brave Prince, CORALDECK, Carbon, Cherry Picker, CosmicDuke, KONNI, PoetRAT, Remsec, WindTail, BITSAdmin, FTP", - "score": 12 - }, - { - "techniqueID": "T1113", - "comment": "executed by Agent Tesla, Aria-body, Attor, Azorult, BADNEWS, BISCUIT, BadPatch, Bandook, BlackEnergy, CHOPSTICK, Cadelspy, Cannon, Carbanak, Cardinal RAT, Catchamas, Cobian RAT, CosmicDuke, Crimson, CrossRAT, DOGCALL, Daserf, Derusbi, DustySky, EvilGrab, FinFisher, Flame, FruitFly, GRIFFON, HALFBAKED, HotCroissant, Hydraq, HyperBro, InvisiMole, JHUHUGIT, Janicab, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, MacSpy, Machete, Matroyshka, Micropsia, NETWIRE, Octopus, POORAIM, POWERSTATS, POWRUNER, PlugX, PoetRAT, Prikormka, Proton, Pteranodon, ROKRAT, RTM, RedLeaves, Remexi, Revenge RAT, RogueRobin, Rover, SHUTTERSPEED, Socksbot, StoneDrill, T9000, TURNEDUP, TajMahal, TinyZBot, Trojan.Karagany, UPPERCUT, Ursnif, VERMIN, Valak, XAgentOSX, ZLib, Zebrocy, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, yty, Cobalt Strike, Empire, PowerSploit, Pupy, Remcos", - "score": 88 - }, - { - "techniqueID": "T1016", - "comment": "executed by Agent Tesla, Agent.btz, Aria-body, Astaroth, Avenger, Azorult, BADCALL, 
BabyShark, Backdoor.Oldrea, Bisonal, BlackEnergy, Brave Prince, Calisto, Carbon, Catchamas, Comnie, Crimson, Denis, Duqu, Dyre, Elise, Emissary, Epic, FALLCHILL, FELIXROOT, Felismus, GeminiDuke, GravityRAT, HotCroissant, Hydraq, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kazuar, KeyBoy, Kwampirs, LightNeuron, Lokibot, LoudMiner, Machete, Mis-Type, MoonWind, More_eggs, Mosquito, NOKKI, Naid, NanHaiShu, NanoCore, OSInfo, OceanSalt, Octopus, Okrum, Olympic Destroyer, Orz, PLAINTEE, POWERSTATS, POWRUNER, Pisloader, PowerDuke, PowerShower, Prikormka, Proxysvc, QUADAGENT, RATANKBA, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, Ryuk, SDBot, SHARPSTATS, Shamoon, SpeakUp, Sykipot, Sys10, T9000, TSCookie, TajMahal, TrickBot, UPPERCUT, USBferry, Unknown Logger, VERMIN, Valak, Volgmer, WannaCry, Xbash, Zebrocy, ZeroT, down_new, iKitten, jRAT, yty, zwShell, Arp, Empire, Koadic, Nltest, PoshC2, Pupy, ShimRatReporter, ifconfig, ipconfig, nbtstat, route", - "score": 111 - }, - { - "techniqueID": "T1125", - "comment": "executed by Agent Tesla, Bandook, Cobian RAT, DarkComet, Derusbi, EvilGrab, InvisiMole, Kazuar, Machete, NanoCore, PoetRAT, Revenge RAT, SDBot, T9000, TajMahal, ZxShell, jRAT, njRAT, Empire, Imminent Monitor, Pupy, QuasarRAT, Remcos", - "score": 23 - }, - { - "techniqueID": "T1071.003", - "comment": "executed by Agent Tesla, BadPatch, CHOPSTICK, CORESHELL, Cannon, ComRAT, Goopy, JPIN, LightNeuron, NavRAT, OLDBAIT, Remsec, Zebrocy", - "score": 13 - }, - { - "techniqueID": "T1555", - "comment": "executed by Agent Tesla, Astaroth, CosmicDuke, Lokibot, Matroyshka, OLDBAIT, PLEAD, PinchDuke, Prikormka, Proton, ROKRAT, LaZagne, Mimikatz, PowerSploit, Pupy, QuasarRAT", - "score": 16 - }, - { - "techniqueID": "T1564.003", - "comment": "executed by Agent Tesla, Astaroth, BONDUPDATER, HAMMERTOSS, HotCroissant, KeyBoy, Kivars, Metamorfo, PowerShower, Ursnif, WindTail", - "score": 11 - }, - { - "techniqueID": "T1497", - "comment": "executed 
by Agent Tesla, CHOPSTICK, CozyCar, Metamorfo, RTM, StoneDrill", - "score": 6 - }, - { - "techniqueID": "T1185", - "comment": "executed by Agent Tesla, Dridex, TrickBot, Ursnif, Cobalt Strike", - "score": 5 - }, - { - "techniqueID": "T1204.002", - "comment": "executed by Agent Tesla, Bundlore, Cardinal RAT, Emotet, JCry, Lokibot, OSX/Shlayer, PLEAD, PoetRAT, Pony, RTM, Rifdoor, SQLRat, SYSCON, TYPEFRAME, TrickBot, Valak, CARROTBALL", - "score": 18 - }, - { - "techniqueID": "T1091", - "comment": "executed by Agent.btz, CHOPSTICK, DustySky, Flame, H1N1, Ramsay, SHIPSHAPE, USBStealer, USBferry, Unknown Logger, Ursnif, njRAT", - "score": 12 - }, - { - "techniqueID": "T1052.001", - "comment": "executed by Agent.btz, Machete, Remsec, SPACESHIP, USBStealer", - "score": 5 - }, - { - "techniqueID": "T1055.001", - "comment": "executed by Aria-body, BlackEnergy, Carbon, ComRAT, Derusbi, Duqu, Dyre, Elise, Emissary, Emotet, FinFisher, Get2, HIDEDRV, Kazuar, MAZE, Matroyshka, Metamorfo, Netwalker, PoisonIvy, RARSTONE, RATANKBA, Ramsay, Remsec, SDBot, Socksbot, Sykipot, TajMahal, ZxShell, Koadic, PowerSploit, Pupy", - "score": 31 - }, - { - "techniqueID": "T1568.002", - "comment": "executed by Aria-body, BONDUPDATER, CCBkdr, CHOPSTICK, Ebury, POSHSPY, Ursnif", - "score": 7 - }, - { - "techniqueID": "T1049", - "comment": "executed by Aria-body, BlackEnergy, Carbon, Comnie, Duqu, Epic, GravityRAT, Kwampirs, MAZE, MESSAGETAP, Machete, OSInfo, Okrum, POWRUNER, PlugX, RATANKBA, RedLeaves, Remsec, SHOTPUT, SpeakUp, Sykipot, USBferry, Volgmer, Zebrocy, jRAT, Empire, Net, PoshC2, Pupy, ShimRatReporter, nbtstat, netstat", - "score": 32 - }, - { - "techniqueID": "T1095", - "comment": "executed by Aria-body, BUBBLEWRAP, Carbon, Crimson, Derusbi, FakeM, HiddenWasp, Mis-Type, Misdat, MoonWind, NETEAGLE, PHOREAL, PlugX, RARSTONE, Reaver, Regin, Remsec, SDBot, TSCookie, Umbreon, WINDSHIELD, Winnti for Linux", - "score": 22 - }, - { - "techniqueID": "T1025", - "comment": "executed by Aria-body, 
BADNEWS, CosmicDuke, Crimson, FLASHFLOOD, GravityRAT, Machete, Prikormka, Ramsay, Remsec, Rover, TajMahal, USBStealer", - "score": 13 - }, - { - "techniqueID": "T1090", - "comment": "executed by Aria-body, AuditCred, BADCALL, Cardinal RAT, Dridex, HARDRAIN, HOPLIGHT, PLEAD, SDBot, Socksbot, TSCookie, TYPEFRAME, Ursnif, Vasport, XTunnel, ZxShell, jRAT, HTRAN, PoshC2, QuasarRAT, Remcos, netsh", - "score": 22 - }, - { - "techniqueID": "T1134.001", - "comment": "executed by Aria-body, FinFisher, Okrum, Shamoon, Cobalt Strike, Pupy", - "score": 6 - }, - { - "techniqueID": "T1134.002", - "comment": "executed by Aria-body, Azorult, Bankshot, KONNI, ZxShell, Empire, PoshC2", - "score": 7 - }, - { - "techniqueID": "T1010", - "comment": "executed by Aria-body, Attor, Cadelspy, Catchamas, Duqu, HotCroissant, Kazuar, Machete, NetTraveler, PLEAD, PoisonIvy, PowerDuke, Remexi, SOUNDBITE, WINERACK, njRAT", - "score": 16 - }, - { - "techniqueID": "T1027.002", - "comment": "executed by Astaroth, China Chopper, DarkComet, Daserf, Dyre, Emotet, FinFisher, GreyEnergy, H1N1, HotCroissant, Lokibot, Machete, OSX_OCEANLOTUS.D, OopsIE, SDBot, SeaDuke, ShimRat, TrickBot, Trojan.Karagany, Uroburos, VERMIN, Zebrocy, ZeroT, jRAT, yty", - "score": 25 - }, - { - "techniqueID": "T1220", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1218.001", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1047", - "comment": "executed by Astaroth, BlackEnergy, DustySky, Emotet, EvilBunny, FELIXROOT, FlawedAmmyy, GravityRAT, HALFBAKED, HOPLIGHT, KOMPROGO, Kazuar, MAZE, Micropsia, Mosquito, Netwalker, NotPetya, Octopus, Olympic Destroyer, OopsIE, POWERSTATS, POWRUNER, RATANKBA, Remexi, RogueRobin, StoneDrill, Ursnif, WannaCry, Zebrocy, jRAT, Cobalt Strike, Empire, Impacket, Koadic, PoshC2, PowerSploit", - "score": 36 - }, - { - "techniqueID": "T1059.007", - "comment": "executed by Astaroth, Bundlore, GRIFFON, Metamorfo, NanHaiShu, POWERSTATS, Xbash, 
jRAT", - "score": 8 - }, - { - "techniqueID": "T1547.009", - "comment": "executed by Astaroth, BACKSPACE, BlackEnergy, Comnie, FELIXROOT, Gazer, Helminth, KONNI, Kazuar, Micropsia, Okrum, Reaver, RedLeaves, RogueRobin, S-Type, SHIPSHAPE, SPACESHIP, SeaDuke, SslMM, TinyZBot, Empire", - "score": 21 - }, - { - "techniqueID": "T1129", - "comment": "executed by Astaroth, Attor, BOOSTWRITE, Hydraq, PUNCHBUGGY, TajMahal", - "score": 6 - }, - { - "techniqueID": "T1218.010", - "comment": "executed by Astaroth, Derusbi, Hi-Zor, More_eggs, Orz, Ragnar Locker, RogueRobin, Valak, Xbash, Koadic", - "score": 10 - }, - { - "techniqueID": "T1055.012", - "comment": "executed by Astaroth, Azorult, BADNEWS, BBSRAT, Bandook, Denis, Duqu, ISMInjector, Lokibot, Orz, Smoke Loader, TrickBot, Ursnif, Cobalt Strike", - "score": 14 - }, - { - "techniqueID": "T1552", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1564.001", - "comment": "executed by Attor, BackConfig, Calisto, CoinTicker, FruitFly, Ixeshe, Komplex, Lokibot, LoudMiner, MacSpy, Machete, Micropsia, OSX/Shlayer, OSX_OCEANLOTUS.D, Okrum, PoetRAT, Rising Sun, WannaCry, iKitten, Imminent Monitor", - "score": 20 - }, - { - "techniqueID": "T1119", - "comment": "executed by Attor, BADNEWS, Bankshot, Comnie, Helminth, InvisiMole, LightNeuron, MESSAGETAP, Micropsia, PoetRAT, Proxysvc, RTM, Ramsay, Rover, T9000, TajMahal, USBStealer, VERMIN, WindTail, Zebrocy, PoshC2, ShimRatReporter", - "score": 22 - }, - { - "techniqueID": "T1569.002", - "comment": "executed by Attor, BBSRAT, HOPLIGHT, Hydraq, HyperBro, LoudMiner, Net Crawler, Netwalker, NotPetya, Okrum, Olympic Destroyer, Proxysvc, Ragnar Locker, RemoteCMD, Shamoon, Wingbird, Cobalt Strike, Empire, Impacket, Koadic, Net, PoshC2, PsExec, Pupy, Winexe, xCmd", - "score": 26 - }, - { - "techniqueID": "T1037.001", - "comment": "executed by Attor, JHUHUGIT, Zebrocy", - "score": 3 - }, - { - "techniqueID": "T1053.005", - "comment": "executed by Attor, BADNEWS, 
BONDUPDATER, BackConfig, Carbon, ComRAT, CosmicDuke, CozyCar, Duqu, Dyre, Emotet, EvilBunny, GRIFFON, Gazer, Goopy, GravityRAT, Helminth, HotCroissant, ISMInjector, JHUHUGIT, Machete, Matroyshka, NotPetya, Okrum, OopsIE, POWERSTATS, POWRUNER, Pteranodon, QUADAGENT, RTM, Ramsay, Remexi, RemoteCMD, Revenge RAT, SQLRat, ServHelper, Shamoon, Smoke Loader, TrickBot, Valak, yty, zwShell, Empire, PowerSploit, QuasarRAT, schtasks", - "score": 46 - }, - { - "techniqueID": "T1497.001", - "comment": "executed by Attor, BadPatch, Denis, Dyre, EvilBunny, FinFisher, GravityRAT, OSX_OCEANLOTUS.D, Okrum, OopsIE, PlugX, PoetRAT, ROKRAT, RogueRobin, Smoke Loader, SynAck, UBoatRAT, yty, Pupy, Remcos", - "score": 20 - }, - { - "techniqueID": "T1090.003", - "comment": "executed by Attor, Dok, GreyEnergy, Keydnap, MacSpy, Ursnif, WannaCry, Tor", - "score": 8 - }, - { - "techniqueID": "T1055.004", - "comment": "executed by Attor, TURNEDUP", - "score": 2 - }, - { - "techniqueID": "T1071.002", - "comment": "executed by Attor, JPIN, Kazuar, Machete, NOKKI, SYSCON, XAgentOSX, ZxShell, CARROTBALL", - "score": 9 - }, - { - "techniqueID": "T1020", - "comment": "executed by Attor, CosmicDuke, LightNeuron, Machete, Rover, TINYTYPHON, TajMahal, USBStealer, ShimRatReporter", - "score": 9 - }, - { - "techniqueID": "T1543.003", - "comment": "executed by Attor, AuditCred, BBSRAT, Bankshot, BlackEnergy, Briba, Carbon, Catchamas, CosmicDuke, CozyCar, Duqu, Dyre, Elise, Emissary, Emotet, Exaramel for Windows, FinFisher, GreyEnergy, Hydraq, InnaputRAT, JHUHUGIT, Kazuar, KeyBoy, Kwampirs, LoudMiner, MoonWind, Naid, Nerex, Nidiran, Okrum, PlugX, PoisonIvy, Ragnar Locker, RawPOS, Reaver, Sakula, Seasalt, Shamoon, ShimRat, StreamEx, TDTESS, TYPEFRAME, TinyZBot, Ursnif, Volgmer, WannaCry, Wiarp, Wingbird, Winnti for Windows, ZLib, ZeroT, ZxShell, gh0st RAT, hcdLoader, zwShell, Cobalt Strike, Empire, PowerSploit", - "score": 58 - }, - { - "techniqueID": "T1123", - "comment": "executed by Attor, Bandook, 
Cadelspy, Cobian RAT, DOGCALL, DarkComet, Derusbi, EvilGrab, Flame, InvisiMole, Janicab, MacSpy, Machete, Micropsia, NanoCore, ROKRAT, Revenge RAT, T9000, TajMahal, VERMIN, jRAT, Imminent Monitor, PowerSploit, Pupy, Remcos", - "score": 25 - }, - { - "techniqueID": "T1036.004", - "comment": "executed by Attor, Catchamas, ComRAT, Exaramel for Windows, Fysbis, InnaputRAT, Kwampirs, Machete, Nidiran, Okrum, POWERSTATS, PlugX, RTM, RawPOS, Seasalt, Shamoon, ShimRat, Truvasys, Volgmer, build_downer", - "score": 20 - }, - { - "techniqueID": "T1059.001", - "comment": "executed by AutoIt backdoor, BONDUPDATER, ComRAT, Denis, DownPaper, Emotet, GRIFFON, HALFBAKED, HAMMERTOSS, Helminth, JCry, KONNI, KeyBoy, Mosquito, Netwalker, OSX_OCEANLOTUS.D, POSHSPY, POWERSOURCE, POWERSTATS, POWERTON, POWRUNER, PUNCHBUGGY, PowerShower, PowerStallion, QUADAGENT, RATANKBA, Revenge RAT, RogueRobin, SHARPSTATS, SQLRat, SeaDuke, ServHelper, Socksbot, Ursnif, Valak, Xbash, Zeus Panda, Cobalt Strike, Empire, PowerSploit, Pupy", - "score": 41 - }, - { - "techniqueID": "T1548.002", - "comment": "executed by AutoIt backdoor, BlackEnergy, Downdelph, FinFisher, H1N1, InvisiMole, KONNI, PLAINTEE, RTM, Ramsay, Sakula, Shamoon, ShimRat, ZeroT, Cobalt Strike, Empire, Koadic, PoshC2, Pupy, Remcos, UACMe", - "score": 21 - }, - { - "techniqueID": "T1552.001", - "comment": "executed by Azorult, BlackEnergy, Emotet, Smoke Loader, TrickBot, XTunnel, jRAT, pngdowner, Empire, LaZagne, PoshC2, Pupy, QuasarRAT", - "score": 13 - }, - { - "techniqueID": "T1555.003", - "comment": "executed by Azorult, Backdoor.Oldrea, BlackEnergy, ChChes, CosmicDuke, Crimson, Emotet, H1N1, KONNI, KeyBoy, Lokibot, Machete, OLDBAIT, Olympic Destroyer, PLEAD, PinchDuke, PoetRAT, Prikormka, Proton, ROKRAT, RedLeaves, Smoke Loader, TSCookie, TrickBot, Unknown Logger, XAgentOSX, Zebrocy, jRAT, njRAT, Empire, Imminent Monitor, LaZagne, Mimikatz, Pupy, QuasarRAT", - "score": 35 - }, - { - "techniqueID": "T1562.004", - "comment": "executed by 
BACKSPACE, BADCALL, DarkComet, H1N1, HARDRAIN, HOPLIGHT, InvisiMole, Kasidet, NanoCore, Remsec, TYPEFRAME, ZxShell, njRAT, netsh", - "score": 14 - }, - { - "techniqueID": "T1090.001", - "comment": "executed by BACKSPACE, CHOPSTICK, Duqu, Hikit, InvisiMole, Cobalt Strike", - "score": 6 - }, - { - "techniqueID": "T1104", - "comment": "executed by BACKSPACE, BLACKCOFFEE, Chaos", - "score": 3 - }, - { - "techniqueID": "T1132.002", - "comment": "executed by BACKSPACE, Bankshot, OceanSalt", - "score": 3 - }, - { - "techniqueID": "T1001.003", - "comment": "executed by BADCALL, Bankshot, FALLCHILL, FakeM, HARDRAIN, KeyBoy, Okrum", - "score": 7 - }, - { - "techniqueID": "T1571", - "comment": "executed by BADCALL, Bankshot, Derusbi, Emotet, GravityRAT, HARDRAIN, HOPLIGHT, MoonWind, PoetRAT, RTM, RedLeaves, TYPEFRAME, TrickBot", - "score": 13 - }, - { - "techniqueID": "T1574.002", - "comment": "executed by BADNEWS, BBSRAT, Denis, FinFisher, Goopy, HTTPBrowser, HyperBro, Metamorfo, OwaAuth, PlugX, Sakula, T9000, Wingbird, ZeroT, gh0st RAT", - "score": 15 - }, - { - "techniqueID": "T1039", - "comment": "executed by BADNEWS, CosmicDuke, Ramsay", - "score": 3 - }, - { - "techniqueID": "T1005", - "comment": "executed by BADNEWS, BadPatch, Bankshot, Calisto, China Chopper, CosmicDuke, FLASHFLOOD, Goopy, GravityRAT, Hydraq, Ixeshe, Kazuar, LightNeuron, Linfo, Machete, MobileOrder, POWERSTATS, PUNCHTRACK, Pasam, PinchDuke, PoisonIvy, Proxysvc, ROKRAT, Ramsay, RawPOS, Rover, SDBot, ShimRat, TajMahal, TrickBot, USBferry, Ursnif, njRAT, yty, Cobalt Strike, Forfiles, Koadic, PowerSploit", - "score": 38 - }, - { - "techniqueID": "T1553.002", - "comment": "executed by BADNEWS, BOOSTWRITE, BackConfig, ChChes, Daserf, Ebury, Epic, Gazer, GreyEnergy, Helminth, Janicab, LockerGoga, Metamorfo, More_eggs, NETWIRE, Nerex, RTM, QuasarRAT, SDelete", - "score": 19 - }, - { - "techniqueID": "T1102.001", - "comment": "executed by BADNEWS, BLACKCOFFEE, MiniDuke, PlugX, RTM, Xbash", - "score": 6 - }, - 
{ - "techniqueID": "T1132", - "comment": "executed by BADNEWS, H1N1, Linux Rabbit, Ursnif", - "score": 4 - }, - { - "techniqueID": "T1036.005", - "comment": "executed by BADNEWS, BackConfig, Bundlore, Calisto, ChChes, DarkComet, Daserf, Elise, Felismus, FinFisher, Fysbis, Goopy, HTTPBrowser, InnaputRAT, InvisiMole, Ixeshe, KONNI, LightNeuron, Machete, MechaFlounder, Metamorfo, Mis-Type, Misdat, NOKKI, OLDBAIT, OSX/Shlayer, OwaAuth, PUNCHBUGGY, Pony, QUADAGENT, Ramsay, Remsec, Ryuk, S-Type, Skidmap, SslMM, Starloader, USBStealer, Ursnif, Winnti for Windows, ZLib, ShimRatReporter", - "score": 42 - }, - { - "techniqueID": "T1102.002", - "comment": "executed by BADNEWS, BLACKCOFFEE, CALENDAR, CloudDuke, ComRAT, Comnie, CozyCar, DOGCALL, GLOOXMAIL, KARAE, Kazuar, LOWBALL, Orz, POORAIM, PowerStallion, ROKRAT, Revenge RAT, RogueRobin, SLOWDRIFT, Twitoor, UBoatRAT, yty, Empire", - "score": 23 - }, - { - "techniqueID": "T1007", - "comment": "executed by BBSRAT, Comnie, Dyre, Elise, Emissary, Epic, GeminiDuke, GravityRAT, GreyEnergy, HotCroissant, Hydraq, HyperBro, InvisiMole, Ixeshe, JPIN, Kwampirs, RATANKBA, S-Type, Sykipot, SynAck, TrickBot, Ursnif, Volgmer, WINERACK, ZLib, ZxShell, jRAT, Net, PoshC2, Tasklist", - "score": 30 - }, - { - "techniqueID": "T1560.002", - "comment": "executed by BBSRAT, Cardinal RAT, Denis, Epic, SeaDuke, TajMahal, ZLib", - "score": 7 - }, - { - "techniqueID": "T1008", - "comment": "executed by BISCUIT, BlackEnergy, CHOPSTICK, Cardinal RAT, Derusbi, DustySky, HOPLIGHT, JHUHUGIT, Kazuar, Kwampirs, Linfo, Machete, MiniDuke, Mis-Type, NETEAGLE, QUADAGENT, S-Type, ShimRat, SslMM, WinMM, XTunnel", - "score": 21 - }, - { - "techniqueID": "T1071.004", - "comment": "executed by BONDUPDATER, Cobian RAT, Denis, Ebury, Goopy, HTTPBrowser, Helminth, Matroyshka, NanHaiShu, POWERSOURCE, POWRUNER, Pisloader, PlugX, QUADAGENT, Remsec, SOUNDBITE, TEXTMATE, Cobalt Strike", - "score": 18 - }, - { - "techniqueID": "T1574.001", - "comment": "executed by BOOSTWRITE, 
Downdelph, FinFisher, HTTPBrowser, Hikit, InvisiMole, MirageFox, Prikormka, RedLeaves, WEBC2, Empire, PowerSploit", - "score": 12 - }, - { - "techniqueID": "T1542.003", - "comment": "executed by BOOTRASH, FinFisher, ROCKBOOT", - "score": 3 - }, - { - "techniqueID": "T1564.005", - "comment": "executed by BOOTRASH, ComRAT, Regin", - "score": 3 - }, - { - "techniqueID": "T1204.001", - "comment": "executed by BackConfig, Emotet, PLEAD, Pony, TSCookie", - "score": 5 - }, - { - "techniqueID": "T1059.005", - "comment": "executed by BackConfig, Bisonal, Comnie, Emotet, Exaramel for Windows, Goopy, Helminth, JCry, KeyBoy, NanHaiShu, NanoCore, OSX_OCEANLOTUS.D, OopsIE, POWERSTATS, PoetRAT, PowerShower, QUADAGENT, Ramsay, Remexi, Smoke Loader, StoneDrill, TYPEFRAME, Ursnif, VBShower, Xbash, jRAT, Cobalt Strike, Koadic", - "score": 28 - }, - { - "techniqueID": "T1137.001", - "comment": "executed by BackConfig", - "score": 1 - }, - { - "techniqueID": "T1087.003", - "comment": "executed by Backdoor.Oldrea, Emotet, TrickBot, MailSniper, Ruler", - "score": 5 - }, - { - "techniqueID": "T1203", - "comment": "executed by Bankshot, DealersChoice, EvilBunny, HAWKBALL, Ramsay, SpeakUp, Xbash", - "score": 7 - }, - { - "techniqueID": "T1070", - "comment": "executed by Bankshot, Goopy, MAZE, Misdat, Orz, PoetRAT, Prikormka, RTM, Rising Sun, SDBot", - "score": 10 - }, - { - "techniqueID": "T1087.002", - "comment": "executed by Bankshot, OSInfo, POWRUNER, Sykipot, Valak, Empire, Net, PoshC2, dsquery", - "score": 9 - }, - { - "techniqueID": "T1485", - "comment": "executed by BlackEnergy, Kazuar, Olympic Destroyer, PowerDuke, Proxysvc, Shamoon, StoneDrill, Xbash, RawDisk, SDelete", - "score": 10 - }, - { - "techniqueID": "T1021.002", - "comment": "executed by BlackEnergy, Duqu, Emotet, Kwampirs, Net Crawler, NotPetya, Olympic Destroyer, Regin, Shamoon, zwShell, Cobalt Strike, Net, PsExec", - "score": 13 - }, - { - "techniqueID": "T1046", - "comment": "executed by BlackEnergy, China Chopper, 
HDoor, MURKYTOP, Ramsay, Remsec, SpeakUp, XTunnel, Xbash, ZxShell, Cobalt Strike, Empire, Koadic, PoshC2, Pupy", - "score": 15 - }, - { - "techniqueID": "T1070.001", - "comment": "executed by BlackEnergy, FinFisher, Hydraq, NotPetya, Olympic Destroyer, RunningRAT, SynAck, ZxShell, gh0st RAT, Pupy", - "score": 10 - }, - { - "techniqueID": "T1574.010", - "comment": "executed by BlackEnergy", - "score": 1 - }, - { - "techniqueID": "T1189", - "comment": "executed by Bundlore, KARAE, LoudMiner, POORAIM", - "score": 4 - }, - { - "techniqueID": "T1056.002", - "comment": "executed by Bundlore, Calisto, Dok, Keydnap, Proton, iKitten", - "score": 6 - }, - { - "techniqueID": "T1059.004", - "comment": "executed by Bundlore, CallMe, Chaos, CoinTicker, Derusbi, Exaramel for Linux, Fysbis, Kazuar, LoudMiner, OSX/Shlayer, Proton, Skidmap, WindTail", - "score": 13 - }, - { - "techniqueID": "T1543.001", - "comment": "executed by Bundlore, Calisto, CoinTicker, CrossRAT, Dok, FruitFly, Keydnap, Komplex, MacSpy, OSX_OCEANLOTUS.D, Proton", - "score": 11 - }, - { - "techniqueID": "T1059.002", - "comment": "executed by Bundlore, Dok", - "score": 2 - }, - { - "techniqueID": "T1543.004", - "comment": "executed by Bundlore, LoudMiner, OSX_OCEANLOTUS.D", - "score": 3 - }, - { - "techniqueID": "T1098.004", - "comment": "executed by Bundlore, Skidmap", - "score": 2 - }, - { - "techniqueID": "T1059.006", - "comment": "executed by Bundlore, CoinTicker, KeyBoy, Keydnap, Machete, MechaFlounder, PUNCHBUGGY, PoetRAT, SpeakUp, Cobalt Strike, Pupy, Remcos", - "score": 12 - }, - { - "techniqueID": "T1518", - "comment": "executed by Bundlore, ComRAT, DustySky, Dyre, HotCroissant, Orz, RTM, TajMahal, down_new, ShimRatReporter", - "score": 10 - }, - { - "techniqueID": "T1176", - "comment": "executed by Bundlore, OSX/Shlayer", - "score": 2 - }, - { - "techniqueID": "T1195.002", - "comment": "executed by CCBkdr", - "score": 1 - }, - { - "techniqueID": "T1092", - "comment": "executed by CHOPSTICK, 
USBStealer", - "score": 2 - }, - { - "techniqueID": "T1059", - "comment": "executed by CHOPSTICK, DarkComet, Get2, Matroyshka, SpeakUp, WINERACK, Zeus Panda, gh0st RAT, Empire, Imminent Monitor", - "score": 10 - }, - { - "techniqueID": "T1560.001", - "comment": "executed by CORALDECK, Calisto, Daserf, DustySky, InvisiMole, Micropsia, Okrum, OopsIE, PUNCHBUGGY, PoetRAT, PowerShower, Ramsay, WindTail, iKitten, PoshC2, Pupy", - "score": 16 - }, - { - "techniqueID": "T1027.001", - "comment": "executed by CORESHELL, Comnie, Emissary, FinFisher, Goopy, Kwampirs, MAZE, POWERSTATS, Rifdoor, SamSam, XTunnel, ZeroT, yty", - "score": 13 - }, - { - "techniqueID": "T1098", - "comment": "executed by Calisto, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1555.001", - "comment": "executed by Calisto, Proton, iKitten, LaZagne", - "score": 4 - }, - { - "techniqueID": "T1217", - "comment": "executed by Calisto, Machete, MobileOrder, Empire", - "score": 4 - }, - { - "techniqueID": "T1569.001", - "comment": "executed by Calisto, LoudMiner", - "score": 2 - }, - { - "techniqueID": "T1136.001", - "comment": "executed by Calisto, Carbanak, Flame, HiddenWasp, Mis-Type, S-Type, ServHelper, ZxShell, Empire, Net, Pupy", - "score": 11 - }, - { - "techniqueID": "T1547.004", - "comment": "executed by Cannon, Dipsind, Gazer, KeyBoy, Remexi", - "score": 5 - }, - { - "techniqueID": "T1003", - "comment": "executed by Carbanak, HOMEFRY, OnionDuke, PinchDuke, Revenge RAT, Trojan.Karagany", - "score": 6 - }, - { - "techniqueID": "T1114.001", - "comment": "executed by Carbanak, CosmicDuke, Crimson, Emotet, Smoke Loader, Empire, Pupy", - "score": 7 - }, - { - "techniqueID": "T1219", - "comment": "executed by Carbanak, Dridex, RTM", - "score": 3 - }, - { - "techniqueID": "T1030", - "comment": "executed by Carbanak, Helminth, OopsIE, POSHSPY", - "score": 4 - }, - { - "techniqueID": "T1055.002", - "comment": "executed by Carbanak, GreyEnergy, Zeus Panda, PowerSploit", - "score": 4 - }, - { - 
"techniqueID": "T1021.001", - "comment": "executed by Carbanak, DarkComet, Revenge RAT, SDBot, ServHelper, ZxShell, jRAT, njRAT, zwShell, Cobalt Strike, Imminent Monitor, Koadic, Pupy, QuasarRAT", - "score": 14 - }, - { - "techniqueID": "T1018", - "comment": "executed by Carbon, Comnie, Epic, Kwampirs, MURKYTOP, OSInfo, Olympic Destroyer, PoetRAT, RATANKBA, Remsec, SHOTPUT, Shamoon, Sykipot, USBferry, WannaCry, njRAT, yty, Cobalt Strike, Net, Nltest, Ping", - "score": 21 - }, - { - "techniqueID": "T1027.004", - "comment": "executed by Cardinal RAT", - "score": 1 - }, - { - "techniqueID": "T1110", - "comment": "executed by Chaos, PoshC2", - "score": 2 - }, - { - "techniqueID": "T1205", - "comment": "executed by Chaos, Umbreon, Winnti for Linux", - "score": 3 - }, - { - "techniqueID": "T1546.010", - "comment": "executed by Cherry Picker, Ramsay, T9000", - "score": 3 - }, - { - "techniqueID": "T1110.001", - "comment": "executed by China Chopper, Emotet, Pony, SpeakUp, Xbash", - "score": 5 - }, - { - "techniqueID": "T1553.001", - "comment": "executed by CoinTicker", - "score": 1 - }, - { - "techniqueID": "T1068", - "comment": "executed by CosmicDuke, JHUHUGIT, Remsec, Wingbird, Cobalt Strike, Empire, PoshC2", - "score": 7 - }, - { - "techniqueID": "T1003.004", - "comment": "executed by CosmicDuke, Impacket, LaZagne, Mimikatz, Pupy, gsecdump", - "score": 6 - }, - { - "techniqueID": "T1003.002", - "comment": "executed by CosmicDuke, CozyCar, HOPLIGHT, Mivast, POWERTON, Remsec, Cobalt Strike, Fgdump, Impacket, Koadic, Mimikatz, gsecdump, pwdump", - "score": 13 - }, - { - "techniqueID": "T1036.003", - "comment": "executed by CozyCar, NotPetya", - "score": 2 - }, - { - "techniqueID": "T1003.001", - "comment": "executed by CozyCar, Daserf, Emotet, GreyEnergy, Net Crawler, NotPetya, Okrum, Olympic Destroyer, PoetRAT, Empire, Impacket, LaZagne, Lslsass, Mimikatz, PoshC2, PowerSploit, Pupy, Windows Credential Editor", - "score": 18 - }, - { - "techniqueID": "T1027.005", - 
"comment": "executed by Daserf, GravityRAT, Cobalt Strike, PowerSploit", - "score": 4 - }, - { - "techniqueID": "T1001.002", - "comment": "executed by Daserf, Duqu, HAMMERTOSS, LightNeuron, ZeroT", - "score": 5 - }, - { - "techniqueID": "T1574", - "comment": "executed by Denis, Ramsay, ShimRat", - "score": 3 - }, - { - "techniqueID": "T1553.004", - "comment": "executed by Dok, Hikit, RTM, certutil", - "score": 4 - }, - { - "techniqueID": "T1547.011", - "comment": "executed by Dok, LoudMiner", - "score": 2 - }, - { - "techniqueID": "T1001.001", - "comment": "executed by Downdelph, P2P ZeuS, PLEAD", - "score": 3 - }, - { - "techniqueID": "T1134", - "comment": "executed by Duqu, Hydraq, Ryuk, SslMM, Empire, PoshC2, PowerSploit", - "score": 7 - }, - { - "techniqueID": "T1071", - "comment": "executed by Duqu, NETEAGLE, Regin, Cobalt Strike", - "score": 4 - }, - { - "techniqueID": "T1078", - "comment": "executed by Duqu, Linux Rabbit, SeaDuke", - "score": 3 - }, - { - "techniqueID": "T1218.007", - "comment": "executed by Duqu, LoudMiner, Ragnar Locker", - "score": 3 - }, - { - "techniqueID": "T1572", - "comment": "executed by Duqu, FLIPSIDE, Cobalt Strike", - "score": 3 - }, - { - "techniqueID": "T1570", - "comment": "executed by DustySky, LockerGoga, Netwalker, Olympic Destroyer, Shamoon, WannaCry, BITSAdmin, Expand, PsExec, cmd, esentutl", - "score": 11 - }, - { - "techniqueID": "T1529", - "comment": "executed by DustySky, LockerGoga, NotPetya, Olympic Destroyer, Shamoon", - "score": 5 - }, - { - "techniqueID": "T1552.004", - "comment": "executed by Ebury, Machete, jRAT, Empire, Mimikatz", - "score": 5 - }, - { - "techniqueID": "T1562.002", - "comment": "executed by Ebury", - "score": 1 - }, - { - "techniqueID": "T1554", - "comment": "executed by Ebury", - "score": 1 - }, - { - "techniqueID": "T1069.001", - "comment": "executed by Emissary, Epic, FlawedAmmyy, Helminth, JPIN, Kazuar, Kwampirs, OSInfo, POWRUNER, Sys10, Net, PoshC2", - "score": 12 - }, - { - 
"techniqueID": "T1040", - "comment": "executed by Emotet, MESSAGETAP, Regin, Empire, Impacket, PoshC2, Responder", - "score": 7 - }, - { - "techniqueID": "T1210", - "comment": "executed by Emotet, Flame, NotPetya, WannaCry, Empire, PoshC2", - "score": 6 - }, - { - "techniqueID": "T1566.002", - "comment": "executed by Emotet, Pony", - "score": 2 - }, - { - "techniqueID": "T1566.001", - "comment": "executed by Emotet, OceanSalt, PoetRAT, Pony, RTM, Rifdoor, TrickBot", - "score": 7 - }, - { - "techniqueID": "T1078.003", - "comment": "executed by Emotet, NotPetya, Umbreon, Cobalt Strike", - "score": 4 - }, - { - "techniqueID": "T1055.011", - "comment": "executed by Epic, Power Loader", - "score": 2 - }, - { - "techniqueID": "T1053.003", - "comment": "executed by Exaramel for Linux, Janicab, Skidmap, SpeakUp, Xbash", - "score": 5 - }, - { - "techniqueID": "T1543.002", - "comment": "executed by Exaramel for Linux, Fysbis, Pupy", - "score": 3 - }, - { - "techniqueID": "T1056.004", - "comment": "executed by FinFisher, NOKKI, RDFSNIFFER, TrickBot, Ursnif, Zebrocy, Zeus Panda, ZxShell, Empire", - "score": 9 - }, - { - "techniqueID": "T1011.001", - "comment": "executed by Flame", - "score": 1 - }, - { - "techniqueID": "T1547.002", - "comment": "executed by Flame", - "score": 1 - }, - { - "techniqueID": "T1001", - "comment": "executed by FlawedAmmyy", - "score": 1 - }, - { - "techniqueID": "T1069.002", - "comment": "executed by GRIFFON, Helminth, Kwampirs, OSInfo, POWRUNER, Net, dsquery", - "score": 7 - }, - { - "techniqueID": "T1055.003", - "comment": "executed by Gazer", - "score": 1 - }, - { - "techniqueID": "T1546.002", - "comment": "executed by Gazer", - "score": 1 - }, - { - "techniqueID": "T1564.004", - "comment": "executed by Gazer, LoJax, POWERSOURCE, PowerDuke, Regin, Valak, Zeroaccess, Expand, esentutl", - "score": 9 - }, - { - "techniqueID": "T1559.002", - "comment": "executed by GravityRAT, HAWKBALL, KeyBoy, POWERSTATS, PoetRAT, RTM, Ramsay", - "score": 7 - }, - { 
- "techniqueID": "T1080", - "comment": "executed by H1N1, Miner-C, Ramsay, Ursnif", - "score": 4 - }, - { - "techniqueID": "T1490", - "comment": "executed by H1N1, JCry, MAZE, Netwalker, Olympic Destroyer, Ragnar Locker, RobbinHood, Ryuk, WannaCry", - "score": 9 - }, - { - "techniqueID": "T1102.003", - "comment": "executed by HAMMERTOSS, OnionDuke", - "score": 2 - }, - { - "techniqueID": "T1567.002", - "comment": "executed by HAMMERTOSS, Empire", - "score": 2 - }, - { - "techniqueID": "T1014", - "comment": "executed by HIDEDRV, Hacking Team UEFI Rootkit, HiddenWasp, Hikit, LoJax, PoisonIvy, Ramsay, Skidmap, Umbreon, Uroburos, Winnti for Linux, Zeroaccess, HTRAN", - "score": 13 - }, - { - "techniqueID": "T1550.002", - "comment": "executed by HOPLIGHT, Cobalt Strike, Empire, Mimikatz, Pass-The-Hash Toolkit, PoshC2", - "score": 6 - }, - { - "techniqueID": "T1542.001", - "comment": "executed by Hacking Team UEFI Rootkit, LoJax, Trojan.Mebromi", - "score": 3 - }, - { - "techniqueID": "T1546.004", - "comment": "executed by HiddenWasp, Linux Rabbit", - "score": 2 - }, - { - "techniqueID": "T1574.006", - "comment": "executed by HiddenWasp", - "score": 1 - }, - { - "techniqueID": "T1489", - "comment": "executed by HotCroissant, Netwalker, Olympic Destroyer, Ragnar Locker, RobbinHood, Ryuk, WannaCry", - "score": 7 - }, - { - "techniqueID": "T1048", - "comment": "executed by Hydraq, PoetRAT", - "score": 2 - }, - { - "techniqueID": "T1135", - "comment": "executed by InvisiMole, Kwampirs, MURKYTOP, OSInfo, Olympic Destroyer, PlugX, Ramsay, ShimRat, Zebrocy, Cobalt Strike, Empire, Koadic, Net, Pupy", - "score": 14 - }, - { - "techniqueID": "T1486", - "comment": "executed by JCry, LockerGoga, MAZE, Netwalker, NotPetya, Ragnar Locker, RobbinHood, Ryuk, SamSam, Shamoon, SynAck, WannaCry, Xbash", - "score": 13 - }, - { - "techniqueID": "T1222.001", - "comment": "executed by JPIN, WannaCry", - "score": 2 - }, - { - "techniqueID": "T1197", - "comment": "executed by JPIN, UBoatRAT, 
BITSAdmin, Cobalt Strike", - "score": 4 - }, - { - "techniqueID": "T1548.001", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1555.002", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1036.006", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1021", - "comment": "executed by Kivars", - "score": 1 - }, - { - "techniqueID": "T1201", - "comment": "executed by Kwampirs, Net, PoshC2", - "score": 3 - }, - { - "techniqueID": "T1114.002", - "comment": "executed by LightNeuron, SeaDuke, Valak, MailSniper", - "score": 4 - }, - { - "techniqueID": "T1565.002", - "comment": "executed by LightNeuron", - "score": 1 - }, - { - "techniqueID": "T1505.002", - "comment": "executed by LightNeuron", - "score": 1 - }, - { - "techniqueID": "T1133", - "comment": "executed by Linux Rabbit", - "score": 1 - }, - { - "techniqueID": "T1110.003", - "comment": "executed by Linux Rabbit, MailSniper", - "score": 2 - }, - { - "techniqueID": "T1531", - "comment": "executed by LockerGoga", - "score": 1 - }, - { - "techniqueID": "T1547", - "comment": "executed by LoudMiner", - "score": 1 - }, - { - "techniqueID": "T1496", - "comment": "executed by LoudMiner, Skidmap, Imminent Monitor", - "score": 3 - }, - { - "techniqueID": "T1564.006", - "comment": "executed by LoudMiner, Ragnar Locker", - "score": 2 - }, - { - "techniqueID": "T1568", - "comment": "executed by MAZE, NETEAGLE, RTM", - "score": 3 - }, - { - "techniqueID": "T1053.002", - "comment": "executed by MURKYTOP, at", - "score": 2 - }, - { - "techniqueID": "T1069", - "comment": "executed by MURKYTOP, ShimRatReporter", - "score": 2 - }, - { - "techniqueID": "T1218.005", - "comment": "executed by NanHaiShu, POWERSTATS, Revenge RAT, Xbash, Koadic", - "score": 5 - }, - { - "techniqueID": "T1110.002", - "comment": "executed by Net Crawler", - "score": 1 - }, - { - "techniqueID": "T1548.004", - "comment": "executed by OSX/Shlayer", - "score": 1 - }, - { - 
"techniqueID": "T1222.002", - "comment": "executed by OSX/Shlayer", - "score": 1 - }, - { - "techniqueID": "T1090.002", - "comment": "executed by Okrum, POWERSTATS, Regin, ShimRat", - "score": 4 - }, - { - "techniqueID": "T1003.005", - "comment": "executed by Okrum, Cachedump, LaZagne, Pupy", - "score": 4 - }, - { - "techniqueID": "T1497.003", - "comment": "executed by Okrum, Pony, Ursnif", - "score": 3 - }, - { - "techniqueID": "T1497.002", - "comment": "executed by Okrum", - "score": 1 - }, - { - "techniqueID": "T1546.003", - "comment": "executed by POSHSPY, POWERTON, SeaDuke, adbupd, PoshC2", - "score": 5 - }, - { - "techniqueID": "T1559.001", - "comment": "executed by POWERSTATS, Ursnif", - "score": 2 - }, - { - "techniqueID": "T1546.009", - "comment": "executed by PUNCHBUGGY", - "score": 1 - }, - { - "techniqueID": "T1547.008", - "comment": "executed by Pasam, Wingbird", - "score": 2 - }, - { - "techniqueID": "T1127.001", - "comment": "executed by PlugX, Empire", - "score": 2 - }, - { - "techniqueID": "T1548.003", - "comment": "executed by Proton", - "score": 1 - }, - { - "techniqueID": "T1070.002", - "comment": "executed by Proton", - "score": 1 - }, - { - "techniqueID": "T1021.005", - "comment": "executed by Proton, ZxShell", - "score": 2 - }, - { - "techniqueID": "T1036", - "comment": "executed by RTM, Ramsay, WindTail", - "score": 3 - }, - { - "techniqueID": "T1218.002", - "comment": "executed by Reaver", - "score": 1 - }, - { - "techniqueID": "T1036.001", - "comment": "executed by Regin, WindTail", - "score": 2 - }, - { - "techniqueID": "T1556.002", - "comment": "executed by Remsec", - "score": 1 - }, - { - "techniqueID": "T1053", - "comment": "executed by Remsec", - "score": 1 - }, - { - "techniqueID": "T1202", - "comment": "executed by Revenge RAT, Forfiles", - "score": 2 - }, - { - "techniqueID": "T1070.005", - "comment": "executed by RobbinHood, Net", - "score": 2 - }, - { - "techniqueID": "T1546.012", - "comment": "executed by SDBot", - "score": 1 - 
}, - { - "techniqueID": "T1546.011", - "comment": "executed by SDBot, ShimRat", - "score": 2 - }, - { - "techniqueID": "T1550.003", - "comment": "executed by SeaDuke, Mimikatz, Pupy", - "score": 3 - }, - { - "techniqueID": "T1078.002", - "comment": "executed by Shamoon, Cobalt Strike", - "score": 2 - }, - { - "techniqueID": "T1561.002", - "comment": "executed by Shamoon, StoneDrill, RawDisk", - "score": 3 - }, - { - "techniqueID": "T1556.001", - "comment": "executed by Skeleton Key", - "score": 1 - }, - { - "techniqueID": "T1547.006", - "comment": "executed by Skidmap", - "score": 1 - }, - { - "techniqueID": "T1556.003", - "comment": "executed by Skidmap", - "score": 1 - }, - { - "techniqueID": "T1561.001", - "comment": "executed by StoneDrill, RawDisk", - "score": 2 - }, - { - "techniqueID": "T1111", - "comment": "executed by Sykipot", - "score": 1 - }, - { - "techniqueID": "T1055.013", - "comment": "executed by SynAck", - "score": 1 - }, - { - "techniqueID": "T1539", - "comment": "executed by TajMahal", - "score": 1 - }, - { - "techniqueID": "T1482", - "comment": "executed by TrickBot, Empire, Nltest, PoshC2, PowerSploit, dsquery", - "score": 6 - }, - { - "techniqueID": "T1552.002", - "comment": "executed by TrickBot, PowerSploit, Reg", - "score": 3 - }, - { - "techniqueID": "T1055.005", - "comment": "executed by Ursnif", - "score": 1 - }, - { - "techniqueID": "T1563.002", - "comment": "executed by WannaCry", - "score": 1 - }, - { - "techniqueID": "T1072", - "comment": "executed by Wiper", - "score": 1 - }, - { - "techniqueID": "T1499", - "comment": "executed by ZxShell", - "score": 1 - }, - { - "techniqueID": "T1037.004", - "comment": "executed by iKitten", - "score": 1 - }, - { - "techniqueID": "T1037.005", - "comment": "executed by jRAT", - "score": 1 - }, - { - "techniqueID": "T1021.006", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1021.004", - "comment": "executed by Cobalt Strike, Empire", - "score": 2 - }, - { - 
"techniqueID": "T1021.003", - "comment": "executed by Cobalt Strike, Empire", - "score": 2 - }, - { - "techniqueID": "T1134.004", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1134.003", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1558.001", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1558.003", - "comment": "executed by Empire, Impacket, PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1557.001", - "comment": "executed by Empire, Impacket, PoshC2, Pupy, Responder", - "score": 5 - }, - { - "techniqueID": "T1546.008", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1547.005", - "comment": "executed by Empire, Mimikatz, PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1134.005", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1484", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1136.002", - "comment": "executed by Empire, Net, Pupy", - "score": 3 - }, - { - "techniqueID": "T1567.001", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1558.002", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1574.007", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1574.008", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1574.009", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1190", - "comment": "executed by Havij, sqlmap", - "score": 2 - }, - { - "techniqueID": "T1003.003", - "comment": "executed by Impacket, Koadic, esentutl", - "score": 3 - }, - { - "techniqueID": "T1003.007", - "comment": "executed by LaZagne, MimiPenguin", - "score": 2 - }, - { - "techniqueID": "T1003.008", - "comment": "executed by LaZagne", - "score": 1 - }, - { - "techniqueID": "T1207", - 
"comment": "executed by Mimikatz", - "score": 1 - }, - { - "techniqueID": "T1003.006", - "comment": "executed by Mimikatz", - "score": 1 - }, - { - "techniqueID": "T1552.006", - "comment": "executed by PowerSploit", - "score": 1 - }, - { - "techniqueID": "T1137.004", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": "T1137.005", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": "T1137.003", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": "T1087", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1090.004", - "comment": "executed by meek", - "score": 1 - }, - { - "techniqueID": "T1546.007", - "comment": "executed by netsh", - "score": 1 - }, - { - "techniqueID": "T1213.002", - "comment": "executed by spwebmember", - "score": 1 - } - ], - "sorting": 3, - "gradient": { - "colors": [ - "#fff7b3", - "#ff6666" - ], - "minValue": 1, - "maxValue": 181 - } -} \ No newline at end of file diff --git a/layers/data/samples/software_malware_execution.json b/layers/data/samples/software_malware_execution.json deleted file mode 100644 index cfc18aadc..000000000 --- a/layers/data/samples/software_malware_execution.json +++ /dev/null 
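Review bot: the sample layer that ends here and `layers/data/samples/software_malware_execution.json` in the file header that follows are deleted outright (`deleted file mode 100644`, `+++ /dev/null`) with no replacement path visible in the diff, so any README, documentation link or test fixture that still points at `layers/data/samples/` will break without warning. Search the repository for the old paths before merging and update or drop those references. The removed layer declares `"version": "3.0"` and `"domain": "mitre-enterprise"`, so the commit message should state whether these samples are retired for good or are meant to be regenerated in a current layer format.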
@@ -1,1337 +0,0 @@ -{ - "name": "Software (malware) Execution", - "description": "All techniques that can be executed by software of subtype malware, where the score is the count of malware using the technique", - "version": "3.0", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1070.006", - "comment": "executed by 3PARA RAT, Attor, Bankshot, China Chopper, Derusbi, Elise, FALLCHILL, Gazer, InvisiMole, KeyBoy, Misdat, OwaAuth, POSHSPY, PowerStallion, Psylo, SEASHARPEE, Shamoon, TDTESS, USBStealer", - "score": 19 - }, - { - "techniqueID": "T1071.001", - "comment": "executed by 3PARA RAT, 4H RAT, ABK, ADVSTORESHELL, Agent Tesla, Aria-body, Avenger, BACKSPACE, BADNEWS, BBK, BBSRAT, BUBBLEWRAP, BackConfig, BadPatch, Bankshot, Bisonal, BlackEnergy, Bundlore, CHOPSTICK, CORESHELL, Carbanak, Cardinal RAT, ChChes, China Chopper, CloudDuke, ComRAT, Comnie, CosmicDuke, CozyCar, DarkComet, Daserf, DealersChoice, Dipsind, DownPaper, Dridex, DustySky, Dyre, ELMER, Elise, Emissary, Epic, EvilBunny, Exaramel for Linux, FELIXROOT, Felismus, Final1stspy, FlawedAmmyy, Gazer, GeminiDuke, Get2, Gold Dragon, Goopy, GravityRAT, GreyEnergy, HAMMERTOSS, HAWKBALL, HTTPBrowser, Helminth, Hi-Zor, Hikit, HyperBro, InvisiMole, Ixeshe, JHUHUGIT, KONNI, Kazuar, Keydnap, Komplex, LOWBALL, Lokibot, MAZE, MacSpy, Machete, MechaFlounder, Metamorfo, Micropsia, MiniDuke, Mis-Type, More_eggs, NETEAGLE, NOKKI, OLDBAIT, Octopus, Okrum, OnionDuke, OopsIE, OwaAuth, PLEAD, POWERTON, POWRUNER, PUNCHBUGGY, PinchDuke, PlugX, Pony, PowerShower, Proxysvc, Psylo, Pteranodon, QUADAGENT, RATANKBA, RGDoor, RIPTIDE, ROKRAT, RTM, Reaver, RedLeaves, Regin, Remexi, Remsec, Rising Sun, S-Type, SNUGRIDE, Sakula, SeaDuke, Seasalt, ServHelper, Shamoon, ShimRat, Smoke Loader, SpeakUp, Sys10, TSCookie, TrickBot, UBoatRAT, UPPERCUT, Ursnif, VBShower, VERMIN, Valak, Vasport, WinMM, WindTail, Winnti for Linux, Xbash, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, down_new, httpclient, pngdowner", - 
"score": 143 - }, - { - "techniqueID": "T1083", - "comment": "executed by 3PARA RAT, 4H RAT, ADVSTORESHELL, Aria-body, Attor, AuditCred, AutoIt backdoor, Avenger, Azorult, BACKSPACE, BADNEWS, BBSRAT, BLACKCOFFEE, BabyShark, BackConfig, Backdoor.Oldrea, BadPatch, Bankshot, BlackEnergy, Brave Prince, CHOPSTICK, CORALDECK, Cannon, Cardinal RAT, ChChes, China Chopper, CosmicDuke, Crimson, CrossRAT, DDKONG, Denis, Derusbi, DustySky, ELMER, Elise, Epic, FALLCHILL, FLASHFLOOD, FinFisher, FruitFly, Fysbis, GeminiDuke, Gold Dragon, GravityRAT, HOPLIGHT, HTTPBrowser, HotCroissant, Hydraq, InnaputRAT, InvisiMole, Ixeshe, JPIN, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, Kwampirs, Linfo, MESSAGETAP, Machete, Metamorfo, Micropsia, Misdat, MobileOrder, MoonWind, NDiskMonitor, NETEAGLE, OceanSalt, Octopus, Okrum, Orz, OwaAuth, PLEAD, POORAIM, POWRUNER, Pasam, PinchDuke, Pisloader, PlugX, PoetRAT, PowerDuke, Prikormka, Proxysvc, Psylo, Pteranodon, RARSTONE, ROKRAT, RTM, Ramsay, RedLeaves, Remexi, Remsec, Rising Sun, Rover, Ryuk, SDBot, SHOTPUT, SOUNDBITE, SPACESHIP, Seasalt, ShimRat, Skidmap, Smoke Loader, StreamEx, SynAck, TINYTYPHON, TSCookie, TYPEFRAME, TajMahal, TrickBot, UPPERCUT, USBStealer, USBferry, Volgmer, WINERACK, WannaCry, WinMM, WindTail, XAgentOSX, ZLib, Zebrocy, Zeus Panda, ZxShell, down_new, jRAT, njRAT, yty, zwShell", - "score": 130 - }, - { - "techniqueID": "T1573.001", - "comment": "executed by 3PARA RAT, 4H RAT, ADVSTORESHELL, Attor, Azorult, BADCALL, BADNEWS, BBSRAT, Bisonal, CHOPSTICK, CORESHELL, CallMe, Carbanak, Cardinal RAT, ChChes, Chaos, Comnie, CosmicDuke, Daserf, Derusbi, Dipsind, Downdelph, Dridex, Duqu, Ebury, Elise, Emissary, Epic, FALLCHILL, FakeM, Felismus, FlawedAmmyy, Gazer, GreyEnergy, H1N1, HAMMERTOSS, Helminth, Hi-Zor, HiddenWasp, Hikit, HotCroissant, Hydraq, InvisiMole, KEYMARBLE, Komplex, LightNeuron, Lurid, MoonWind, More_eggs, Mosquito, NDiskMonitor, NETEAGLE, NanoCore, Okrum, PLAINTEE, PLEAD, POWERTON, PoisonIvy, Prikormka, 
RIPTIDE, RTM, RedLeaves, Rifdoor, SNUGRIDE, Sakula, SeaDuke, Sys10, TSCookie, Taidoor, TrickBot, UPPERCUT, Volgmer, Winnti for Linux, ZeroT, down_new, gh0st RAT, httpclient", - "score": 77 - }, - { - "techniqueID": "T1082", - "comment": "executed by 4H RAT, ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, Attor, Avenger, Azorult, BACKSPACE, BADCALL, BISCUIT, BUBBLEWRAP, BabyShark, BackConfig, Backdoor.Oldrea, BadPatch, Bankshot, Bisonal, BlackEnergy, Brave Prince, Bundlore, CARROTBAT, CORESHELL, Cadelspy, Cannon, Cardinal RAT, ChChes, Comnie, CozyCar, Crimson, DarkComet, Denis, Derusbi, DownPaper, DustySky, Dyre, Elise, Emissary, Epic, FALLCHILL, FELIXROOT, Felismus, FinFisher, Final1stspy, FlawedAmmyy, Fysbis, GRIFFON, Get2, Gold Dragon, GravityRAT, HALFBAKED, HAPPYWORK, HAWKBALL, HOPLIGHT, HotCroissant, Hydraq, InnaputRAT, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KARAE, KEYMARBLE, KOMPROGO, KONNI, Kasidet, Kazuar, KeyBoy, Kwampirs, LightNeuron, Linfo, Lokibot, LoudMiner, MAZE, MURKYTOP, Machete, Micropsia, MirageFox, Mis-Type, Misdat, MobileOrder, MoonWind, More_eggs, NDiskMonitor, NETWIRE, NOKKI, Naid, NanHaiShu, NavRAT, Netwalker, OSInfo, OSX/Shlayer, OSX_OCEANLOTUS.D, OceanSalt, Octopus, Okrum, OopsIE, Orz, PLAINTEE, POORAIM, POWERSTATS, POWRUNER, PUNCHBUGGY, Pasam, PinchDuke, Pisloader, PoetRAT, Pony, PowerDuke, PowerShower, Prikormka, Proxysvc, RATANKBA, ROKRAT, RTM, Ramsay, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, RunningRAT, S-Type, SDBot, SHARPSTATS, SHUTTERSPEED, SLOWDRIFT, SOUNDBITE, SYSCON, ServHelper, Shamoon, Skidmap, SpeakUp, SslMM, StoneDrill, StreamEx, SynAck, Sys10, T9000, TURNEDUP, TYPEFRAME, TajMahal, TrickBot, UPPERCUT, Unknown Logger, Ursnif, VERMIN, Valak, Volgmer, WINDSHIELD, WINERACK, WinMM, Wingbird, XAgentOSX, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, build_downer, down_new, jRAT, njRAT, yty, zwShell", - "score": 168 - }, - { - "techniqueID": "T1057", - "comment": "executed by 4H RAT, ADVSTORESHELL, 
Agent Tesla, Aria-body, Astaroth, Avenger, Azorult, BACKSPACE, BBSRAT, BISCUIT, BLACKCOFFEE, BabyShark, Backdoor.Oldrea, Bankshot, Bisonal, BlackEnergy, Brave Prince, Bundlore, Cannon, Carbanak, Carbon, Cardinal RAT, ChChes, Comnie, Crimson, DarkComet, Derusbi, Duqu, DustySky, ELMER, Elise, Emotet, Epic, EvilBunny, FELIXROOT, FinFisher, Final1stspy, FruitFly, Fysbis, GeminiDuke, Get2, Gold Dragon, Goopy, GravityRAT, HALFBAKED, Helminth, HotCroissant, Hydraq, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kasidet, Kazuar, Komplex, Kwampirs, Linfo, LoudMiner, MAZE, Machete, Metamorfo, MobileOrder, MoonWind, Mosquito, NETEAGLE, NavRAT, OceanSalt, Orz, PLAINTEE, PLEAD, POORAIM, POWERSTATS, POWRUNER, Pasam, PlugX, PoetRAT, PowerDuke, PowerShower, PowerStallion, Proxysvc, RATANKBA, ROKRAT, RTM, Remsec, Rising Sun, RogueRobin, Ryuk, SHOTPUT, SYSCON, Seasalt, Skidmap, Socksbot, StreamEx, Sykipot, SynAck, TSCookie, TajMahal, Trojan.Karagany, UBoatRAT, USBferry, Ursnif, VERMIN, Valak, Volgmer, WINERACK, WinMM, XAgentOSX, Zebrocy, Zeus Panda, ZxShell, down_new, gh0st RAT, iKitten, jRAT, yty", - "score": 117 - }, - { - "techniqueID": "T1059.003", - "comment": "executed by 4H RAT, ABK, ADVSTORESHELL, Astaroth, AuditCred, BACKSPACE, BADNEWS, BBK, BISCUIT, BLACKCOFFEE, BONDUPDATER, BabyShark, BackConfig, Bandook, Bankshot, Bisonal, CALENDAR, CARROTBAT, Carbanak, Cardinal RAT, China Chopper, Cobian RAT, CoinTicker, ComRAT, Comnie, CozyCar, DarkComet, Daserf, DealersChoice, Denis, Dipsind, DownPaper, Emissary, Emotet, EvilBunny, Exaramel for Windows, FELIXROOT, Felismus, Gold Dragon, Goopy, GravityRAT, GreyEnergy, H1N1, HARDRAIN, HAWKBALL, HOMEFRY, HOPLIGHT, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, Hikit, HotCroissant, InnaputRAT, InvisiMole, Ixeshe, JCry, JHUHUGIT, JPIN, KEYMARBLE, KOMPROGO, KONNI, Kasidet, Kazuar, KeyBoy, LightNeuron, Linfo, LoudMiner, MAZE, MURKYTOP, MechaFlounder, Metamorfo, Micropsia, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, More_eggs, Mosquito, 
NETEAGLE, NanoCore, NavRAT, Netwalker, OceanSalt, Okrum, OopsIE, Orz, PHOREAL, PLAINTEE, PLEAD, POWRUNER, Pisloader, PlugX, PoisonIvy, Pony, PowerDuke, Proxysvc, Pteranodon, QUADAGENT, RATANKBA, RGDoor, RTM, Ragnar Locker, RedLeaves, Remexi, Revenge RAT, Rising Sun, RobbinHood, RogueRobin, RunningRAT, Ryuk, SDBot, SEASHARPEE, SNUGRIDE, SQLRat, SYSCON, Sakula, SamSam, SeaDuke, Seasalt, ServHelper, ShimRat, StreamEx, TDTESS, TEXTMATE, TSCookie, TURNEDUP, TYPEFRAME, TinyZBot, TrickBot, UBoatRAT, UPPERCUT, USBferry, Umbreon, Volgmer, WEBC2, Wiarp, XTunnel, ZLib, Zebrocy, Zeus Panda, ZxShell, adbupd, hcdLoader, httpclient, jRAT, njRAT, zwShell", - "score": 149 - }, - { - "techniqueID": "T1518.001", - "comment": "executed by ABK, Astaroth, Avenger, BadPatch, CHOPSTICK, Comnie, CozyCar, Crimson, DustySky, Epic, EvilBunny, FELIXROOT, Felismus, FinFisher, Flame, FlawedAmmyy, Gold Dragon, JPIN, Kasidet, Micropsia, More_eggs, Mosquito, Netwalker, POWERSTATS, POWRUNER, PUNCHBUGGY, Prikormka, ROKRAT, RTM, Remsec, RogueRobin, Skidmap, StoneDrill, StreamEx, T9000, TajMahal, VERMIN, Valak, Wingbird, YAHOYAH, Zeus Panda, build_downer, down_new, jRAT", - "score": 44 - }, - { - "techniqueID": "T1055", - "comment": "executed by ABK, Attor, AuditCred, Avenger, BBK, Backdoor.Oldrea, Cardinal RAT, Dyre, Gazer, HOPLIGHT, HyperBro, JHUHUGIT, JPIN, NavRAT, Ryuk, Smoke Loader, StoneDrill, TSCookie, Taidoor, Wiarp, Wingbird", - "score": 21 - }, - { - "techniqueID": "T1140", - "comment": "executed by ABK, Agent Tesla, Aria-body, Astaroth, AuditCred, Avenger, Azorult, BBK, BBSRAT, BOOSTWRITE, BackConfig, Bankshot, Bisonal, Bundlore, Carbon, Cardinal RAT, CoinTicker, ComRAT, DDKONG, Denis, Dyre, FinFisher, Final1stspy, Goopy, HiddenWasp, ISMInjector, InvisiMole, KONNI, Kwampirs, LightNeuron, MESSAGETAP, Machete, Metamorfo, MirageFox, More_eggs, NOKKI, Netwalker, OSX/Shlayer, Okrum, OopsIE, POWERSTATS, PUNCHBUGGY, PlugX, Proton, QUADAGENT, RGDoor, Ramsay, Remexi, Rising Sun, RogueRobin, SDBot, 
SQLRat, Shamoon, ShimRat, Skidmap, Smoke Loader, Starloader, TSCookie, TYPEFRAME, TrickBot, Ursnif, VERMIN, Valak, Volgmer, WindTail, Winnti for Linux, YAHOYAH, Zebrocy, ZeroT, Zeus Panda", - "score": 70 - }, - { - "techniqueID": "T1105", - "comment": "executed by ABK, Agent Tesla, Agent.btz, Aria-body, Astaroth, Attor, AuditCred, Avenger, Azorult, BADNEWS, BBK, BISCUIT, BONDUPDATER, BabyShark, BackConfig, BadPatch, Bankshot, Bisonal, Briba, Bundlore, CARROTBAT, CHOPSTICK, CORESHELL, Calisto, CallMe, Cannon, Cardinal RAT, ChChes, China Chopper, CloudDuke, CoinTicker, Crimson, DDKONG, DOGCALL, DarkComet, Daserf, Denis, Dipsind, Downdelph, Dyre, Elise, Emissary, EvilBunny, Exaramel for Linux, FELIXROOT, Felismus, Gazer, Gold Dragon, GreyEnergy, H1N1, HAPPYWORK, HOPLIGHT, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, HotCroissant, Hydraq, HyperBro, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KARAE, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, Kwampirs, LOWBALL, LightNeuron, Linfo, LoudMiner, Machete, MechaFlounder, Metamorfo, Micropsia, MiniDuke, Misdat, Mivast, MobileOrder, More_eggs, Mosquito, NDiskMonitor, NOKKI, NanHaiShu, NanoCore, NavRAT, Nerex, Netwalker, Nidiran, OSX_OCEANLOTUS.D, Octopus, Okrum, OopsIE, Orz, PLAINTEE, PLEAD, POSHSPY, POWERSOURCE, POWERSTATS, POWRUNER, PUNCHBUGGY, Pasam, Pisloader, PlugX, PoetRAT, PoisonIvy, Pony, PowerDuke, Psylo, Pteranodon, RARSTONE, RATANKBA, RGDoor, ROKRAT, RTM, RedLeaves, RemoteCMD, Remsec, Revenge RAT, RogueRobin, SDBot, SEASHARPEE, SHARPSTATS, SHUTTERSPEED, SLOWDRIFT, SQLRat, Sakula, SeaDuke, Seasalt, ServHelper, Shamoon, ShimRat, Skidmap, Smoke Loader, SpeakUp, StoneDrill, TDTESS, TSCookie, TURNEDUP, TYPEFRAME, TrickBot, Trojan.Karagany, UBoatRAT, UPPERCUT, Unknown Logger, Ursnif, VBShower, VERMIN, Valak, Vasport, Volgmer, WEBC2, Wiarp, Winnti for Linux, Xbash, YAHOYAH, ZLib, Zebrocy, ZeroT, Zeus Panda, ZxShell, build_downer, down_new, gh0st RAT, jRAT, njRAT", - "score": 170 - }, - { - "techniqueID": "T1027.003", - 
"comment": "executed by ABK, Avenger, BBK, Okrum, PowerDuke, build_downer", - "score": 6 - }, - { - "techniqueID": "T1106", - "comment": "executed by ADVSTORESHELL, Aria-body, Attor, BADNEWS, BBK, BackConfig, Bankshot, ComRAT, Denis, Goopy, HAWKBALL, HotCroissant, HyperBro, InnaputRAT, LightNeuron, MAZE, Metamorfo, Mosquito, Netwalker, PlugX, Pony, RDFSNIFFER, RTM, Ramsay, Rising Sun, Ryuk, ShimRat, SynAck, TrickBot, Ursnif, Volgmer, WindTail, XAgentOSX, build_downer", - "score": 34 - }, - { - "techniqueID": "T1027", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, Attor, AuditCred, Avenger, BOOSTWRITE, BackConfig, Bisonal, Bundlore, CARROTBAT, CORESHELL, Carbanak, Carbon, Cardinal RAT, CoinTicker, ComRAT, Comnie, CozyCar, DOGCALL, Daserf, Denis, DustySky, Ebury, Elise, Emissary, Emotet, Epic, Exaramel for Linux, FELIXROOT, FinFisher, Final1stspy, FlawedGrace, FruitFly, Fysbis, Gazer, Goopy, GravityRAT, GreyEnergy, H1N1, HAWKBALL, HOMEFRY, HTTPBrowser, Helminth, Hi-Zor, HiddenWasp, HotCroissant, Hydraq, ISMInjector, InnaputRAT, InvisiMole, JHUHUGIT, JPIN, Kazuar, KeyBoy, Kwampirs, LightNeuron, Lokibot, LoudMiner, MAZE, Machete, Matroyshka, Metamorfo, Micropsia, Mosquito, NOKKI, NanHaiShu, NanoCore, Netwalker, OLDBAIT, OSX_OCEANLOTUS.D, OopsIE, Orz, POSHSPY, POWERSTATS, PUNCHBUGGY, PUNCHTRACK, Pisloader, PoetRAT, PoisonIvy, Pony, PowerStallion, Prikormka, QUADAGENT, RTM, Ramsay, Reaver, RedLeaves, Remexi, Remsec, Rifdoor, Rising Sun, RogueRobin, SDBot, SHARPSTATS, SHOTPUT, SQLRat, Sakula, SamSam, Seasalt, Shamoon, ShimRat, Skidmap, Smoke Loader, SpeakUp, StoneDrill, StreamEx, SynAck, TINYTYPHON, TYPEFRAME, TajMahal, TrickBot, UBoatRAT, USBStealer, Ursnif, VERMIN, Valak, Volgmer, WindTail, Winnti for Linux, XTunnel, YAHOYAH, ZeroT, Zeus Panda, jRAT", - "score": 126 - }, - { - "techniqueID": "T1056.001", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Astaroth, Attor, BADNEWS, BISCUIT, BabyShark, BadPatch, Bandook, BlackEnergy, 
CHOPSTICK, Cadelspy, Carbanak, Cardinal RAT, Catchamas, Cobian RAT, CosmicDuke, DOGCALL, DarkComet, Daserf, Derusbi, Duqu, DustySky, EvilGrab, FakeM, Fysbis, GreyEnergy, HTTPBrowser, Helminth, JPIN, KONNI, Kasidet, KeyBoy, Kivars, Lokibot, MacSpy, Machete, Matroyshka, Micropsia, MoonWind, NETWIRE, NanoCore, NavRAT, NetTraveler, Okrum, OwaAuth, PlugX, PoetRAT, PoisonIvy, Prikormka, Proton, ROKRAT, RTM, Regin, Remexi, Remsec, Revenge RAT, Rover, RunningRAT, SslMM, Sykipot, TajMahal, TinyZBot, Unknown Logger, VERMIN, XAgentOSX, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, yty", - "score": 72 - }, - { - "techniqueID": "T1120", - "comment": "executed by ADVSTORESHELL, Attor, BADNEWS, BlackEnergy, Cadelspy, DustySky, FlawedAmmyy, Machete, MoonWind, Prikormka, RTM, Ragnar Locker, Ramsay, T9000, TajMahal, USBStealer, USBferry, WannaCry, Zebrocy, jRAT, njRAT", - "score": 21 - }, - { - "techniqueID": "T1070.004", - "comment": "executed by ADVSTORESHELL, Aria-body, Attor, AuditCred, Azorult, BBSRAT, BLACKCOFFEE, BabyShark, BackConfig, Backdoor.Oldrea, Bankshot, Bisonal, CARROTBAT, Calisto, Carbanak, Cardinal RAT, Cherry Picker, Denis, Derusbi, DustySky, Elise, Epic, EvilBunny, FALLCHILL, FELIXROOT, FruitFly, Fysbis, Gazer, Gold Dragon, GreyEnergy, HALFBAKED, HAWKBALL, HTTPBrowser, Hi-Zor, HotCroissant, Hydraq, HyperBro, InnaputRAT, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kazuar, Kivars, Komplex, LightNeuron, Linfo, LockerGoga, LoudMiner, MESSAGETAP, MURKYTOP, MacSpy, Machete, Metamorfo, Misdat, MoonWind, More_eggs, Mosquito, NOKKI, NanHaiShu, OSX_OCEANLOTUS.D, OceanSalt, Okrum, OopsIE, PLEAD, POWERSTATS, PUNCHBUGGY, Pasam, Pony, PowerDuke, PowerShower, Proton, Proxysvc, Pteranodon, QUADAGENT, RDFSNIFFER, ROKRAT, RTM, Reaver, RedLeaves, Remsec, Rising Sun, RunningRAT, SDBot, SQLRat, Sakula, SamSam, SeaDuke, Seasalt, ServHelper, ShimRat, SpeakUp, StoneDrill, TDTESS, TYPEFRAME, USBStealer, Ursnif, VBShower, VERMIN, Volgmer, WINDSHIELD, WindTail, Wingbird, 
XAgentOSX, Zebrocy, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, pngdowner, zwShell", - "score": 114 - }, - { - "techniqueID": "T1546.015", - "comment": "executed by ADVSTORESHELL, BBSRAT, ComRAT, JHUHUGIT, KONNI, Mosquito", - "score": 6 - }, - { - "techniqueID": "T1112", - "comment": "executed by ADVSTORESHELL, Attor, BACKSPACE, BADCALL, Bankshot, CHOPSTICK, Cardinal RAT, Catchamas, ComRAT, DarkComet, Exaramel for Windows, FELIXROOT, GreyEnergy, HOPLIGHT, Hydraq, InvisiMole, KEYMARBLE, KONNI, LoJax, Metamorfo, Mosquito, Naid, NanoCore, Nerex, Netwalker, PHOREAL, PLAINTEE, PlugX, PoetRAT, PoisonIvy, PowerShower, QUADAGENT, RTM, Regin, Rover, SOUNDBITE, Shamoon, ShimRat, StreamEx, SynAck, TYPEFRAME, TajMahal, TrickBot, Ursnif, Valak, Volgmer, Zeus Panda, njRAT, zwShell", - "score": 49 - }, - { - "techniqueID": "T1029", - "comment": "executed by ADVSTORESHELL, ComRAT, Dipsind, Kazuar, LightNeuron, Linfo, Machete, POWERSTATS, ShimRat, jRAT", - "score": 10 - }, - { - "techniqueID": "T1012", - "comment": "executed by ADVSTORESHELL, Attor, Azorult, BACKSPACE, BabyShark, Bankshot, Brave Prince, CHOPSTICK, Carbanak, Carbon, Cardinal RAT, ComRAT, Denis, Derusbi, DownPaper, Epic, FELIXROOT, FinFisher, Gold Dragon, HOPLIGHT, Hydraq, InvisiMole, JPIN, OSInfo, POWERSOURCE, POWRUNER, PlugX, Proxysvc, QUADAGENT, RATANKBA, ROKRAT, Reaver, Shamoon, StoneDrill, SynAck, Ursnif, Volgmer, WINDSHIELD, Zebrocy, Zeus Panda, ZxShell", - "score": 41 - }, - { - "techniqueID": "T1041", - "comment": "executed by ADVSTORESHELL, Astaroth, Attor, BACKSPACE, Bankshot, CallMe, Cannon, DustySky, Dyre, Emotet, Goopy, HAWKBALL, HOPLIGHT, HotCroissant, LightNeuron, Lokibot, Machete, MechaFlounder, MobileOrder, NETEAGLE, Okrum, OopsIE, PowerShower, Proxysvc, Psylo, Pteranodon, ROKRAT, Remexi, Rising Sun, TajMahal, Ursnif, Valak, Zebrocy", - "score": 33 - }, - { - "techniqueID": "T1560.003", - "comment": "executed by ADVSTORESHELL, Agent.btz, Attor, Duqu, FLASHFLOOD, HAWKBALL, InvisiMole, MESSAGETAP, 
Machete, Okrum, OopsIE, OwaAuth, RGDoor, Ramsay, RawPOS, Reaver, Rising Sun, SPACESHIP, T9000", - "score": 19 - }, - { - "techniqueID": "T1074.001", - "comment": "executed by ADVSTORESHELL, Astaroth, Attor, BADNEWS, BadPatch, Calisto, Carbon, Catchamas, Duqu, DustySky, Dyre, Elise, Exaramel for Windows, FLASHFLOOD, Gold Dragon, Helminth, InvisiMole, Kazuar, LightNeuron, MESSAGETAP, Machete, MoonWind, NOKKI, NavRAT, OopsIE, PUNCHBUGGY, PUNCHTRACK, PoisonIvy, Prikormka, Pteranodon, Ramsay, RawPOS, Rover, SPACESHIP, Trojan.Karagany, USBStealer, Ursnif, Zebrocy", - "score": 38 - }, - { - "techniqueID": "T1547.001", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Astaroth, BACKSPACE, BADNEWS, BBSRAT, BabyShark, Backdoor.Oldrea, BadPatch, Bisonal, BlackEnergy, Briba, CORESHELL, Carbanak, Cardinal RAT, ChChes, Cobian RAT, Comnie, CozyCar, CrossRAT, DarkComet, DownPaper, DustySky, Elise, Emissary, Emotet, EvilBunny, EvilGrab, FELIXROOT, FLASHFLOOD, FinFisher, Final1stspy, GRIFFON, Gazer, Gold Dragon, HTTPBrowser, Helminth, Hi-Zor, InnaputRAT, Ixeshe, JCry, JHUHUGIT, KONNI, Kasidet, Kazuar, LoJax, Matroyshka, Metamorfo, Mivast, Mosquito, NETEAGLE, NETWIRE, NOKKI, NanHaiShu, NanoCore, NavRAT, Okrum, PLAINTEE, POWERSOURCE, POWERTON, PUNCHBUGGY, Pisloader, PlugX, PoetRAT, PoisonIvy, PowerDuke, PowerShower, Prikormka, Pteranodon, RTM, Reaver, RedLeaves, Remexi, Revenge RAT, Rifdoor, RogueRobin, Rover, RunningRAT, Ryuk, S-Type, SDBot, SHIPSHAPE, SNUGRIDE, SPACESHIP, Sakula, SeaDuke, Seasalt, ServHelper, ShimRat, Smoke Loader, SslMM, Sykipot, TINYTYPHON, TURNEDUP, TinyZBot, TrickBot, Trojan.Karagany, Truvasys, USBStealer, Ursnif, VBShower, Vasport, Xbash, Zebrocy, Zeus Panda, build_downer, gh0st RAT, njRAT", - "score": 109 - }, - { - "techniqueID": "T1560", - "comment": "executed by ADVSTORESHELL, Agent Tesla, Aria-body, Backdoor.Oldrea, Cadelspy, Daserf, Emotet, Epic, Exaramel for Windows, FELIXROOT, Gold Dragon, LightNeuron, Lurid, Machete, OSX_OCEANLOTUS.D, 
Prikormka, Proton, Remexi, RunningRAT, VERMIN, Zebrocy", - "score": 21 - }, - { - "techniqueID": "T1132.001", - "comment": "executed by ADVSTORESHELL, Astaroth, AutoIt backdoor, BADNEWS, BS2005, BabyShark, Backdoor.Oldrea, CORESHELL, Carbanak, ChChes, Cobian RAT, Daserf, Denis, Dipsind, Ebury, Elise, Felismus, Fysbis, HOPLIGHT, Helminth, Ixeshe, JHUHUGIT, KONNI, Kazuar, MechaFlounder, Mis-Type, Misdat, More_eggs, Octopus, Okrum, OopsIE, POWERSTATS, POWRUNER, Pisloader, PowerShower, Prikormka, QUADAGENT, Revenge RAT, RogueRobin, S-Type, SeaDuke, SpeakUp, Zebrocy, down_new, njRAT", - "score": 45 - }, - { - "techniqueID": "T1218.011", - "comment": "executed by ADVSTORESHELL, Attor, Bisonal, Briba, CORESHELL, Comnie, CozyCar, DDKONG, Elise, Emissary, FELIXROOT, Flame, GreyEnergy, JHUHUGIT, KONNI, Kwampirs, Matroyshka, Mosquito, NOKKI, NotPetya, PUNCHBUGGY, PowerDuke, Prikormka, Pteranodon, RTM, Ragnar Locker, Sakula, ServHelper, StreamEx, USBferry, Winnti for Windows, ZxShell, gh0st RAT", - "score": 33 - }, - { - "techniqueID": "T1573.002", - "comment": "executed by ADVSTORESHELL, Attor, BISCUIT, CHOPSTICK, ComRAT, Dridex, Emotet, Gazer, GreyEnergy, Hi-Zor, Metamorfo, POSHSPY, POWERSTATS, PoetRAT, ServHelper, Sykipot, Volgmer, WannaCry, XTunnel, Zebrocy, adbupd", - "score": 21 - }, - { - "techniqueID": "T1505.003", - "comment": "executed by ASPXSpy, China Chopper, OwaAuth, SEASHARPEE", - "score": 4 - }, - { - "techniqueID": "T1124", - "comment": "executed by Agent Tesla, Astaroth, Azorult, Cannon, Carbon, Epic, EvilBunny, FELIXROOT, GRIFFON, GravityRAT, HOPLIGHT, InvisiMole, Metamorfo, MoonWind, NOKKI, Okrum, OopsIE, PowerDuke, Proxysvc, RTM, SHARPSTATS, Shamoon, StoneDrill, T9000, TajMahal, UPPERCUT, WindTail, Zebrocy, Zeus Panda, build_downer", - "score": 30 - }, - { - "techniqueID": "T1115", - "comment": "executed by Agent Tesla, Astaroth, Attor, Cadelspy, Catchamas, CosmicDuke, DarkComet, Helminth, JHUHUGIT, KONNI, MacSpy, Machete, RTM, Remexi, RunningRAT, 
TajMahal, TinyZBot, VERMIN, Zeus Panda, jRAT", - "score": 20 - }, - { - "techniqueID": "T1033", - "comment": "executed by Agent Tesla, Agent.btz, Aria-body, Azorult, BISCUIT, BabyShark, Backdoor.Oldrea, Cannon, Cardinal RAT, DarkComet, Denis, Derusbi, DownPaper, Dyre, Epic, FELIXROOT, Felismus, FlawedAmmyy, Gazer, Get2, Gold Dragon, Goopy, GravityRAT, HAPPYWORK, HAWKBALL, HotCroissant, InvisiMole, Ixeshe, JPIN, KONNI, Kazuar, Komplex, Kwampirs, Linux Rabbit, Lokibot, MechaFlounder, Micropsia, MirageFox, Mis-Type, MoonWind, More_eggs, Mosquito, NDiskMonitor, NOKKI, NanHaiShu, Octopus, Okrum, POWERSTATS, POWRUNER, PoetRAT, PowerDuke, PowerShower, Prikormka, QUADAGENT, RATANKBA, RGDoor, RTM, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, SDBot, SHARPSTATS, ServHelper, SpeakUp, SslMM, SynAck, Sys10, T9000, UPPERCUT, Unknown Logger, VERMIN, Valak, WINDSHIELD, WINERACK, WinMM, XAgentOSX, Zebrocy, ZxShell, njRAT, yty, zwShell", - "score": 85 - }, - { - "techniqueID": "T1562.001", - "comment": "executed by Agent Tesla, Brave Prince, Bundlore, ChChes, DarkComet, Gold Dragon, Goopy, H1N1, HDoor, JPIN, LockerGoga, MAZE, NanHaiShu, NanoCore, Netwalker, OSX/Shlayer, POWERSTATS, Proton, Ragnar Locker, RobbinHood, RunningRAT, Ryuk, Skidmap, SslMM, TinyZBot, TrickBot, Unknown Logger, ZxShell", - "score": 28 - }, - { - "techniqueID": "T1087.001", - "comment": "executed by Agent Tesla, Bankshot, Carbon, Comnie, Duqu, Elise, Epic, GeminiDuke, InvisiMole, Kazuar, Kwampirs, MURKYTOP, Mis-Type, OSInfo, POWERSTATS, PUNCHBUGGY, Pony, RATANKBA, Remsec, S-Type, SHOTPUT, TrickBot, USBferry, Valak", - "score": 24 - }, - { - "techniqueID": "T1048.003", - "comment": "executed by Agent Tesla, Brave Prince, CORALDECK, Carbon, Cherry Picker, CosmicDuke, KONNI, PoetRAT, Remsec, WindTail", - "score": 10 - }, - { - "techniqueID": "T1113", - "comment": "executed by Agent Tesla, Aria-body, Attor, Azorult, BADNEWS, BISCUIT, BadPatch, Bandook, BlackEnergy, CHOPSTICK, Cadelspy, 
Cannon, Carbanak, Cardinal RAT, Catchamas, Cobian RAT, CosmicDuke, Crimson, CrossRAT, DOGCALL, Daserf, Derusbi, DustySky, EvilGrab, FinFisher, Flame, FruitFly, GRIFFON, HALFBAKED, HotCroissant, Hydraq, HyperBro, InvisiMole, JHUHUGIT, Janicab, KEYMARBLE, KONNI, Kasidet, Kazuar, KeyBoy, Kivars, MacSpy, Machete, Matroyshka, Micropsia, NETWIRE, Octopus, POORAIM, POWERSTATS, POWRUNER, PlugX, PoetRAT, Prikormka, Proton, Pteranodon, ROKRAT, RTM, RedLeaves, Remexi, Revenge RAT, RogueRobin, Rover, SHUTTERSPEED, Socksbot, StoneDrill, T9000, TURNEDUP, TajMahal, TinyZBot, Trojan.Karagany, UPPERCUT, Ursnif, VERMIN, Valak, XAgentOSX, ZLib, Zebrocy, Zeus Panda, ZxShell, gh0st RAT, jRAT, njRAT, yty", - "score": 83 - }, - { - "techniqueID": "T1016", - "comment": "executed by Agent Tesla, Agent.btz, Aria-body, Astaroth, Avenger, Azorult, BADCALL, BabyShark, Backdoor.Oldrea, Bisonal, BlackEnergy, Brave Prince, Calisto, Carbon, Catchamas, Comnie, Crimson, Denis, Duqu, Dyre, Elise, Emissary, Epic, FALLCHILL, FELIXROOT, Felismus, GeminiDuke, GravityRAT, HotCroissant, Hydraq, InvisiMole, Ixeshe, JHUHUGIT, JPIN, KEYMARBLE, KONNI, Kazuar, KeyBoy, Kwampirs, LightNeuron, Lokibot, LoudMiner, Machete, Mis-Type, MoonWind, More_eggs, Mosquito, NOKKI, Naid, NanHaiShu, NanoCore, OSInfo, OceanSalt, Octopus, Okrum, Olympic Destroyer, Orz, PLAINTEE, POWERSTATS, POWRUNER, Pisloader, PowerDuke, PowerShower, Prikormka, Proxysvc, QUADAGENT, RATANKBA, Reaver, RedLeaves, Remsec, Revenge RAT, Rifdoor, Rising Sun, RogueRobin, Ryuk, SDBot, SHARPSTATS, Shamoon, SpeakUp, Sykipot, Sys10, T9000, TSCookie, TajMahal, TrickBot, UPPERCUT, USBferry, Unknown Logger, VERMIN, Valak, Volgmer, WannaCry, Xbash, Zebrocy, ZeroT, down_new, iKitten, jRAT, yty, zwShell", - "score": 100 - }, - { - "techniqueID": "T1125", - "comment": "executed by Agent Tesla, Bandook, Cobian RAT, DarkComet, Derusbi, EvilGrab, InvisiMole, Kazuar, Machete, NanoCore, PoetRAT, Revenge RAT, SDBot, T9000, TajMahal, ZxShell, jRAT, njRAT", - "score": 18 
- }, - { - "techniqueID": "T1071.003", - "comment": "executed by Agent Tesla, BadPatch, CHOPSTICK, CORESHELL, Cannon, ComRAT, Goopy, JPIN, LightNeuron, NavRAT, OLDBAIT, Remsec, Zebrocy", - "score": 13 - }, - { - "techniqueID": "T1555", - "comment": "executed by Agent Tesla, Astaroth, CosmicDuke, Lokibot, Matroyshka, OLDBAIT, PLEAD, PinchDuke, Prikormka, Proton, ROKRAT", - "score": 11 - }, - { - "techniqueID": "T1564.003", - "comment": "executed by Agent Tesla, Astaroth, BONDUPDATER, HAMMERTOSS, HotCroissant, KeyBoy, Kivars, Metamorfo, PowerShower, Ursnif, WindTail", - "score": 11 - }, - { - "techniqueID": "T1497", - "comment": "executed by Agent Tesla, CHOPSTICK, CozyCar, Metamorfo, RTM, StoneDrill", - "score": 6 - }, - { - "techniqueID": "T1185", - "comment": "executed by Agent Tesla, Dridex, TrickBot, Ursnif", - "score": 4 - }, - { - "techniqueID": "T1204.002", - "comment": "executed by Agent Tesla, Bundlore, Cardinal RAT, Emotet, JCry, Lokibot, OSX/Shlayer, PLEAD, PoetRAT, Pony, RTM, Rifdoor, SQLRat, SYSCON, TYPEFRAME, TrickBot, Valak", - "score": 17 - }, - { - "techniqueID": "T1091", - "comment": "executed by Agent.btz, CHOPSTICK, DustySky, Flame, H1N1, Ramsay, SHIPSHAPE, USBStealer, USBferry, Unknown Logger, Ursnif, njRAT", - "score": 12 - }, - { - "techniqueID": "T1052.001", - "comment": "executed by Agent.btz, Machete, Remsec, SPACESHIP, USBStealer", - "score": 5 - }, - { - "techniqueID": "T1055.001", - "comment": "executed by Aria-body, BlackEnergy, Carbon, ComRAT, Derusbi, Duqu, Dyre, Elise, Emissary, Emotet, FinFisher, Get2, HIDEDRV, Kazuar, MAZE, Matroyshka, Metamorfo, Netwalker, PoisonIvy, RARSTONE, RATANKBA, Ramsay, Remsec, SDBot, Socksbot, Sykipot, TajMahal, ZxShell", - "score": 28 - }, - { - "techniqueID": "T1568.002", - "comment": "executed by Aria-body, BONDUPDATER, CCBkdr, CHOPSTICK, Ebury, POSHSPY, Ursnif", - "score": 7 - }, - { - "techniqueID": "T1049", - "comment": "executed by Aria-body, BlackEnergy, Carbon, Comnie, Duqu, Epic, GravityRAT, 
Kwampirs, MAZE, MESSAGETAP, Machete, OSInfo, Okrum, POWRUNER, PlugX, RATANKBA, RedLeaves, Remsec, SHOTPUT, SpeakUp, Sykipot, USBferry, Volgmer, Zebrocy, jRAT", - "score": 25 - }, - { - "techniqueID": "T1095", - "comment": "executed by Aria-body, BUBBLEWRAP, Carbon, Crimson, Derusbi, FakeM, HiddenWasp, Mis-Type, Misdat, MoonWind, NETEAGLE, PHOREAL, PlugX, RARSTONE, Reaver, Regin, Remsec, SDBot, TSCookie, Umbreon, WINDSHIELD, Winnti for Linux", - "score": 22 - }, - { - "techniqueID": "T1025", - "comment": "executed by Aria-body, BADNEWS, CosmicDuke, Crimson, FLASHFLOOD, GravityRAT, Machete, Prikormka, Ramsay, Remsec, Rover, TajMahal, USBStealer", - "score": 13 - }, - { - "techniqueID": "T1090", - "comment": "executed by Aria-body, AuditCred, BADCALL, Cardinal RAT, Dridex, HARDRAIN, HOPLIGHT, PLEAD, SDBot, Socksbot, TSCookie, TYPEFRAME, Ursnif, Vasport, XTunnel, ZxShell, jRAT", - "score": 17 - }, - { - "techniqueID": "T1134.001", - "comment": "executed by Aria-body, FinFisher, Okrum, Shamoon", - "score": 4 - }, - { - "techniqueID": "T1134.002", - "comment": "executed by Aria-body, Azorult, Bankshot, KONNI, ZxShell", - "score": 5 - }, - { - "techniqueID": "T1010", - "comment": "executed by Aria-body, Attor, Cadelspy, Catchamas, Duqu, HotCroissant, Kazuar, Machete, NetTraveler, PLEAD, PoisonIvy, PowerDuke, Remexi, SOUNDBITE, WINERACK, njRAT", - "score": 16 - }, - { - "techniqueID": "T1027.002", - "comment": "executed by Astaroth, China Chopper, DarkComet, Daserf, Dyre, Emotet, FinFisher, GreyEnergy, H1N1, HotCroissant, Lokibot, Machete, OSX_OCEANLOTUS.D, OopsIE, SDBot, SeaDuke, ShimRat, TrickBot, Trojan.Karagany, Uroburos, VERMIN, Zebrocy, ZeroT, jRAT, yty", - "score": 25 - }, - { - "techniqueID": "T1220", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1218.001", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1047", - "comment": "executed by Astaroth, BlackEnergy, DustySky, Emotet, EvilBunny, FELIXROOT, 
FlawedAmmyy, GravityRAT, HALFBAKED, HOPLIGHT, KOMPROGO, Kazuar, MAZE, Micropsia, Mosquito, Netwalker, NotPetya, Octopus, Olympic Destroyer, OopsIE, POWERSTATS, POWRUNER, RATANKBA, Remexi, RogueRobin, StoneDrill, Ursnif, WannaCry, Zebrocy, jRAT", - "score": 30 - }, - { - "techniqueID": "T1059.007", - "comment": "executed by Astaroth, Bundlore, GRIFFON, Metamorfo, NanHaiShu, POWERSTATS, Xbash, jRAT", - "score": 8 - }, - { - "techniqueID": "T1547.009", - "comment": "executed by Astaroth, BACKSPACE, BlackEnergy, Comnie, FELIXROOT, Gazer, Helminth, KONNI, Kazuar, Micropsia, Okrum, Reaver, RedLeaves, RogueRobin, S-Type, SHIPSHAPE, SPACESHIP, SeaDuke, SslMM, TinyZBot", - "score": 20 - }, - { - "techniqueID": "T1129", - "comment": "executed by Astaroth, Attor, BOOSTWRITE, Hydraq, PUNCHBUGGY, TajMahal", - "score": 6 - }, - { - "techniqueID": "T1218.010", - "comment": "executed by Astaroth, Derusbi, Hi-Zor, More_eggs, Orz, Ragnar Locker, RogueRobin, Valak, Xbash", - "score": 9 - }, - { - "techniqueID": "T1055.012", - "comment": "executed by Astaroth, Azorult, BADNEWS, BBSRAT, Bandook, Denis, Duqu, ISMInjector, Lokibot, Orz, Smoke Loader, TrickBot, Ursnif", - "score": 13 - }, - { - "techniqueID": "T1552", - "comment": "executed by Astaroth", - "score": 1 - }, - { - "techniqueID": "T1564.001", - "comment": "executed by Attor, BackConfig, Calisto, CoinTicker, FruitFly, Ixeshe, Komplex, Lokibot, LoudMiner, MacSpy, Machete, Micropsia, OSX/Shlayer, OSX_OCEANLOTUS.D, Okrum, PoetRAT, Rising Sun, WannaCry, iKitten", - "score": 19 - }, - { - "techniqueID": "T1119", - "comment": "executed by Attor, BADNEWS, Bankshot, Comnie, Helminth, InvisiMole, LightNeuron, MESSAGETAP, Micropsia, PoetRAT, Proxysvc, RTM, Ramsay, Rover, T9000, TajMahal, USBStealer, VERMIN, WindTail, Zebrocy", - "score": 20 - }, - { - "techniqueID": "T1569.002", - "comment": "executed by Attor, BBSRAT, HOPLIGHT, Hydraq, HyperBro, LoudMiner, Net Crawler, Netwalker, NotPetya, Okrum, Olympic Destroyer, Proxysvc, Ragnar 
Locker, RemoteCMD, Shamoon, Wingbird", - "score": 16 - }, - { - "techniqueID": "T1037.001", - "comment": "executed by Attor, JHUHUGIT, Zebrocy", - "score": 3 - }, - { - "techniqueID": "T1053.005", - "comment": "executed by Attor, BADNEWS, BONDUPDATER, BackConfig, Carbon, ComRAT, CosmicDuke, CozyCar, Duqu, Dyre, Emotet, EvilBunny, GRIFFON, Gazer, Goopy, GravityRAT, Helminth, HotCroissant, ISMInjector, JHUHUGIT, Machete, Matroyshka, NotPetya, Okrum, OopsIE, POWERSTATS, POWRUNER, Pteranodon, QUADAGENT, RTM, Ramsay, Remexi, RemoteCMD, Revenge RAT, SQLRat, ServHelper, Shamoon, Smoke Loader, TrickBot, Valak, yty, zwShell", - "score": 42 - }, - { - "techniqueID": "T1497.001", - "comment": "executed by Attor, BadPatch, Denis, Dyre, EvilBunny, FinFisher, GravityRAT, OSX_OCEANLOTUS.D, Okrum, OopsIE, PlugX, PoetRAT, ROKRAT, RogueRobin, Smoke Loader, SynAck, UBoatRAT, yty", - "score": 18 - }, - { - "techniqueID": "T1090.003", - "comment": "executed by Attor, Dok, GreyEnergy, Keydnap, MacSpy, Ursnif, WannaCry", - "score": 7 - }, - { - "techniqueID": "T1055.004", - "comment": "executed by Attor, TURNEDUP", - "score": 2 - }, - { - "techniqueID": "T1071.002", - "comment": "executed by Attor, JPIN, Kazuar, Machete, NOKKI, SYSCON, XAgentOSX, ZxShell", - "score": 8 - }, - { - "techniqueID": "T1020", - "comment": "executed by Attor, CosmicDuke, LightNeuron, Machete, Rover, TINYTYPHON, TajMahal, USBStealer", - "score": 8 - }, - { - "techniqueID": "T1543.003", - "comment": "executed by Attor, AuditCred, BBSRAT, Bankshot, BlackEnergy, Briba, Carbon, Catchamas, CosmicDuke, CozyCar, Duqu, Dyre, Elise, Emissary, Emotet, Exaramel for Windows, FinFisher, GreyEnergy, Hydraq, InnaputRAT, JHUHUGIT, Kazuar, KeyBoy, Kwampirs, LoudMiner, MoonWind, Naid, Nerex, Nidiran, Okrum, PlugX, PoisonIvy, Ragnar Locker, RawPOS, Reaver, Sakula, Seasalt, Shamoon, ShimRat, StreamEx, TDTESS, TYPEFRAME, TinyZBot, Ursnif, Volgmer, WannaCry, Wiarp, Wingbird, Winnti for Windows, ZLib, ZeroT, ZxShell, gh0st RAT, 
hcdLoader, zwShell", - "score": 55 - }, - { - "techniqueID": "T1123", - "comment": "executed by Attor, Bandook, Cadelspy, Cobian RAT, DOGCALL, DarkComet, Derusbi, EvilGrab, Flame, InvisiMole, Janicab, MacSpy, Machete, Micropsia, NanoCore, ROKRAT, Revenge RAT, T9000, TajMahal, VERMIN, jRAT", - "score": 21 - }, - { - "techniqueID": "T1036.004", - "comment": "executed by Attor, Catchamas, ComRAT, Exaramel for Windows, Fysbis, InnaputRAT, Kwampirs, Machete, Nidiran, Okrum, POWERSTATS, PlugX, RTM, RawPOS, Seasalt, Shamoon, ShimRat, Truvasys, Volgmer, build_downer", - "score": 20 - }, - { - "techniqueID": "T1059.001", - "comment": "executed by AutoIt backdoor, BONDUPDATER, ComRAT, Denis, DownPaper, Emotet, GRIFFON, HALFBAKED, HAMMERTOSS, Helminth, JCry, KONNI, KeyBoy, Mosquito, Netwalker, OSX_OCEANLOTUS.D, POSHSPY, POWERSOURCE, POWERSTATS, POWERTON, POWRUNER, PUNCHBUGGY, PowerShower, PowerStallion, QUADAGENT, RATANKBA, Revenge RAT, RogueRobin, SHARPSTATS, SQLRat, SeaDuke, ServHelper, Socksbot, Ursnif, Valak, Xbash, Zeus Panda", - "score": 37 - }, - { - "techniqueID": "T1548.002", - "comment": "executed by AutoIt backdoor, BlackEnergy, Downdelph, FinFisher, H1N1, InvisiMole, KONNI, PLAINTEE, RTM, Ramsay, Sakula, Shamoon, ShimRat, ZeroT", - "score": 14 - }, - { - "techniqueID": "T1552.001", - "comment": "executed by Azorult, BlackEnergy, Emotet, Smoke Loader, TrickBot, XTunnel, jRAT, pngdowner", - "score": 8 - }, - { - "techniqueID": "T1555.003", - "comment": "executed by Azorult, Backdoor.Oldrea, BlackEnergy, ChChes, CosmicDuke, Crimson, Emotet, H1N1, KONNI, KeyBoy, Lokibot, Machete, OLDBAIT, Olympic Destroyer, PLEAD, PinchDuke, PoetRAT, Prikormka, Proton, ROKRAT, RedLeaves, Smoke Loader, TSCookie, TrickBot, Unknown Logger, XAgentOSX, Zebrocy, jRAT, njRAT", - "score": 29 - }, - { - "techniqueID": "T1562.004", - "comment": "executed by BACKSPACE, BADCALL, DarkComet, H1N1, HARDRAIN, HOPLIGHT, InvisiMole, Kasidet, NanoCore, Remsec, TYPEFRAME, ZxShell, njRAT", - "score": 13 - 
}, - { - "techniqueID": "T1090.001", - "comment": "executed by BACKSPACE, CHOPSTICK, Duqu, Hikit, InvisiMole", - "score": 5 - }, - { - "techniqueID": "T1104", - "comment": "executed by BACKSPACE, BLACKCOFFEE, Chaos", - "score": 3 - }, - { - "techniqueID": "T1132.002", - "comment": "executed by BACKSPACE, Bankshot, OceanSalt", - "score": 3 - }, - { - "techniqueID": "T1001.003", - "comment": "executed by BADCALL, Bankshot, FALLCHILL, FakeM, HARDRAIN, KeyBoy, Okrum", - "score": 7 - }, - { - "techniqueID": "T1571", - "comment": "executed by BADCALL, Bankshot, Derusbi, Emotet, GravityRAT, HARDRAIN, HOPLIGHT, MoonWind, PoetRAT, RTM, RedLeaves, TYPEFRAME, TrickBot", - "score": 13 - }, - { - "techniqueID": "T1574.002", - "comment": "executed by BADNEWS, BBSRAT, Denis, FinFisher, Goopy, HTTPBrowser, HyperBro, Metamorfo, OwaAuth, PlugX, Sakula, T9000, Wingbird, ZeroT, gh0st RAT", - "score": 15 - }, - { - "techniqueID": "T1039", - "comment": "executed by BADNEWS, CosmicDuke, Ramsay", - "score": 3 - }, - { - "techniqueID": "T1005", - "comment": "executed by BADNEWS, BadPatch, Bankshot, Calisto, China Chopper, CosmicDuke, FLASHFLOOD, Goopy, GravityRAT, Hydraq, Ixeshe, Kazuar, LightNeuron, Linfo, Machete, MobileOrder, POWERSTATS, PUNCHTRACK, Pasam, PinchDuke, PoisonIvy, Proxysvc, ROKRAT, Ramsay, RawPOS, Rover, SDBot, ShimRat, TajMahal, TrickBot, USBferry, Ursnif, njRAT, yty", - "score": 34 - }, - { - "techniqueID": "T1553.002", - "comment": "executed by BADNEWS, BOOSTWRITE, BackConfig, ChChes, Daserf, Ebury, Epic, Gazer, GreyEnergy, Helminth, Janicab, LockerGoga, Metamorfo, More_eggs, NETWIRE, Nerex, RTM", - "score": 17 - }, - { - "techniqueID": "T1102.001", - "comment": "executed by BADNEWS, BLACKCOFFEE, MiniDuke, PlugX, RTM, Xbash", - "score": 6 - }, - { - "techniqueID": "T1132", - "comment": "executed by BADNEWS, H1N1, Linux Rabbit, Ursnif", - "score": 4 - }, - { - "techniqueID": "T1036.005", - "comment": "executed by BADNEWS, BackConfig, Bundlore, Calisto, ChChes, DarkComet, 
Daserf, Elise, Felismus, FinFisher, Fysbis, Goopy, HTTPBrowser, InnaputRAT, InvisiMole, Ixeshe, KONNI, LightNeuron, Machete, MechaFlounder, Metamorfo, Mis-Type, Misdat, NOKKI, OLDBAIT, OSX/Shlayer, OwaAuth, PUNCHBUGGY, Pony, QUADAGENT, Ramsay, Remsec, Ryuk, S-Type, Skidmap, SslMM, Starloader, USBStealer, Ursnif, Winnti for Windows, ZLib", - "score": 41 - }, - { - "techniqueID": "T1102.002", - "comment": "executed by BADNEWS, BLACKCOFFEE, CALENDAR, CloudDuke, ComRAT, Comnie, CozyCar, DOGCALL, GLOOXMAIL, KARAE, Kazuar, LOWBALL, Orz, POORAIM, PowerStallion, ROKRAT, Revenge RAT, RogueRobin, SLOWDRIFT, Twitoor, UBoatRAT, yty", - "score": 22 - }, - { - "techniqueID": "T1007", - "comment": "executed by BBSRAT, Comnie, Dyre, Elise, Emissary, Epic, GeminiDuke, GravityRAT, GreyEnergy, HotCroissant, Hydraq, HyperBro, InvisiMole, Ixeshe, JPIN, Kwampirs, RATANKBA, S-Type, Sykipot, SynAck, TrickBot, Ursnif, Volgmer, WINERACK, ZLib, ZxShell, jRAT", - "score": 27 - }, - { - "techniqueID": "T1560.002", - "comment": "executed by BBSRAT, Cardinal RAT, Denis, Epic, SeaDuke, TajMahal, ZLib", - "score": 7 - }, - { - "techniqueID": "T1008", - "comment": "executed by BISCUIT, BlackEnergy, CHOPSTICK, Cardinal RAT, Derusbi, DustySky, HOPLIGHT, JHUHUGIT, Kazuar, Kwampirs, Linfo, Machete, MiniDuke, Mis-Type, NETEAGLE, QUADAGENT, S-Type, ShimRat, SslMM, WinMM, XTunnel", - "score": 21 - }, - { - "techniqueID": "T1071.004", - "comment": "executed by BONDUPDATER, Cobian RAT, Denis, Ebury, Goopy, HTTPBrowser, Helminth, Matroyshka, NanHaiShu, POWERSOURCE, POWRUNER, Pisloader, PlugX, QUADAGENT, Remsec, SOUNDBITE, TEXTMATE", - "score": 17 - }, - { - "techniqueID": "T1574.001", - "comment": "executed by BOOSTWRITE, Downdelph, FinFisher, HTTPBrowser, Hikit, InvisiMole, MirageFox, Prikormka, RedLeaves, WEBC2", - "score": 10 - }, - { - "techniqueID": "T1542.003", - "comment": "executed by BOOTRASH, FinFisher, ROCKBOOT", - "score": 3 - }, - { - "techniqueID": "T1564.005", - "comment": "executed by 
BOOTRASH, ComRAT, Regin", - "score": 3 - }, - { - "techniqueID": "T1204.001", - "comment": "executed by BackConfig, Emotet, PLEAD, Pony, TSCookie", - "score": 5 - }, - { - "techniqueID": "T1059.005", - "comment": "executed by BackConfig, Bisonal, Comnie, Emotet, Exaramel for Windows, Goopy, Helminth, JCry, KeyBoy, NanHaiShu, NanoCore, OSX_OCEANLOTUS.D, OopsIE, POWERSTATS, PoetRAT, PowerShower, QUADAGENT, Ramsay, Remexi, Smoke Loader, StoneDrill, TYPEFRAME, Ursnif, VBShower, Xbash, jRAT", - "score": 26 - }, - { - "techniqueID": "T1137.001", - "comment": "executed by BackConfig", - "score": 1 - }, - { - "techniqueID": "T1087.003", - "comment": "executed by Backdoor.Oldrea, Emotet, TrickBot", - "score": 3 - }, - { - "techniqueID": "T1203", - "comment": "executed by Bankshot, DealersChoice, EvilBunny, HAWKBALL, Ramsay, SpeakUp, Xbash", - "score": 7 - }, - { - "techniqueID": "T1070", - "comment": "executed by Bankshot, Goopy, MAZE, Misdat, Orz, PoetRAT, Prikormka, RTM, Rising Sun, SDBot", - "score": 10 - }, - { - "techniqueID": "T1087.002", - "comment": "executed by Bankshot, OSInfo, POWRUNER, Sykipot, Valak", - "score": 5 - }, - { - "techniqueID": "T1485", - "comment": "executed by BlackEnergy, Kazuar, Olympic Destroyer, PowerDuke, Proxysvc, Shamoon, StoneDrill, Xbash", - "score": 8 - }, - { - "techniqueID": "T1021.002", - "comment": "executed by BlackEnergy, Duqu, Emotet, Kwampirs, Net Crawler, NotPetya, Olympic Destroyer, Regin, Shamoon, zwShell", - "score": 10 - }, - { - "techniqueID": "T1046", - "comment": "executed by BlackEnergy, China Chopper, HDoor, MURKYTOP, Ramsay, Remsec, SpeakUp, XTunnel, Xbash, ZxShell", - "score": 10 - }, - { - "techniqueID": "T1070.001", - "comment": "executed by BlackEnergy, FinFisher, Hydraq, NotPetya, Olympic Destroyer, RunningRAT, SynAck, ZxShell, gh0st RAT", - "score": 9 - }, - { - "techniqueID": "T1574.010", - "comment": "executed by BlackEnergy", - "score": 1 - }, - { - "techniqueID": "T1189", - "comment": "executed by Bundlore, 
KARAE, LoudMiner, POORAIM", - "score": 4 - }, - { - "techniqueID": "T1056.002", - "comment": "executed by Bundlore, Calisto, Dok, Keydnap, Proton, iKitten", - "score": 6 - }, - { - "techniqueID": "T1059.004", - "comment": "executed by Bundlore, CallMe, Chaos, CoinTicker, Derusbi, Exaramel for Linux, Fysbis, Kazuar, LoudMiner, OSX/Shlayer, Proton, Skidmap, WindTail", - "score": 13 - }, - { - "techniqueID": "T1543.001", - "comment": "executed by Bundlore, Calisto, CoinTicker, CrossRAT, Dok, FruitFly, Keydnap, Komplex, MacSpy, OSX_OCEANLOTUS.D, Proton", - "score": 11 - }, - { - "techniqueID": "T1059.002", - "comment": "executed by Bundlore, Dok", - "score": 2 - }, - { - "techniqueID": "T1543.004", - "comment": "executed by Bundlore, LoudMiner, OSX_OCEANLOTUS.D", - "score": 3 - }, - { - "techniqueID": "T1098.004", - "comment": "executed by Bundlore, Skidmap", - "score": 2 - }, - { - "techniqueID": "T1059.006", - "comment": "executed by Bundlore, CoinTicker, KeyBoy, Keydnap, Machete, MechaFlounder, PUNCHBUGGY, PoetRAT, SpeakUp", - "score": 9 - }, - { - "techniqueID": "T1518", - "comment": "executed by Bundlore, ComRAT, DustySky, Dyre, HotCroissant, Orz, RTM, TajMahal, down_new", - "score": 9 - }, - { - "techniqueID": "T1176", - "comment": "executed by Bundlore, OSX/Shlayer", - "score": 2 - }, - { - "techniqueID": "T1195.002", - "comment": "executed by CCBkdr", - "score": 1 - }, - { - "techniqueID": "T1092", - "comment": "executed by CHOPSTICK, USBStealer", - "score": 2 - }, - { - "techniqueID": "T1059", - "comment": "executed by CHOPSTICK, DarkComet, Get2, Matroyshka, SpeakUp, WINERACK, Zeus Panda, gh0st RAT", - "score": 8 - }, - { - "techniqueID": "T1560.001", - "comment": "executed by CORALDECK, Calisto, Daserf, DustySky, InvisiMole, Micropsia, Okrum, OopsIE, PUNCHBUGGY, PoetRAT, PowerShower, Ramsay, WindTail, iKitten", - "score": 14 - }, - { - "techniqueID": "T1027.001", - "comment": "executed by CORESHELL, Comnie, Emissary, FinFisher, Goopy, Kwampirs, MAZE, 
POWERSTATS, Rifdoor, SamSam, XTunnel, ZeroT, yty", - "score": 13 - }, - { - "techniqueID": "T1098", - "comment": "executed by Calisto", - "score": 1 - }, - { - "techniqueID": "T1555.001", - "comment": "executed by Calisto, Proton, iKitten", - "score": 3 - }, - { - "techniqueID": "T1217", - "comment": "executed by Calisto, Machete, MobileOrder", - "score": 3 - }, - { - "techniqueID": "T1569.001", - "comment": "executed by Calisto, LoudMiner", - "score": 2 - }, - { - "techniqueID": "T1136.001", - "comment": "executed by Calisto, Carbanak, Flame, HiddenWasp, Mis-Type, S-Type, ServHelper, ZxShell", - "score": 8 - }, - { - "techniqueID": "T1547.004", - "comment": "executed by Cannon, Dipsind, Gazer, KeyBoy, Remexi", - "score": 5 - }, - { - "techniqueID": "T1003", - "comment": "executed by Carbanak, HOMEFRY, OnionDuke, PinchDuke, Revenge RAT, Trojan.Karagany", - "score": 6 - }, - { - "techniqueID": "T1114.001", - "comment": "executed by Carbanak, CosmicDuke, Crimson, Emotet, Smoke Loader", - "score": 5 - }, - { - "techniqueID": "T1219", - "comment": "executed by Carbanak, Dridex, RTM", - "score": 3 - }, - { - "techniqueID": "T1030", - "comment": "executed by Carbanak, Helminth, OopsIE, POSHSPY", - "score": 4 - }, - { - "techniqueID": "T1055.002", - "comment": "executed by Carbanak, GreyEnergy, Zeus Panda", - "score": 3 - }, - { - "techniqueID": "T1021.001", - "comment": "executed by Carbanak, DarkComet, Revenge RAT, SDBot, ServHelper, ZxShell, jRAT, njRAT, zwShell", - "score": 9 - }, - { - "techniqueID": "T1018", - "comment": "executed by Carbon, Comnie, Epic, Kwampirs, MURKYTOP, OSInfo, Olympic Destroyer, PoetRAT, RATANKBA, Remsec, SHOTPUT, Shamoon, Sykipot, USBferry, WannaCry, njRAT, yty", - "score": 17 - }, - { - "techniqueID": "T1027.004", - "comment": "executed by Cardinal RAT", - "score": 1 - }, - { - "techniqueID": "T1110", - "comment": "executed by Chaos", - "score": 1 - }, - { - "techniqueID": "T1205", - "comment": "executed by Chaos, Umbreon, Winnti for Linux", 
- "score": 3 - }, - { - "techniqueID": "T1546.010", - "comment": "executed by Cherry Picker, Ramsay, T9000", - "score": 3 - }, - { - "techniqueID": "T1110.001", - "comment": "executed by China Chopper, Emotet, Pony, SpeakUp, Xbash", - "score": 5 - }, - { - "techniqueID": "T1553.001", - "comment": "executed by CoinTicker", - "score": 1 - }, - { - "techniqueID": "T1068", - "comment": "executed by CosmicDuke, JHUHUGIT, Remsec, Wingbird", - "score": 4 - }, - { - "techniqueID": "T1003.004", - "comment": "executed by CosmicDuke", - "score": 1 - }, - { - "techniqueID": "T1003.002", - "comment": "executed by CosmicDuke, CozyCar, HOPLIGHT, Mivast, POWERTON, Remsec", - "score": 6 - }, - { - "techniqueID": "T1036.003", - "comment": "executed by CozyCar, NotPetya", - "score": 2 - }, - { - "techniqueID": "T1003.001", - "comment": "executed by CozyCar, Daserf, Emotet, GreyEnergy, Net Crawler, NotPetya, Okrum, Olympic Destroyer, PoetRAT", - "score": 9 - }, - { - "techniqueID": "T1027.005", - "comment": "executed by Daserf, GravityRAT", - "score": 2 - }, - { - "techniqueID": "T1001.002", - "comment": "executed by Daserf, Duqu, HAMMERTOSS, LightNeuron, ZeroT", - "score": 5 - }, - { - "techniqueID": "T1574", - "comment": "executed by Denis, Ramsay, ShimRat", - "score": 3 - }, - { - "techniqueID": "T1553.004", - "comment": "executed by Dok, Hikit, RTM", - "score": 3 - }, - { - "techniqueID": "T1547.011", - "comment": "executed by Dok, LoudMiner", - "score": 2 - }, - { - "techniqueID": "T1001.001", - "comment": "executed by Downdelph, P2P ZeuS, PLEAD", - "score": 3 - }, - { - "techniqueID": "T1134", - "comment": "executed by Duqu, Hydraq, Ryuk, SslMM", - "score": 4 - }, - { - "techniqueID": "T1071", - "comment": "executed by Duqu, NETEAGLE, Regin", - "score": 3 - }, - { - "techniqueID": "T1078", - "comment": "executed by Duqu, Linux Rabbit, SeaDuke", - "score": 3 - }, - { - "techniqueID": "T1218.007", - "comment": "executed by Duqu, LoudMiner, Ragnar Locker", - "score": 3 - }, - { - 
"techniqueID": "T1572", - "comment": "executed by Duqu, FLIPSIDE", - "score": 2 - }, - { - "techniqueID": "T1570", - "comment": "executed by DustySky, LockerGoga, Netwalker, Olympic Destroyer, Shamoon, WannaCry", - "score": 6 - }, - { - "techniqueID": "T1529", - "comment": "executed by DustySky, LockerGoga, NotPetya, Olympic Destroyer, Shamoon", - "score": 5 - }, - { - "techniqueID": "T1552.004", - "comment": "executed by Ebury, Machete, jRAT", - "score": 3 - }, - { - "techniqueID": "T1562.002", - "comment": "executed by Ebury", - "score": 1 - }, - { - "techniqueID": "T1554", - "comment": "executed by Ebury", - "score": 1 - }, - { - "techniqueID": "T1069.001", - "comment": "executed by Emissary, Epic, FlawedAmmyy, Helminth, JPIN, Kazuar, Kwampirs, OSInfo, POWRUNER, Sys10", - "score": 10 - }, - { - "techniqueID": "T1040", - "comment": "executed by Emotet, MESSAGETAP, Regin", - "score": 3 - }, - { - "techniqueID": "T1210", - "comment": "executed by Emotet, Flame, NotPetya, WannaCry", - "score": 4 - }, - { - "techniqueID": "T1566.002", - "comment": "executed by Emotet, Pony", - "score": 2 - }, - { - "techniqueID": "T1566.001", - "comment": "executed by Emotet, OceanSalt, PoetRAT, Pony, RTM, Rifdoor, TrickBot", - "score": 7 - }, - { - "techniqueID": "T1078.003", - "comment": "executed by Emotet, NotPetya, Umbreon", - "score": 3 - }, - { - "techniqueID": "T1055.011", - "comment": "executed by Epic, Power Loader", - "score": 2 - }, - { - "techniqueID": "T1053.003", - "comment": "executed by Exaramel for Linux, Janicab, Skidmap, SpeakUp, Xbash", - "score": 5 - }, - { - "techniqueID": "T1543.002", - "comment": "executed by Exaramel for Linux, Fysbis", - "score": 2 - }, - { - "techniqueID": "T1056.004", - "comment": "executed by FinFisher, NOKKI, RDFSNIFFER, TrickBot, Ursnif, Zebrocy, Zeus Panda, ZxShell", - "score": 8 - }, - { - "techniqueID": "T1011.001", - "comment": "executed by Flame", - "score": 1 - }, - { - "techniqueID": "T1547.002", - "comment": "executed by 
Flame", - "score": 1 - }, - { - "techniqueID": "T1001", - "comment": "executed by FlawedAmmyy", - "score": 1 - }, - { - "techniqueID": "T1069.002", - "comment": "executed by GRIFFON, Helminth, Kwampirs, OSInfo, POWRUNER", - "score": 5 - }, - { - "techniqueID": "T1055.003", - "comment": "executed by Gazer", - "score": 1 - }, - { - "techniqueID": "T1546.002", - "comment": "executed by Gazer", - "score": 1 - }, - { - "techniqueID": "T1564.004", - "comment": "executed by Gazer, LoJax, POWERSOURCE, PowerDuke, Regin, Valak, Zeroaccess", - "score": 7 - }, - { - "techniqueID": "T1559.002", - "comment": "executed by GravityRAT, HAWKBALL, KeyBoy, POWERSTATS, PoetRAT, RTM, Ramsay", - "score": 7 - }, - { - "techniqueID": "T1080", - "comment": "executed by H1N1, Miner-C, Ramsay, Ursnif", - "score": 4 - }, - { - "techniqueID": "T1490", - "comment": "executed by H1N1, JCry, MAZE, Netwalker, Olympic Destroyer, Ragnar Locker, RobbinHood, Ryuk, WannaCry", - "score": 9 - }, - { - "techniqueID": "T1102.003", - "comment": "executed by HAMMERTOSS, OnionDuke", - "score": 2 - }, - { - "techniqueID": "T1567.002", - "comment": "executed by HAMMERTOSS", - "score": 1 - }, - { - "techniqueID": "T1014", - "comment": "executed by HIDEDRV, Hacking Team UEFI Rootkit, HiddenWasp, Hikit, LoJax, PoisonIvy, Ramsay, Skidmap, Umbreon, Uroburos, Winnti for Linux, Zeroaccess", - "score": 12 - }, - { - "techniqueID": "T1550.002", - "comment": "executed by HOPLIGHT", - "score": 1 - }, - { - "techniqueID": "T1542.001", - "comment": "executed by Hacking Team UEFI Rootkit, LoJax, Trojan.Mebromi", - "score": 3 - }, - { - "techniqueID": "T1546.004", - "comment": "executed by HiddenWasp, Linux Rabbit", - "score": 2 - }, - { - "techniqueID": "T1574.006", - "comment": "executed by HiddenWasp", - "score": 1 - }, - { - "techniqueID": "T1489", - "comment": "executed by HotCroissant, Netwalker, Olympic Destroyer, Ragnar Locker, RobbinHood, Ryuk, WannaCry", - "score": 7 - }, - { - "techniqueID": "T1048", - "comment": 
"executed by Hydraq, PoetRAT", - "score": 2 - }, - { - "techniqueID": "T1135", - "comment": "executed by InvisiMole, Kwampirs, MURKYTOP, OSInfo, Olympic Destroyer, PlugX, Ramsay, ShimRat, Zebrocy", - "score": 9 - }, - { - "techniqueID": "T1486", - "comment": "executed by JCry, LockerGoga, MAZE, Netwalker, NotPetya, Ragnar Locker, RobbinHood, Ryuk, SamSam, Shamoon, SynAck, WannaCry, Xbash", - "score": 13 - }, - { - "techniqueID": "T1222.001", - "comment": "executed by JPIN, WannaCry", - "score": 2 - }, - { - "techniqueID": "T1197", - "comment": "executed by JPIN, UBoatRAT", - "score": 2 - }, - { - "techniqueID": "T1548.001", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1555.002", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1036.006", - "comment": "executed by Keydnap", - "score": 1 - }, - { - "techniqueID": "T1021", - "comment": "executed by Kivars", - "score": 1 - }, - { - "techniqueID": "T1201", - "comment": "executed by Kwampirs", - "score": 1 - }, - { - "techniqueID": "T1114.002", - "comment": "executed by LightNeuron, SeaDuke, Valak", - "score": 3 - }, - { - "techniqueID": "T1565.002", - "comment": "executed by LightNeuron", - "score": 1 - }, - { - "techniqueID": "T1505.002", - "comment": "executed by LightNeuron", - "score": 1 - }, - { - "techniqueID": "T1133", - "comment": "executed by Linux Rabbit", - "score": 1 - }, - { - "techniqueID": "T1110.003", - "comment": "executed by Linux Rabbit", - "score": 1 - }, - { - "techniqueID": "T1531", - "comment": "executed by LockerGoga", - "score": 1 - }, - { - "techniqueID": "T1547", - "comment": "executed by LoudMiner", - "score": 1 - }, - { - "techniqueID": "T1496", - "comment": "executed by LoudMiner, Skidmap", - "score": 2 - }, - { - "techniqueID": "T1564.006", - "comment": "executed by LoudMiner, Ragnar Locker", - "score": 2 - }, - { - "techniqueID": "T1568", - "comment": "executed by MAZE, NETEAGLE, RTM", - "score": 3 - }, - { - "techniqueID": 
"T1053.002", - "comment": "executed by MURKYTOP", - "score": 1 - }, - { - "techniqueID": "T1069", - "comment": "executed by MURKYTOP", - "score": 1 - }, - { - "techniqueID": "T1218.005", - "comment": "executed by NanHaiShu, POWERSTATS, Revenge RAT, Xbash", - "score": 4 - }, - { - "techniqueID": "T1110.002", - "comment": "executed by Net Crawler", - "score": 1 - }, - { - "techniqueID": "T1548.004", - "comment": "executed by OSX/Shlayer", - "score": 1 - }, - { - "techniqueID": "T1222.002", - "comment": "executed by OSX/Shlayer", - "score": 1 - }, - { - "techniqueID": "T1090.002", - "comment": "executed by Okrum, POWERSTATS, Regin, ShimRat", - "score": 4 - }, - { - "techniqueID": "T1003.005", - "comment": "executed by Okrum", - "score": 1 - }, - { - "techniqueID": "T1497.003", - "comment": "executed by Okrum, Pony, Ursnif", - "score": 3 - }, - { - "techniqueID": "T1497.002", - "comment": "executed by Okrum", - "score": 1 - }, - { - "techniqueID": "T1546.003", - "comment": "executed by POSHSPY, POWERTON, SeaDuke, adbupd", - "score": 4 - }, - { - "techniqueID": "T1559.001", - "comment": "executed by POWERSTATS, Ursnif", - "score": 2 - }, - { - "techniqueID": "T1546.009", - "comment": "executed by PUNCHBUGGY", - "score": 1 - }, - { - "techniqueID": "T1547.008", - "comment": "executed by Pasam, Wingbird", - "score": 2 - }, - { - "techniqueID": "T1127.001", - "comment": "executed by PlugX", - "score": 1 - }, - { - "techniqueID": "T1548.003", - "comment": "executed by Proton", - "score": 1 - }, - { - "techniqueID": "T1070.002", - "comment": "executed by Proton", - "score": 1 - }, - { - "techniqueID": "T1021.005", - "comment": "executed by Proton, ZxShell", - "score": 2 - }, - { - "techniqueID": "T1036", - "comment": "executed by RTM, Ramsay, WindTail", - "score": 3 - }, - { - "techniqueID": "T1218.002", - "comment": "executed by Reaver", - "score": 1 - }, - { - "techniqueID": "T1036.001", - "comment": "executed by Regin, WindTail", - "score": 2 - }, - { - "techniqueID": 
"T1556.002", - "comment": "executed by Remsec", - "score": 1 - }, - { - "techniqueID": "T1053", - "comment": "executed by Remsec", - "score": 1 - }, - { - "techniqueID": "T1202", - "comment": "executed by Revenge RAT", - "score": 1 - }, - { - "techniqueID": "T1070.005", - "comment": "executed by RobbinHood", - "score": 1 - }, - { - "techniqueID": "T1546.012", - "comment": "executed by SDBot", - "score": 1 - }, - { - "techniqueID": "T1546.011", - "comment": "executed by SDBot, ShimRat", - "score": 2 - }, - { - "techniqueID": "T1550.003", - "comment": "executed by SeaDuke", - "score": 1 - }, - { - "techniqueID": "T1078.002", - "comment": "executed by Shamoon", - "score": 1 - }, - { - "techniqueID": "T1561.002", - "comment": "executed by Shamoon, StoneDrill", - "score": 2 - }, - { - "techniqueID": "T1556.001", - "comment": "executed by Skeleton Key", - "score": 1 - }, - { - "techniqueID": "T1547.006", - "comment": "executed by Skidmap", - "score": 1 - }, - { - "techniqueID": "T1556.003", - "comment": "executed by Skidmap", - "score": 1 - }, - { - "techniqueID": "T1561.001", - "comment": "executed by StoneDrill", - "score": 1 - }, - { - "techniqueID": "T1111", - "comment": "executed by Sykipot", - "score": 1 - }, - { - "techniqueID": "T1055.013", - "comment": "executed by SynAck", - "score": 1 - }, - { - "techniqueID": "T1539", - "comment": "executed by TajMahal", - "score": 1 - }, - { - "techniqueID": "T1482", - "comment": "executed by TrickBot", - "score": 1 - }, - { - "techniqueID": "T1552.002", - "comment": "executed by TrickBot", - "score": 1 - }, - { - "techniqueID": "T1055.005", - "comment": "executed by Ursnif", - "score": 1 - }, - { - "techniqueID": "T1563.002", - "comment": "executed by WannaCry", - "score": 1 - }, - { - "techniqueID": "T1072", - "comment": "executed by Wiper", - "score": 1 - }, - { - "techniqueID": "T1499", - "comment": "executed by ZxShell", - "score": 1 - }, - { - "techniqueID": "T1037.004", - "comment": "executed by iKitten", - "score": 1 
- }, - { - "techniqueID": "T1037.005", - "comment": "executed by jRAT", - "score": 1 - } - ], - "sorting": 3, - "gradient": { - "colors": [ - "#fff7b3", - "#ff6666" - ], - "minValue": 1, - "maxValue": 170 - } -} \ No newline at end of file diff --git a/layers/data/samples/software_tool_execution.json b/layers/data/samples/software_tool_execution.json deleted file mode 100644 index 27e912196..000000000 --- a/layers/data/samples/software_tool_execution.json +++ /dev/null 
@@ -1,822 +0,0 @@ -{ - "name": "Software (tool) Execution", - "description": "All techniques that can be executed by software of subtype tool, where the score is the count of tools using the technique", - "version": "3.0", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1016", - "comment": "executed by Arp, Empire, Koadic, Nltest, PoshC2, Pupy, ShimRatReporter, ifconfig, ipconfig, nbtstat, route", - "score": 11 - }, - { - "techniqueID": "T1048.003", - "comment": "executed by BITSAdmin, FTP", - "score": 2 - }, - { - "techniqueID": "T1105", - "comment": "executed by BITSAdmin, CARROTBALL, Empire, Koadic, Pupy, QuasarRAT, Remcos, ShimRatReporter, certutil, cmd, esentutl", - "score": 11 - }, - { - "techniqueID": "T1197", - "comment": "executed by BITSAdmin, Cobalt Strike", - "score": 2 - }, - { - "techniqueID": "T1570", - "comment": "executed by BITSAdmin, Expand, PsExec, cmd, esentutl", - "score": 5 - }, - { - "techniqueID": "T1071.002", - "comment": "executed by CARROTBALL", - "score": 1 - }, - { - "techniqueID": "T1204.002", - "comment": "executed by CARROTBALL", - "score": 1 - }, - { - "techniqueID": "T1027", - "comment": "executed by CARROTBALL, Empire, Imminent Monitor, Invoke-PSImage, PowerSploit, Remcos, ShimRatReporter", - "score": 7 - }, - { - "techniqueID": "T1003.005", - "comment": "executed by Cachedump, LaZagne, Pupy", - "score": 3 - }, - { - "techniqueID": "T1059.003", - "comment": "executed by Cobalt Strike, Empire, Koadic, QuasarRAT, Remcos, cmd", - "score": 6 - }, - { - "techniqueID": "T1029", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1057", - "comment": "executed by Cobalt Strike, Empire, Imminent Monitor, PowerSploit, Pupy, ShimRatReporter, Tasklist", - "score": 7 - }, - { - "techniqueID": "T1106", - "comment": "executed by Cobalt Strike, Empire, Imminent Monitor, ShimRatReporter", - "score": 4 - }, - { - "techniqueID": "T1543.003", - "comment": "executed by Cobalt Strike, Empire, 
PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1070.006", - "comment": "executed by Cobalt Strike, Empire", - "score": 2 - }, - { - "techniqueID": "T1046", - "comment": "executed by Cobalt Strike, Empire, Koadic, PoshC2, Pupy", - "score": 5 - }, - { - "techniqueID": "T1550.002", - "comment": "executed by Cobalt Strike, Empire, Mimikatz, Pass-The-Hash Toolkit, PoshC2", - "score": 5 - }, - { - "techniqueID": "T1027.005", - "comment": "executed by Cobalt Strike, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1059.001", - "comment": "executed by Cobalt Strike, Empire, PowerSploit, Pupy", - "score": 4 - }, - { - "techniqueID": "T1021.002", - "comment": "executed by Cobalt Strike, Net, PsExec", - "score": 3 - }, - { - "techniqueID": "T1078.003", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1021.006", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1548.002", - "comment": "executed by Cobalt Strike, Empire, Koadic, PoshC2, Pupy, Remcos, UACMe", - "score": 7 - }, - { - "techniqueID": "T1021.004", - "comment": "executed by Cobalt Strike, Empire", - "score": 2 - }, - { - "techniqueID": "T1047", - "comment": "executed by Cobalt Strike, Empire, Impacket, Koadic, PoshC2, PowerSploit", - "score": 6 - }, - { - "techniqueID": "T1068", - "comment": "executed by Cobalt Strike, Empire, PoshC2", - "score": 3 - }, - { - "techniqueID": "T1090.001", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1005", - "comment": "executed by Cobalt Strike, Forfiles, Koadic, PowerSploit", - "score": 4 - }, - { - "techniqueID": "T1572", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1113", - "comment": "executed by Cobalt Strike, Empire, PowerSploit, Pupy, Remcos", - "score": 5 - }, - { - "techniqueID": "T1055", - "comment": "executed by Cobalt Strike, Empire, HTRAN, PoshC2, Remcos", - "score": 5 - }, - { - "techniqueID": "T1134.001", - 
"comment": "executed by Cobalt Strike, Pupy", - "score": 2 - }, - { - "techniqueID": "T1569.002", - "comment": "executed by Cobalt Strike, Empire, Impacket, Koadic, Net, PoshC2, PsExec, Pupy, Winexe, xCmd", - "score": 10 - }, - { - "techniqueID": "T1185", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1003.002", - "comment": "executed by Cobalt Strike, Fgdump, Impacket, Koadic, Mimikatz, gsecdump, pwdump", - "score": 7 - }, - { - "techniqueID": "T1021.001", - "comment": "executed by Cobalt Strike, Imminent Monitor, Koadic, Pupy, QuasarRAT", - "score": 5 - }, - { - "techniqueID": "T1056.001", - "comment": "executed by Cobalt Strike, Empire, Imminent Monitor, PoshC2, PowerSploit, Pupy, QuasarRAT, Remcos", - "score": 8 - }, - { - "techniqueID": "T1055.012", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1018", - "comment": "executed by Cobalt Strike, Net, Nltest, Ping", - "score": 4 - }, - { - "techniqueID": "T1021.003", - "comment": "executed by Cobalt Strike, Empire", - "score": 2 - }, - { - "techniqueID": "T1135", - "comment": "executed by Cobalt Strike, Empire, Koadic, Net, Pupy", - "score": 5 - }, - { - "techniqueID": "T1134.004", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1134.003", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1078.002", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1071", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1071.004", - "comment": "executed by Cobalt Strike", - "score": 1 - }, - { - "techniqueID": "T1071.001", - "comment": "executed by Cobalt Strike, Empire, PoshC2, Pupy, ShimRatReporter", - "score": 5 - }, - { - "techniqueID": "T1059.005", - "comment": "executed by Cobalt Strike, Koadic", - "score": 2 - }, - { - "techniqueID": "T1059.006", - "comment": "executed by Cobalt Strike, Pupy, Remcos", - "score": 3 - }, - 
{ - "techniqueID": "T1217", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1552.001", - "comment": "executed by Empire, LaZagne, PoshC2, Pupy, QuasarRAT", - "score": 5 - }, - { - "techniqueID": "T1003.001", - "comment": "executed by Empire, Impacket, LaZagne, Lslsass, Mimikatz, PoshC2, PowerSploit, Pupy, Windows Credential Editor", - "score": 9 - }, - { - "techniqueID": "T1125", - "comment": "executed by Empire, Imminent Monitor, Pupy, QuasarRAT, Remcos", - "score": 5 - }, - { - "techniqueID": "T1083", - "comment": "executed by Empire, Forfiles, Imminent Monitor, PoshC2, Pupy, Remcos, cmd", - "score": 7 - }, - { - "techniqueID": "T1115", - "comment": "executed by Empire, Koadic, Remcos", - "score": 3 - }, - { - "techniqueID": "T1558.001", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1552.004", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1558.003", - "comment": "executed by Empire, Impacket, PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1040", - "comment": "executed by Empire, Impacket, PoshC2, Responder", - "score": 4 - }, - { - "techniqueID": "T1557.001", - "comment": "executed by Empire, Impacket, PoshC2, Pupy, Responder", - "score": 5 - }, - { - "techniqueID": "T1056.004", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1059", - "comment": "executed by Empire, Imminent Monitor", - "score": 2 - }, - { - "techniqueID": "T1210", - "comment": "executed by Empire, PoshC2", - "score": 2 - }, - { - "techniqueID": "T1134.002", - "comment": "executed by Empire, PoshC2", - "score": 2 - }, - { - "techniqueID": "T1053.005", - "comment": "executed by Empire, PowerSploit, QuasarRAT, schtasks", - "score": 4 - }, - { - "techniqueID": "T1546.008", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1574.001", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1547.005", - 
"comment": "executed by Empire, Mimikatz, PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1134.005", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1547.009", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1136.001", - "comment": "executed by Empire, Net, Pupy", - "score": 3 - }, - { - "techniqueID": "T1560", - "comment": "executed by Empire, ShimRatReporter", - "score": 2 - }, - { - "techniqueID": "T1114.001", - "comment": "executed by Empire, Pupy", - "score": 2 - }, - { - "techniqueID": "T1547.001", - "comment": "executed by Empire, PowerSploit, Pupy, Remcos", - "score": 4 - }, - { - "techniqueID": "T1087.002", - "comment": "executed by Empire, Net, PoshC2, dsquery", - "score": 4 - }, - { - "techniqueID": "T1567.002", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1041", - "comment": "executed by Empire, Imminent Monitor, Pupy, ShimRatReporter", - "score": 4 - }, - { - "techniqueID": "T1049", - "comment": "executed by Empire, Net, PoshC2, Pupy, ShimRatReporter, nbtstat, netstat", - "score": 7 - }, - { - "techniqueID": "T1082", - "comment": "executed by Empire, PoshC2, Pupy, QuasarRAT, ShimRatReporter, Systeminfo, cmd", - "score": 7 - }, - { - "techniqueID": "T1518.001", - "comment": "executed by Empire, Tasklist, netsh", - "score": 3 - }, - { - "techniqueID": "T1573.002", - "comment": "executed by Empire, Koadic, Pupy, Tor", - "score": 4 - }, - { - "techniqueID": "T1484", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1102.002", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1482", - "comment": "executed by Empire, Nltest, PoshC2, PowerSploit, dsquery", - "score": 5 - }, - { - "techniqueID": "T1555.003", - "comment": "executed by Empire, Imminent Monitor, LaZagne, Mimikatz, Pupy, QuasarRAT", - "score": 6 - }, - { - "techniqueID": "T1136.002", - "comment": "executed by Empire, Net, Pupy", - "score": 3 - 
}, - { - "techniqueID": "T1567.001", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1134", - "comment": "executed by Empire, PoshC2, PowerSploit", - "score": 3 - }, - { - "techniqueID": "T1558.002", - "comment": "executed by Empire, Mimikatz", - "score": 2 - }, - { - "techniqueID": "T1087.001", - "comment": "executed by Empire, Net, PoshC2, PowerSploit, Pupy", - "score": 5 - }, - { - "techniqueID": "T1574.007", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1574.008", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1574.009", - "comment": "executed by Empire, PowerSploit", - "score": 2 - }, - { - "techniqueID": "T1127.001", - "comment": "executed by Empire", - "score": 1 - }, - { - "techniqueID": "T1564.004", - "comment": "executed by Expand, esentutl", - "score": 2 - }, - { - "techniqueID": "T1140", - "comment": "executed by Expand, Imminent Monitor, certutil", - "score": 3 - }, - { - "techniqueID": "T1202", - "comment": "executed by Forfiles", - "score": 1 - }, - { - "techniqueID": "T1090", - "comment": "executed by HTRAN, PoshC2, QuasarRAT, Remcos, netsh", - "score": 5 - }, - { - "techniqueID": "T1014", - "comment": "executed by HTRAN", - "score": 1 - }, - { - "techniqueID": "T1190", - "comment": "executed by Havij, sqlmap", - "score": 2 - }, - { - "techniqueID": "T1564.001", - "comment": "executed by Imminent Monitor", - "score": 1 - }, - { - "techniqueID": "T1496", - "comment": "executed by Imminent Monitor", - "score": 1 - }, - { - "techniqueID": "T1123", - "comment": "executed by Imminent Monitor, PowerSploit, Pupy, Remcos", - "score": 4 - }, - { - "techniqueID": "T1562.001", - "comment": "executed by Imminent Monitor", - "score": 1 - }, - { - "techniqueID": "T1070.004", - "comment": "executed by Imminent Monitor, SDelete, cmd", - "score": 3 - }, - { - "techniqueID": "T1003.003", - "comment": "executed by Impacket, Koadic, esentutl", - "score": 3 - 
}, - { - "techniqueID": "T1003.004", - "comment": "executed by Impacket, LaZagne, Mimikatz, Pupy, gsecdump", - "score": 5 - }, - { - "techniqueID": "T1055.001", - "comment": "executed by Koadic, PowerSploit, Pupy", - "score": 3 - }, - { - "techniqueID": "T1218.011", - "comment": "executed by Koadic", - "score": 1 - }, - { - "techniqueID": "T1218.005", - "comment": "executed by Koadic", - "score": 1 - }, - { - "techniqueID": "T1218.010", - "comment": "executed by Koadic", - "score": 1 - }, - { - "techniqueID": "T1033", - "comment": "executed by Koadic, Pupy", - "score": 2 - }, - { - "techniqueID": "T1555", - "comment": "executed by LaZagne, Mimikatz, PowerSploit, Pupy, QuasarRAT", - "score": 5 - }, - { - "techniqueID": "T1555.001", - "comment": "executed by LaZagne", - "score": 1 - }, - { - "techniqueID": "T1003.007", - "comment": "executed by LaZagne, MimiPenguin", - "score": 2 - }, - { - "techniqueID": "T1003.008", - "comment": "executed by LaZagne", - "score": 1 - }, - { - "techniqueID": "T1110.003", - "comment": "executed by MailSniper", - "score": 1 - }, - { - "techniqueID": "T1114.002", - "comment": "executed by MailSniper", - "score": 1 - }, - { - "techniqueID": "T1087.003", - "comment": "executed by MailSniper, Ruler", - "score": 2 - }, - { - "techniqueID": "T1207", - "comment": "executed by Mimikatz", - "score": 1 - }, - { - "techniqueID": "T1550.003", - "comment": "executed by Mimikatz, Pupy", - "score": 2 - }, - { - "techniqueID": "T1098", - "comment": "executed by Mimikatz", - "score": 1 - }, - { - "techniqueID": "T1003.006", - "comment": "executed by Mimikatz", - "score": 1 - }, - { - "techniqueID": "T1069.001", - "comment": "executed by Net, PoshC2", - "score": 2 - }, - { - "techniqueID": "T1007", - "comment": "executed by Net, PoshC2, Tasklist", - "score": 3 - }, - { - "techniqueID": "T1201", - "comment": "executed by Net, PoshC2", - "score": 2 - }, - { - "techniqueID": "T1124", - "comment": "executed by Net", - "score": 1 - }, - { - "techniqueID": 
"T1070.005", - "comment": "executed by Net", - "score": 1 - }, - { - "techniqueID": "T1069.002", - "comment": "executed by Net, dsquery", - "score": 2 - }, - { - "techniqueID": "T1110", - "comment": "executed by PoshC2", - "score": 1 - }, - { - "techniqueID": "T1119", - "comment": "executed by PoshC2, ShimRatReporter", - "score": 2 - }, - { - "techniqueID": "T1546.003", - "comment": "executed by PoshC2", - "score": 1 - }, - { - "techniqueID": "T1560.001", - "comment": "executed by PoshC2, Pupy", - "score": 2 - }, - { - "techniqueID": "T1055.002", - "comment": "executed by PowerSploit", - "score": 1 - }, - { - "techniqueID": "T1552.002", - "comment": "executed by PowerSploit, Reg", - "score": 2 - }, - { - "techniqueID": "T1552.006", - "comment": "executed by PowerSploit", - "score": 1 - }, - { - "techniqueID": "T1012", - "comment": "executed by PowerSploit, Reg", - "score": 2 - }, - { - "techniqueID": "T1070.001", - "comment": "executed by Pupy", - "score": 1 - }, - { - "techniqueID": "T1497.001", - "comment": "executed by Pupy, Remcos", - "score": 2 - }, - { - "techniqueID": "T1543.002", - "comment": "executed by Pupy", - "score": 1 - }, - { - "techniqueID": "T1573.001", - "comment": "executed by QuasarRAT", - "score": 1 - }, - { - "techniqueID": "T1112", - "comment": "executed by QuasarRAT, Reg, Remcos", - "score": 3 - }, - { - "techniqueID": "T1553.002", - "comment": "executed by QuasarRAT, SDelete", - "score": 2 - }, - { - "techniqueID": "T1561.002", - "comment": "executed by RawDisk", - "score": 1 - }, - { - "techniqueID": "T1485", - "comment": "executed by RawDisk, SDelete", - "score": 2 - }, - { - "techniqueID": "T1561.001", - "comment": "executed by RawDisk", - "score": 1 - }, - { - "techniqueID": "T1137.004", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": "T1137.005", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": "T1137.003", - "comment": "executed by Ruler", - "score": 1 - }, - { - "techniqueID": 
"T1087", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1036.005", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1020", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1069", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1518", - "comment": "executed by ShimRatReporter", - "score": 1 - }, - { - "techniqueID": "T1090.003", - "comment": "executed by Tor", - "score": 1 - }, - { - "techniqueID": "T1053.002", - "comment": "executed by at", - "score": 1 - }, - { - "techniqueID": "T1553.004", - "comment": "executed by certutil", - "score": 1 - }, - { - "techniqueID": "T1090.004", - "comment": "executed by meek", - "score": 1 - }, - { - "techniqueID": "T1562.004", - "comment": "executed by netsh", - "score": 1 - }, - { - "techniqueID": "T1546.007", - "comment": "executed by netsh", - "score": 1 - }, - { - "techniqueID": "T1213.002", - "comment": "executed by spwebmember", - "score": 1 - } - ], - "sorting": 3, - "gradient": { - "colors": [ - "#fff7b3", - "#ff6666" - ], - "minValue": 1, - "maxValue": 11 - } -} \ No newline at end of file diff --git a/layers/data/update_layers/April_2018_Updates.json b/layers/data/update_layers/April_2018_Updates.json deleted file mode 100644 index d47281d30..000000000 --- a/layers/data/update_layers/April_2018_Updates.json +++ /dev/null 
@@ -1,420 +0,0 @@ -{ - "name": "April 2018 Updates", - "version": "3.0", - "domain": "mitre-enterprise", - "description": "Green techniques are techniques that are new to ATT&CK as of the April 2018 Update. Yellow techniques are techniques that changed in scope or content, including existing techniques that were added to new tactics.", - "filters": { - "stages": [ - "act" - ], - "platforms": [ - "Windows", - "Linux", - "macOS" - ] - }, - "sorting": 0, - "hideDisabled": false, - "techniques": [ - { - "techniqueID": "T1197", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1197", - "tactic": "persistence", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1191", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1191", - "tactic": "execution", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1196", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1196", - "tactic": "execution", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "color": "#fcf26b", - "comment": "Major content change from previous release - updated description and contributors", - "enabled": true - }, - { - "techniqueID": "T1214", - "tactic": "credential-access", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1207", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1213", - "tactic": "collection", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1189", - "tactic": "initial-access", - "color": "#a1d99b", - 
"comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1190", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1203", - "tactic": "execution", - "color": "#a1d99b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1212", - "tactic": "credential-access", - "color": "#a1d99b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1211", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1068", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1210", - "tactic": "lateral-movement", - "color": "#a1d99b", - "comment": "Exploitation of Vulnerability was broken out into six variations - this is one of these variations under an individual tactic", - "enabled": true - }, - { - "techniqueID": "T1200", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1202", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1208", - "tactic": "credential-access", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - 
"techniqueID": "T1215", - "tactic": "persistence", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1217", - "tactic": "discovery", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1218", - "tactic": "execution", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1096", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Renamed from NTFS Extended Attributes, updated description, added data source, and contributor added", - "enabled": true - }, - { - "techniqueID": "T1201", - "tactic": "discovery", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "persistence", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "command-and-control", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1219", - "tactic": "command-and-control", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1091", - "tactic": "lateral-movement", - "color": "#fcf26b", - "comment": "Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1091", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1198", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1198", - "tactic": "persistence", - 
"color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1216", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1216", - "tactic": "execution", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1193", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1192", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1194", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1206", - "tactic": "privilege-escalation", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1195", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1209", - "tactic": "persistence", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1199", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "New technique added to new tactic", - "enabled": true - }, - { - "techniqueID": "T1204", - "tactic": "execution", - "color": "#a1d99b", - "comment": "New technique", - "enabled": true - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": 
"Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "Existing technique cross-referenced into new Initial Access tactic", - "enabled": true - }, - { - "techniqueID": "T1080", - "tactic": "lateral-movement", - "color": "#fcf26b", - "comment": "Major content change from previous release - updated description, permissions required added, contributor added", - "enabled": true - }, - { - "techniqueID": "T1102", - "tactic": "command-and-control", - "color": "#fcf26b", - "comment": "Major content change from previous release - updated description, data source added, defense bypassed added, contributor added", - "enabled": true - }, - { - "techniqueID": "T1102", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Major content change from previous release - updated description, data source added, defense bypassed added, contributor added", - "enabled": true - }, - { - "techniqueID": "T1004", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Major content change from previous release - updated description and contributor", - "enabled": true - }, - { - "techniqueID": "T1379", - "tactic": "stage-capabilities", - "color": "#fcf26b", - "comment": "Moved from deprecated Launch tactic to Stage Capabilities", - "enabled": true - }, - { - "techniqueID": "T1397", - "tactic": "technical-information-gathering", - "color": "#74c476", - "comment": "New technique added to PRE-ATT&CK", - "enabled": true - } - ], - "gradient": { - "colors": [ - "#ff6666", - "#ffe766", - "#8ec843" - ], - "minValue": 0, - "maxValue": 100 - }, - "legendItems": [ - { - "color": "#a1d99b", - "label": "new techniques" - }, - { - "color": "#fcf26b", - "label": "changed scope, content, or tactics" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file 
diff --git a/layers/data/update_layers/April_2019_Updates_Enterprise.json b/layers/data/update_layers/April_2019_Updates_Enterprise.json deleted file mode 100644 index a477b1705..000000000 --- a/layers/data/update_layers/April_2019_Updates_Enterprise.json +++ /dev/null 
@@ -1,408 +0,0 @@ -{ - "version": "3.0", - "name": "April 2019 Enterprise Updates", - "description": "Enterprise updates for the April 2019 release of ATT&CK", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1486", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1485", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1490", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1489", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1482", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1496", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1484", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1494", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1501", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1480", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1493", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1487", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1483", - "tactic": 
"command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1491", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1498", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1488", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1492", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1495", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1500", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1117", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1117", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1018", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1190", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": 
"T1086", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1195", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1223", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1223", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1171", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1141", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1118", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1118", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1218", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1063", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1121", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1121", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" 
- }, - { - "techniqueID": "T1085", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1085", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1110", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1137", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1170", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1170", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1173", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1180", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#fcf26b", - "label": "changes" - }, - { - "color": "#a1d99b", - "label": "additions" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/April_2019_Updates_Mobile.json b/layers/data/update_layers/April_2019_Updates_Mobile.json deleted file mode 100644 index 3a62e33dd..000000000 --- a/layers/data/update_layers/April_2019_Updates_Mobile.json +++ /dev/null 
@@ -1,296 +0,0 @@ -{ - "version": "3.0", - "name": "April 2019 Mobile Updates", - "description": "Mobile updates for the April 2019 release of ATT&CK", - "domain": "mitre-mobile", - "techniques": [ - { - "techniqueID": "T1481", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1439", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1415", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1476", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1477", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1426", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1464", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1401", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1400", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1400", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1449", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1466", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - 
"techniqueID": "T1467", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1448", - "tactic": "effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1461", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1408", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1465", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1458", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1471", - "tactic": "effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1421", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1437", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1437", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1406", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1453", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1453", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1402", - "tactic": "persistence", - "enabled": true, - "color": 
"#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1422", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1451", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1450", - "tactic": "network-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1407", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1468", - "tactic": "remote-service-effects", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1399", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1399", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1427", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1416", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#fcf26b", - "label": "changes" - }, - { - "color": "#a1d99b", - "label": "additions" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/July_2020/July_2020_enterprise_attack.json b/layers/data/update_layers/July_2020/July_2020_enterprise_attack.json deleted file mode 100644 index ffce5435a..000000000 --- a/layers/data/update_layers/July_2020/July_2020_enterprise_attack.json +++ /dev/null 
@@ -1,3926 +0,0 @@ -{ - "version": "3.0", - "name": "July 2020 Enterprise Updates", - "description": "Enterprise updates for the July 2020 release of ATT&CK. This layer represents the updates made since the last full release of ATT&CK.", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1071.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.006", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1569.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1518.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1052.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.004", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.002", - "tactic": "defense-evasion", - "enabled": 
true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1222.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.007", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555.003", - "tactic": 
"credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1567.002", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.004", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.003", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - 
"techniqueID": "T1037.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.006", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - 
}, - { - "techniqueID": "T1546", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.004", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1132.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": 
"addition" - }, - { - "techniqueID": "T1555.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.004", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1074.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - 
"comment": "addition" - }, - { - "techniqueID": "T1055.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1554", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1216.001", - "tactic": "defense-evasion", - "enabled": true, - 
"color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1480.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1204.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.005", - "tactic": "defense-evasion", - "enabled": true, - 
"color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1132.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.003", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.001", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.013", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.013", - "tactic": "privilege-escalation", - 
"enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.007", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.003", - 
"tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1222.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.007", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.005", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1213.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { 
- "techniqueID": "T1110.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565.003", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1204.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - 
"comment": "addition" - }, - { - "techniqueID": "T1547.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.006", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.014", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.014", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1195.001", - "tactic": "initial-access", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.003", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.012", - "tactic": "persistence", 
- "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.005", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.015", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.015", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1567.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1195.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - 
"tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.010", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.002", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": 
"T1078.004", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1567", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.005", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - 
"tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.004", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.002", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - 
"techniqueID": "T1037.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1491.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.013", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.013", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.003", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1011.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" 
- }, - { - "techniqueID": "T1137.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1572", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.002", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.004", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1195.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1570", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - 
}, - { - "techniqueID": "T1547.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.014", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": 
"addition" - }, - { - "techniqueID": "T1003.007", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.012", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1498.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.004", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1569.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.003", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - 
"comment": "addition" - }, - { - "techniqueID": "T1134.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1569", - "tactic": "execution", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1070.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.006", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.004", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1074.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.003", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "privilege-escalation", - 
"enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.005", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1498.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.006", - "tactic": 
"persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.003", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1571", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1127.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.003", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.003", - "tactic": 
"defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1491.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.005", - 
"tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1213.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.002", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.008", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { 
- "techniqueID": "T1564.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1021", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1120", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1480", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1072", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1072", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1047", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1095", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1140", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1176", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1082", - "tactic": "discovery", - "enabled": true, - 
"color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1219", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1011", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1213", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1207", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1083", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1505", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1105", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1111", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1195", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1210", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1113", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1029", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1052", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1040", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1040", - 
"tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1211", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1202", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1005", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1018", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1012", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1197", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1197", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1212", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1001", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1220", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1071", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1057", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1482", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1046", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - 
{ - "techniqueID": "T1059", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1216", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1025", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1203", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1102", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1129", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1010", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1068", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1016", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1074", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1020", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1106", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1114", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1135", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1069", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" 
- }, - { - "techniqueID": "T1048", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1491", - "tactic": "impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1056", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1056", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1124", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1134", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1134", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1127", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1222", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1033", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1087", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1518", - "tactic": "discovery", - "enabled": true, - "color": 
"#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1190", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1189", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1204", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1070", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1090", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1037", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1037", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1041", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1049", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1497", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1497", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1132", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1115", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1055", - "tactic": 
"defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1098", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1112", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1526", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1484", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1484", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1080", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1187", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1110", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1039", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1201", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": 
"change" - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1136", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1499", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1007", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1539", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1217", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1498", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1137", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1485", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1525", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1534", - "tactic": "lateral-movement", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1528", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1530", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1537", - "tactic": "exfiltration", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": 
"T1119", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1529", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1486", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/July_2020/July_2020_enterprise_attack_beta.json b/layers/data/update_layers/July_2020/July_2020_enterprise_attack_beta.json deleted file mode 100644 index 23ed819de..000000000 --- a/layers/data/update_layers/July_2020/July_2020_enterprise_attack_beta.json +++ /dev/null 
@@ -1,1375 +0,0 @@ -{ - "version": "3.0", - "name": "July 2020 Enterprise Updates (vs v7.0-beta)", - "description": "Enterprise updates for the July 2020 release of ATT&CK. This layer represents the updates made between the beta and final release.", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1480.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.012", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "persistence", - "enabled": true, 
- "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1205.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.007", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1578.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1480", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1526", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1027", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1548", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1548", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1564", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1047", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1140", - "tactic": "defense-evasion", - "enabled": true, 
- "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1518.001", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1548.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1548.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1098.002", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1552", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1219", - "tactic": "command-and-control", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1213", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1098.001", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059.006", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1505", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1119", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546", - 
"tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1036.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1137.001", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542.003", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1137", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1553.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1202", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1074.001", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1005", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { 
- "techniqueID": "T1055.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1018", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1530", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.011", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1216.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1562", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1220", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.011", - "tactic": "persistence", - "enabled": true, - 
"color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.006", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059.001", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.013", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.013", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.001", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1216", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.008", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1574.007", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1553", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1552.006", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1074", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1134.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1134.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542.001", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1542.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1539", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.015", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.015", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1106", - "tactic": "execution", - "enabled": true, 
- "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.011", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1491", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1205", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1205", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1205", - "tactic": "command-and-control", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.010", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1134", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1134", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1127", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1518", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059.002", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1003.001", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1505.003", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059.005", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.002", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1090.004", - "tactic": "command-and-control", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1553.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1546.003", - "tactic": "persistence", - 
"enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1534", - "tactic": "lateral-movement", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1562.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1090", - "tactic": "command-and-control", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1059.004", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.004", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.014", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" 
- }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.012", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1115", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1569.001", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.003", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1098", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "enabled": 
true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1569", - "tactic": "execution", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1074.002", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.004", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1547", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1556", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1556", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1080", - "tactic": "lateral-movement", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1127.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1027.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": 
"T1187", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1218.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1491.002", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1027.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1497.002", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.006", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1574.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1545", - "tactic": "defense-evasion", - "enabled": true, - "color": "#ff00e1", - "comment": "deletion" - }, - { - "techniqueID": "T1545", - "tactic": "persistence", - "enabled": true, - "color": "#ff00e1", - "comment": 
"deletion" - }, - { - "techniqueID": "T1545", - "tactic": "command-and-control", - "enabled": true, - "color": "#ff00e1", - "comment": "deletion" - }, - { - "techniqueID": "T1545.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#ff00e1", - "comment": "deletion" - }, - { - "techniqueID": "T1545.001", - "tactic": "persistence", - "enabled": true, - "color": "#ff00e1", - "comment": "deletion" - }, - { - "techniqueID": "T1545.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#ff00e1", - "comment": "deletion" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - }, - { - "color": "#ff00e1", - "label": "deletions: objects which are present in the old data but not the new" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/July_2020/July_2020_mobile_attack.json b/layers/data/update_layers/July_2020/July_2020_mobile_attack.json deleted file mode 100644 index 9cfc2ae00..000000000 --- a/layers/data/update_layers/July_2020/July_2020_mobile_attack.json +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - "version": "3.0", - "name": "July 2020 Mobile Updates", - "description": "Mobile updates for the July 2020 release of ATT&CK. This layer represents the updates made since the last full release of ATT&CK.", - "domain": "mitre-mobile", - "techniques": [ - { - "techniqueID": "T1577", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1541", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1541", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1540", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1540", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1540", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1575", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1575", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1579", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1544", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1576", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1422", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": 
"defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1402", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1402", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1516", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1516", - "tactic": "impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1513", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1448", - "tactic": "impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1508", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1517", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1517", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1476", - "tactic": "initial-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1510", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1426", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - } - 
], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/July_2020/July_2020_mobile_attack_beta.json b/layers/data/update_layers/July_2020/July_2020_mobile_attack_beta.json deleted file mode 100644 index 94d1f239a..000000000 --- a/layers/data/update_layers/July_2020/July_2020_mobile_attack_beta.json +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "version": "3.0", - "name": "July 2020 Mobile Updates (vs v7.0-beta)", - "description": "Mobile updates for the July 2020 release of ATT&CK. This layer represents the updates made between the beta and final release.", - "domain": "mitre-mobile", - "techniques": [ - { - "techniqueID": "T1577", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1576", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1579", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1575", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1575", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1422", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1513", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1516", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1516", - "tactic": 
"impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1517", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1517", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1448", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/July_2020/README.md b/layers/data/update_layers/July_2020/README.md deleted file mode 100644 index 8114e4c50..000000000 --- a/layers/data/update_layers/July_2020/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# July 2020 update layers - -Due to the sub-techniques beta, we have split our update layers for this release into two different types: - -### Changes compared to the last full release -- [July_2020_enterprise_attack.json](July_2020_enterprise_attack.json) -- [July_2020_mobile_attack.json](July_2020_mobile_attack.json) - -### Changes compared to the sub-techniques beta -- [July_2020_enterprise_attack_beta.json](July_2020_enterprise_attack_beta.json) -- [July_2020_mobile_attack_beta.json](July_2020_mobile_attack_beta.json) 
diff --git a/layers/data/update_layers/March_2020_Updates_Enterprise.json b/layers/data/update_layers/March_2020_Updates_Enterprise.json deleted file mode 100644 index 10bd8c130..000000000 --- a/layers/data/update_layers/March_2020_Updates_Enterprise.json +++ /dev/null 
@@ -1,3751 +0,0 @@ -{ - "version": "3.0", - "name": "March 2020 Enterprise Updates", - "description": "Enterprise updates for the March 2020 release of ATT&CK", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1011.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1570", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.003", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.004", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.003", - "tactic": 
"defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.002", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.004", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1498.002", - 
"tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1497.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.006", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.003", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1052.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": 
"T1195.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.004", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1132.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - 
}, - { - "techniqueID": "T1548.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1102.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1195.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1498.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": 
"addition" - }, - { - "techniqueID": "T1565.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.003", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1518.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1569.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.004", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1545", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - 
}, - { - "techniqueID": "T1545", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1545", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": 
"addition" - }, - { - "techniqueID": "T1218.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.012", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.007", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.015", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.015", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564", - "tactic": "defense-evasion", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.010", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1557.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1491.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.004", - "tactic": "defense-evasion", - "enabled": true, 
- "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.009", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.009", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1564.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.002", - "tactic": 
"persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.014", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.014", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": 
"T1218.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.001", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - 
"techniqueID": "T1071.004", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1216.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.002", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.005", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - 
"comment": "addition" - }, - { - "techniqueID": "T1499.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.003", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1491.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.002", - "tactic": "defense-evasion", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.002", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.005", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1098.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.010", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.010", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1036.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.013", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.013", - "tactic": "persistence", - "enabled": 
true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.006", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.008", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1069.001", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.003", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1568.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.007", - "tactic": 
"defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1545.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1545.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1545.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.011", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1562.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1543.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - 
"techniqueID": "T1204.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.013", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.013", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.008", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.006", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - 
"comment": "addition" - }, - { - "techniqueID": "T1497.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.005", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.004", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1566.002", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1567", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1571", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1222.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1132.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "persistence", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1567.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.007", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1554", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.005", - "tactic": "privilege-escalation", - "enabled": 
true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.003", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.003", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.003", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1560", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.011", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.011", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1134.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1556.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1048.001", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.010", - "tactic": "defense-evasion", 
- "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1553.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1572", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1561.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.001", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.004", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1573.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.007", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.002", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.004", - "tactic": 
"lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565.002", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.012", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.012", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1559", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1547", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1551.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1027.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.003", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.003", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.007", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.007", 
- "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.002", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1003.005", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1074.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.001", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1037.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1213.002", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1499.001", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": 
"T1567.002", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1059.006", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1213.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1136.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1055.014", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1137.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1078.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - 
"techniqueID": "T1078.004", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1552.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1071.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.001", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.001", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1114.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.003", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1127.001", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1053.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1218.005", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.003", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1056.003", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1087.003", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": 
"addition" - }, - { - "techniqueID": "T1569.002", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1090.004", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.008", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.008", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1558", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1021.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1204.001", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1001.001", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1195.001", - "tactic": "initial-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1222.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1550.002", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.005", - "tactic": "defense-evasion", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.004", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1546.004", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1555.002", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1563.001", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1565.003", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1574.006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1569", - "tactic": "execution", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1074.001", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1542", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.002", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1548.002", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1110.001", - "tactic": "credential-access", - "enabled": true, - 
"color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1112", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1021", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1071", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1204", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1049", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1090", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1484", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1484", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1001", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1505", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1018", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1134", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1134", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1115", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - 
"techniqueID": "T1072", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1072", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1120", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1106", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1025", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1098", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1012", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1140", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1536", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - 
"comment": "change" - }, - { - "techniqueID": "T1216", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1207", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1136", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1029", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1016", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1212", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1105", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1518", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1059", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1187", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1219", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1074", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1083", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1132", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1124", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1041", - "tactic": "exfiltration", - 
"enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1551", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1047", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1055", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1195", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1497", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1048", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1082", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1080", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1037", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1037", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1027", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1020", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1056", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - 
"techniqueID": "T1056", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1197", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1197", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1202", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1005", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1010", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1095", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1491", - "tactic": "impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1033", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1220", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1114", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1203", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1087", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1189", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1190", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - 
"comment": "change" - }, - { - "techniqueID": "T1006", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1102", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1213", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1210", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1222", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1057", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1211", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1039", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1127", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1111", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1129", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1040", - "tactic": 
"credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1040", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1068", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1176", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1011", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1482", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1052", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1201", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1113", - "tactic": "collection", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1110", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1135", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1046", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1069", - "tactic": "discovery", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1528", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1485", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1525", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1498", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1499", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1217", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1007", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1486", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1529", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1137", - "tactic": "persistence", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1537", - "tactic": "exfiltration", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/March_2020_Updates_Mobile.json b/layers/data/update_layers/March_2020_Updates_Mobile.json deleted file mode 100644 index 3a8b25a14..000000000 --- a/layers/data/update_layers/March_2020_Updates_Mobile.json +++ /dev/null 
@@ -1,160 +0,0 @@ -{ - "version": "3.0", - "name": "March 2020 Mobile Updates", - "description": "Mobile updates for the March 2020 release of ATT&CK", - "domain": "mitre-mobile", - "techniques": [ - { - "techniqueID": "T1540", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1540", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1540", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1541", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1541", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1544", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1448", - "tactic": "impact", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1402", - "tactic": "persistence", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1402", - "tactic": "execution", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1508", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf3a2", - "comment": "change" - }, - { - "techniqueID": "T1476", - "tactic": "initial-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1510", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1517", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1517", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" 
- }, - { - "techniqueID": "T1516", - "tactic": "defense-evasion", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1516", - "tactic": "impact", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1513", - "tactic": "collection", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1426", - "tactic": "discovery", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "enabled": true, - "color": "#c7c4e0", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#a1d99b", - "label": "additions: objects which are present in the new data and not the old" - }, - { - "color": "#fcf3a2", - "label": "changes: objects which have a newer version number in the new data compared to the old" - }, - { - "color": "#c7c4e0", - "label": "minor_changes: objects which have a newer last edit date in the new data than in the old, but the same version number" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/October_2018_Updates_Enterprise.json b/layers/data/update_layers/October_2018_Updates_Enterprise.json deleted file mode 100644 index 934834b1f..000000000 --- a/layers/data/update_layers/October_2018_Updates_Enterprise.json +++ /dev/null 
@@ -1,259 +0,0 @@ -{ - "name": "October 2018 Updates Enterprise", - "version": "3.0", - "domain": "mitre-enterprise", - "description": "", - "filters": { - "stages": [ - "act" - ], - "platforms": [ - "Windows", - "Linux", - "macOS" - ] - }, - "sorting": 0, - "hideDisabled": false, - "techniques": [ - { - "techniqueID": "T1009", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1042", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1109", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1109", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1181", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1181", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1222", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1223", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1223", - "tactic": "execution", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1061", - "tactic": "execution", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1183", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1183", - "tactic": 
"persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1183", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1054", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1070", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1112", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1096", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1034", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1034", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "command-and-control", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1205", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1055", - "tactic": "defense-evasion", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - 
}, - { - "techniqueID": "T1060", - "tactic": "persistence", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1178", - "tactic": "privilege-escalation", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1051", - "tactic": "lateral-movement", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1111", - "tactic": "credential-access", - "color": "#fcf26b", - "comment": "Changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1220", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1220", - "tactic": "execution", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - } - ], - "gradient": { - "colors": [ - "#ff6666", - "#ffe766", - "#8ec843" - ], - "minValue": 0, - "maxValue": 100 - }, - "legendItems": [ - { - "color": "#a1d99b", - "label": "new techniques" - }, - { - "color": "#fcf26b", - "label": "changed scope, content, or tactics" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} diff --git a/layers/data/update_layers/October_2018_Updates_Mobile.json b/layers/data/update_layers/October_2018_Updates_Mobile.json deleted file mode 100644 index e08bdaa6a..000000000 --- a/layers/data/update_layers/October_2018_Updates_Mobile.json +++ /dev/null 
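Review bot: The deletion of `layers/data/update_layers/October_2018_Updates_Enterprise.json` (the `@@ -1,259 +0,0 @@` hunk) removes the whole file and leaves nothing at the old path, so please confirm before merging that no documentation link, default-layer setting or test fixture still points at it, since a layer fetched from that path will stop resolving once this lands. The file is a `"version": "3.0"` layer, so dropping it as outdated is reasonable, but the same check applies to the other files removed from `layers/data/update_layers/` in this patch. It would also help to name the removed directory in the release notes so that anyone who bookmarked these layers knows they were removed on purpose.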
@@ -1,202 +0,0 @@ -{ - "name": "October 2018 Updates Mobile", - "version": "3.0", - "domain": "mitre-mobile", - "description": "", - "filters": { - "stages": [ - "act" - ], - "platforms": [ - "Android", - "iOS" - ] - }, - "sorting": 0, - "hideDisabled": false, - "techniques": [ - { - "techniqueID": "T1475", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "created to consolidate several techniques from old tactic", - "enabled": true - }, - { - "techniqueID": "T1476", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "created to consolidate several techniques from old tactic", - "enabled": true - }, - { - "techniqueID": "T1466", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1456", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "renamed from Malicious Web Content and moved to Initial Access", - "enabled": true - }, - { - "techniqueID": "T1439", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1449", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1450", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1458", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "moved to Initial Access", - "enabled": true - }, - { - "techniqueID": "T1477", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "changed scope, content, or tactics", - "enabled": true - }, - { - "techniqueID": "T1478", - "tactic": "defense-evasion", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - 
"techniqueID": "T1478", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": "new technique", - "enabled": true - }, - { - "techniqueID": "T1464", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1461", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "moved to Initial Access", - "enabled": true - }, - { - "techniqueID": "T1463", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1470", - "tactic": "remote-service-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1468", - "tactic": "remote-service-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1469", - "tactic": "remote-service-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1444", - "tactic": "initial-access", - "color": "#fcf26b", - "comment": "moved to Initial Access", - "enabled": true - }, - { - "techniqueID": "T1467", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1465", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1451", - "tactic": "network-effects", - "color": "#fcf26b", - "comment": "moved into new tactics from the Network-Based Effects Matrix", - "enabled": true - }, - { - "techniqueID": "T1474", - "tactic": "initial-access", - "color": "#a1d99b", - "comment": 
"created to consolidate several techniques in the old tactic", - "enabled": true - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "color": "#fcf26b", - "comment": "changed scope, content, or tactics", - "enabled": true - } - ], - "gradient": { - "colors": [ - "#ff6666", - "#ffe766", - "#8ec843" - ], - "minValue": 0, - "maxValue": 100 - }, - "legendItems": [ - { - "color": "#a1d99b", - "label": "new technique" - }, - { - "color": "#fcf26b", - "label": "changed scope, content, or tactics" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/October_2019_Updates_Enterprise.json b/layers/data/update_layers/October_2019_Updates_Enterprise.json deleted file mode 100644 index 0ff5855e0..000000000 --- a/layers/data/update_layers/October_2019_Updates_Enterprise.json +++ /dev/null 
@@ -1,2197 +0,0 @@ -{ - "version": "3.0", - "name": "October 2019 Enterprise Updates", - "description": "Enterprise updates for the October 2019 release of ATT&CK", - "domain": "mitre-enterprise", - "techniques": [ - { - "techniqueID": "T1506", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1506", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1503", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1528", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1504", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1504", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1522", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1531", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1519", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1519", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1537", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1530", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1526", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1502", - "tactic": "defense-evasion", - "enabled": true, - "color": 
"#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1502", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1527", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1527", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1525", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1529", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1505", - "tactic": "persistence", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1539", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1538", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1534", - "tactic": "lateral-movement", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1514", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1535", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1536", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1518", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1117", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1117", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - 
"techniqueID": "T1007", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1170", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1170", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1098", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1098", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1154", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1154", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1199", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1110", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1143", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1045", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1175", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1175", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1068", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1204", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1069", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - 
"comment": "change" - }, - { - "techniqueID": "T1496", - "tactic": "impact", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1121", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1121", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1082", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1016", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1028", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1028", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1033", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1222", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1049", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1220", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1220", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1114", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1205", - "tactic": "command-and-control", - "enabled": true, - "color": 
"#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1497", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1497", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1077", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1164", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1063", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1189", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1053", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1012", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1087", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1074", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1081", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1127", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1127", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1136", - "tactic": "persistence", - 
"enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1118", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1118", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1054", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1058", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1058", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1108", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1108", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1099", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1018", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1135", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1084", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1090", - "tactic": "command-and-control", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1090", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1213", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1009", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": 
"T1083", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1153", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1156", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1005", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1048", - "tactic": "exfiltration", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1120", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1187", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1192", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1003", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1190", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1078", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1144", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1072", - "tactic": "execution", - "enabled": true, - "color": "#fcf26b", - "comment": 
"change" - }, - { - "techniqueID": "T1072", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1036", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1137", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1057", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1080", - "tactic": "lateral-movement", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1046", - "tactic": "discovery", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1223", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1223", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1056", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1056", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1169", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1092", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1216", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1216", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1152", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1152", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1152", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1015", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1015", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1115", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1019", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1029", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1173", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1104", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1035", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1119", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1123", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1160", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1160", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1008", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1105", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1105", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1184", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1060", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1198", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1198", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1487", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1100", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1100", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1102", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1102", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1085", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1085", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1148", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1050", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - 
}, - { - "techniqueID": "T1050", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1096", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1138", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1138", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1166", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1166", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1142", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1101", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1188", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1493", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1146", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1178", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1023", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1489", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1043", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - 
"comment": "minor_change" - }, - { - "techniqueID": "T1071", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1186", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1032", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1031", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1195", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1001", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1494", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1206", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1495", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1488", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1086", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1030", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1203", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1150", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1150", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - 
"comment": "minor_change" - }, - { - "techniqueID": "T1150", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1193", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1157", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1157", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1130", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1095", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1026", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1159", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1172", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1047", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1180", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1011", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1134", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1134", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1139", - "tactic": "credential-access", - 
"enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1109", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1109", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1163", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1044", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1044", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1182", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1182", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1191", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1191", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1021", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1038", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1038", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1038", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1106", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1208", - "tactic": 
"credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1174", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1498", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1014", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1194", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1147", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1212", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1079", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1002", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1065", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1064", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1064", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1485", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1211", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1103", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1103", - 
"tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1133", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1133", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1076", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1067", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1197", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1197", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1051", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1486", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1111", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1004", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1132", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1171", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1075", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1089", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1219", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1482", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1124", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1141", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1027", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1024", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1112", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1480", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1149", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1501", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1161", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1209", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1165", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1165", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1040", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": 
"minor_change" - }, - { - "techniqueID": "T1040", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1052", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1185", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1070", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1107", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1017", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1129", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1145", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1196", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1196", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1215", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1131", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1061", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1484", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1168", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" 
- }, - { - "techniqueID": "T1168", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1097", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1483", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1492", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1113", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1125", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1155", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1155", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1176", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1210", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1177", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1177", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1055", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1055", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1094", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - 
}, - { - "techniqueID": "T1490", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1214", - "tactic": "credential-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1091", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1091", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1041", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1200", - "tactic": "initial-access", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1218", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1218", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1499", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1059", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1151", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1151", - "tactic": "execution", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1073", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1491", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1088", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - 
"techniqueID": "T1088", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1037", - "tactic": "lateral-movement", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1037", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1034", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1034", - "tactic": "privilege-escalation", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1221", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1201", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1162", - "tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#fcf26b", - "label": "changes" - }, - { - "color": "#a1d99b", - "label": "additions" - }, - { - "color": "#0043ff", - "label": "minor_changes" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/update_layers/October_2019_Updates_Mobile.json b/layers/data/update_layers/October_2019_Updates_Mobile.json deleted file mode 100644 index 4975ceb35..000000000 --- a/layers/data/update_layers/October_2019_Updates_Mobile.json +++ /dev/null 
@@ -1,370 +0,0 @@ -{ - "version": "3.0", - "name": "October 2019 Mobile Updates", - "description": "Mobile updates for the October 2019 release of ATT&CK", - "domain": "mitre-mobile", - "techniques": [ - { - "techniqueID": "T1521", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1533", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1510", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1507", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1520", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1516", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1516", - "tactic": "impact", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1512", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1513", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1508", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1532", - "tactic": "exfiltration", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1509", - "tactic": "command-and-control", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1523", - "tactic": "defense-evasion", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1523", - "tactic": "discovery", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - 
}, - { - "techniqueID": "T1517", - "tactic": "collection", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1517", - "tactic": "credential-access", - "enabled": true, - "color": "#a1d99b", - "comment": "addition" - }, - { - "techniqueID": "T1475", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1476", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1447", - "tactic": "impact", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1407", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1446", - "tactic": "impact", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1446", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1411", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1414", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1414", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1409", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1409", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1400", - "tactic": "defense-evasion", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1400", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1400", - "tactic": "impact", - "enabled": true, - "color": 
"#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1444", - "tactic": "initial-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1471", - "tactic": "impact", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1417", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1403", - "tactic": "persistence", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1433", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1429", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1412", - "tactic": "collection", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1412", - "tactic": "credential-access", - "enabled": true, - "color": "#fcf26b", - "comment": "change" - }, - { - "techniqueID": "T1426", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1406", - "tactic": "defense-evasion", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1430", - "tactic": "collection", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1430", - "tactic": "discovery", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1436", - "tactic": "command-and-control", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1436", - "tactic": "exfiltration", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1402", - 
"tactic": "persistence", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1472", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1452", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - }, - { - "techniqueID": "T1448", - "tactic": "impact", - "enabled": true, - "color": "#0043ff", - "comment": "minor_change" - } - ], - "sorting": 0, - "hideDisabled": false, - "legendItems": [ - { - "color": "#fcf26b", - "label": "changes" - }, - { - "color": "#a1d99b", - "label": "additions" - }, - { - "color": "#0043ff", - "label": "minor_changes" - } - ], - "showTacticRowBackground": true, - "tacticRowBackground": "#205b8f", - "selectTechniquesAcrossTactics": true -} \ No newline at end of file diff --git a/layers/data/samples/ATTACKcon/Black_Pins.json b/layers/samples/ATTACKcon 2018/Black_Pins.json similarity index 100% rename from layers/data/samples/ATTACKcon/Black_Pins.json rename to layers/samples/ATTACKcon 2018/Black_Pins.json diff --git a/layers/data/samples/ATTACKcon/Blue_Pins.json b/layers/samples/ATTACKcon 2018/Blue_Pins.json similarity index 100% rename from layers/data/samples/ATTACKcon/Blue_Pins.json rename to layers/samples/ATTACKcon 2018/Blue_Pins.json diff --git a/layers/data/samples/ATTACKcon/Gold_Pins.json b/layers/samples/ATTACKcon 2018/Gold_Pins.json similarity index 100% rename from layers/data/samples/ATTACKcon/Gold_Pins.json rename to layers/samples/ATTACKcon 2018/Gold_Pins.json diff --git a/layers/data/samples/ATTACKcon/Red_Pins.json b/layers/samples/ATTACKcon 2018/Red_Pins.json similarity index 100% rename from layers/data/samples/ATTACKcon/Red_Pins.json rename to layers/samples/ATTACKcon 2018/Red_Pins.json 
diff --git a/layers/data/samples/ATTACKcon/Submitter_Responses.json b/layers/samples/ATTACKcon 2018/Submitter_Responses.json similarity index 100% rename from layers/data/samples/ATTACKcon/Submitter_Responses.json rename to layers/samples/ATTACKcon 2018/Submitter_Responses.json diff --git a/layers/data/samples/Bear_APT.json b/layers/samples/Bear_APT.json similarity index 100% rename from layers/data/samples/Bear_APT.json rename to layers/samples/Bear_APT.json diff --git a/layers/data/samples/heatmap_layer.json b/layers/samples/heatmap_layer.json similarity index 100% rename from layers/data/samples/heatmap_layer.json rename to layers/samples/heatmap_layer.json diff --git a/layers/LAYERFORMATv1.md b/layers/spec/v1.0/layerformat.md similarity index 95% rename from layers/LAYERFORMATv1.md rename to layers/spec/v1.0/layerformat.md index da77be973..0bcd4e0f9 100755 --- a/layers/LAYERFORMATv1.md +++ b/layers/spec/v1.0/layerformat.md @@ -1,5 +1,5 @@ # ATT&CKTM Navigator Layer File Format Definition -This document describes **Version 1** of the MITRE ATT&CK Navigator Layer file format. The ATT&CK Navigator stores layers as JSON, therefore this document defines the JSON properties in a layer file. +This document describes **Version 1.0** of the MITRE ATT&CK Navigator Layer file format. The ATT&CK Navigator stores layers as JSON, therefore this document defines the JSON properties in a layer file. ## Property Table diff --git a/layers/LAYERFORMATv1_1.md b/layers/spec/v1.1/layerformat.md similarity index 100% rename from layers/LAYERFORMATv1_1.md rename to layers/spec/v1.1/layerformat.md diff --git a/layers/LAYERFORMATv1_2.md b/layers/spec/v1.2/layerformat.md similarity index 100% rename from layers/LAYERFORMATv1_2.md rename to layers/spec/v1.2/layerformat.md diff --git a/layers/LAYERFORMATv1_3.md b/layers/spec/v1.3/layerformat.md similarity index 100% rename from layers/LAYERFORMATv1_3.md rename to layers/spec/v1.3/layerformat.md 
diff --git a/layers/LAYERFORMATv2.md b/layers/spec/v2.0/layerformat.md similarity index 100% rename from layers/LAYERFORMATv2.md rename to layers/spec/v2.0/layerformat.md diff --git a/layers/LAYERFORMATv2_1.md b/layers/spec/v2.1/layerformat.md similarity index 100% rename from layers/LAYERFORMATv2_1.md rename to layers/spec/v2.1/layerformat.md diff --git a/layers/LAYERFORMATv2_2.md b/layers/spec/v2.2/layerformat.md similarity index 100% rename from layers/LAYERFORMATv2_2.md rename to layers/spec/v2.2/layerformat.md diff --git a/layers/LAYERFORMATv3.md b/layers/spec/v3.0/layerformat.md similarity index 100% rename from layers/LAYERFORMATv3.md rename to layers/spec/v3.0/layerformat.md diff --git a/layers/LAYERFORMATv4.md b/layers/spec/v4.0/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4.md rename to layers/spec/v4.0/layerformat.md diff --git a/layers/LAYERFORMATv4_1.md b/layers/spec/v4.1/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4_1.md rename to layers/spec/v4.1/layerformat.md diff --git a/layers/LAYERFORMATv4_2.md b/layers/spec/v4.2/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4_2.md rename to layers/spec/v4.2/layerformat.md diff --git a/layers/LAYERFORMATv4_3.md b/layers/spec/v4.3/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4_3.md rename to layers/spec/v4.3/layerformat.md diff --git a/layers/LAYERFORMATv4_4.md b/layers/spec/v4.4/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4_4.md rename to layers/spec/v4.4/layerformat.md diff --git a/layers/LAYERFORMATv4_5.md b/layers/spec/v4.5/layerformat.md similarity index 100% rename from layers/LAYERFORMATv4_5.md rename to layers/spec/v4.5/layerformat.md diff --git a/layers/update-layers.py b/layers/update-layers.py deleted file mode 100644 index 3c3800c7a..000000000 --- a/layers/update-layers.py +++ /dev/null 
@@ -1,149 +0,0 @@ -import argparse -import requests -import json - -revoked_by = {} #attackID => {replacing attackID, tactics[] of new technique} -domains = { - "enterprise-attack": {"url": "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json", "downloaded": False }, - "mobile-attack": {"url": "https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json", "downloaded": False } -} - -# backwards compatability for domain format -domain_backwards_compatability = { - "enterprise-attack": "enterprise-attack", # no change - "mitre-enterprise": "enterprise-attack", - "mobile-attack": "mobile-attack", # no change - "mitre-mobile": "mobile-attack", - "ics-attack": "ics-attack" # no change - # ICS had no old format domain -} - -def download_domain(domain): - # download the data for the domain - print("\t-", "downloading data for", domain) - stix_data = requests.get(domains[domain]["url"], verify=False).json()["objects"] - print("\t-", "parsing data for", domain) - # get stixID to attackID mapping for techniques - attack_id_map = {} - techniques = filter(lambda sdo: sdo["type"] == "attack-pattern", stix_data) - for technique in techniques: - tactics = list(map(lambda kcp: kcp["phase_name"], technique["kill_chain_phases"])) if "kill_chain_phases" in technique else [] - attack_id_map[technique["id"]] = { - "attackID": technique["external_references"][0]["external_id"], - "tactics": tactics - } - - # build revocations of techniques - revocations = filter(lambda sdo: sdo["type"] == "relationship" and sdo["relationship_type"] == "revoked-by", stix_data) - for revocation in revocations: - if revocation["source_ref"] in attack_id_map and revocation["target_ref"] in attack_id_map: - revoked_by[attack_id_map[revocation["source_ref"]]["attackID"]] = attack_id_map[revocation["target_ref"]] - # record that it's already downloaded so we don't download twice - domains[domain]["downloaded"] = True - -def update_layer(layerfile, 
replace=False): - print("processing", layerfile) - with open(layerfile, "r") as f: - layer = json.load(f) - - layer["domain"] = domain_backwards_compatability[layer["domain"]] # patch old domain setup - - # download data for appropriate domains - if not domains[layer["domain"]]["downloaded"]: - download_domain(layer["domain"]) - else: - print("data already downloaded for", layer["domain"]) - - # update viewMode to layout - if "viewMode" in layer: - print("\t-", "updating viewMode to layout") - if layer["viewMode"] == 0: - layer["layout"] = { - "layout": "side", - "showName": True, - "showID": False - } - elif layer["viewMode"] == 1: - layer["layout"] = { - "layout": "side", - "showName": False, - "showID": True - } - elif layer["viewMode"] == 2: - layer["layout"] = { - "layout": "mini", - "showName": False, - "showID": False - } - del layer["viewMode"] - - # update with new platform formats - if "filters" in layer and "platforms" in layer["filters"]: - platforms = [] - for platform in layer["filters"]["platforms"]: - platform_mappings = { - "android": "Android", - "ios": "iOS", - "windows": "Windows", - "linux": "Linux", - "mac": "macOS" - } - if platform in platform_mappings: - new_platform = platform_mappings[platform] - print("\t-", "updating platform", platform, "to", new_platform) - platforms.append(new_platform) - else: - platforms.append(platform) - layer["filters"]["platforms"] = platforms - - # remove stages filter - if "filters" in layer and "stages" in layer["filters"]: - layer["filters"].pop("stages") - - # update techniques by revocations - for technique in layer["techniques"]: - if technique["techniqueID"] in revoked_by: - new_id = revoked_by[technique["techniqueID"]]["attackID"] - if "tactic" in technique: - print("\t-", "updating technique", technique["techniqueID"], "(" + technique["tactic"] + ")", "to", new_id) - else: - print("\t-", "updating technique", technique["techniqueID"], "to", new_id) - # make sure tactic hasn't changed - if "tactic" in 
technique and technique["tactic"] not in revoked_by[technique["techniqueID"]]["tactics"]: - print("\t -", "WARNING: replacing technique is no longer in the", technique["tactic"], "tactic, annotations will be skipped") - continue - technique["techniqueID"] = new_id - - # set the version to current - layer["versions"] = { - "navigator": "4.0", - "layer": "4.0", - "attack": "8" - } - - # output layer - outfile = layerfile if replace else layerfile.split(".")[0] + "-updated.json" - with open(outfile, "w") as f: - print("\t-", "writing", outfile) - f.write(json.dumps(layer, indent=2)) - - -if __name__ == '__main__': - # download data depending on domain - parser = argparse.ArgumentParser( - description="Updates outdated layer files. Follows revoked-by relationships in the STIX data to update layers with revoked techniques to use the replacing techniques, and updates layers to the latest version of the layer file format." - ) - parser.add_argument("layers", - type=str, - nargs="+", - help="paths to the layers to update" - ) - parser.add_argument("--replace", - action="store_true", - help="replace the layer files with the updated version. If flag not specified, appends '-updated' to the end of the file name." - ) - args = parser.parse_args() - - # update the layers - for layer in args.layers: - update_layer(layer, args.replace) diff --git a/nav-app/angular.json b/nav-app/angular.json index fc0895f55..273c07da2 100644 --- a/nav-app/angular.json +++ b/nav-app/angular.json @@ -20,7 +20,7 @@ "allowedCommonJsDependencies": ["lodash", "is_js", "seedrandom", "typed_function", "tinygradient", "exceljs"], "assets": [ { "glob": "*.md", "input": "../", "output": "/" }, - { "glob": "*.md", "input": "../layers", "output": "/layers" }, + { "glob": "**/*", "input": "../layers", "output": "/layers" }, "src/assets", "src/favicon.ico" ], diff --git a/nav-app/src/app/help/help.component.ts b/nav-app/src/app/help/help.component.ts index 4c7e78d90..53609c276 100755 
--- a/nav-app/src/app/help/help.component.ts +++ b/nav-app/src/app/help/help.component.ts @@ -86,7 +86,6 @@ export class HelpComponent implements OnInit { */ public openLayerDialog(): void { this.dialog.open(LayerInformationComponent, { - maxWidth: '90ch', autoFocus: false, panelClass: this.data.theme, }); diff --git a/nav-app/src/app/layer-information/layer-information.component.spec.ts b/nav-app/src/app/layer-information/layer-information.component.spec.ts index c48a08abd..33da37329 100644 --- a/nav-app/src/app/layer-information/layer-information.component.spec.ts +++ b/nav-app/src/app/layer-information/layer-information.component.spec.ts @@ -29,8 +29,7 @@ describe('LayerInformationComponent', () => { }); it('should return correct layerFormatLink based on global layer version', () => { - let layerVersion = globals.layerVersion.split('.'); - let formatFilePath = `./layers/LAYERFORMATv${layerVersion[0]}_${layerVersion[1]}.md`; - expect(component.layerFormatLink).toBe(formatFilePath); + let filePath = `./layers/spec/v${globals.layerVersion}/layerformat.md`; + expect(component.layerFormatLink).toBe(filePath); }); }); diff --git a/nav-app/src/app/layer-information/layer-information.component.ts b/nav-app/src/app/layer-information/layer-information.component.ts index f71a50316..17c88b60c 100644 --- a/nav-app/src/app/layer-information/layer-information.component.ts +++ b/nav-app/src/app/layer-information/layer-information.component.ts @@ -9,6 +9,6 @@ import * as globals from '../utils/globals'; }) export class LayerInformationComponent { public get layerFormatLink(): string { - return `./layers/LAYERFORMATv${globals.layerVersion.replace('.', '_')}.md`; + return `./layers/spec/v${globals.layerVersion}/layerformat.md`; } } diff --git a/nav-app/src/app/tabs/tabs.component.spec.ts b/nav-app/src/app/tabs/tabs.component.spec.ts index 9bffb12a8..255be097b 100755 --- a/nav-app/src/app/tabs/tabs.component.spec.ts +++ b/nav-app/src/app/tabs/tabs.component.spec.ts 
@@ -28,7 +28,7 @@ describe('TabsComponent', () => { let testTab = new Tab('test tab', true, false, 'enterprise-attack', true); let loadData = { - url: 'https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json', + url: 'https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json', version: '14', identifier: 'enterprise-attack', }; @@ -726,7 +726,7 @@ describe('TabsComponent', () => { let alertSpy = spyOn(window, 'alert'); let consoleSpy = spyOn(console, 'error'); component - .loadLayerFromURL('https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json', false) + .loadLayerFromURL('https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json', false) .then(() => { expect(consoleSpy).toHaveBeenCalled(); expect(alertSpy).toHaveBeenCalled(); diff --git a/nav-app/src/assets/config.json b/nav-app/src/assets/config.json index 527f254c5..7add4d200 100755 --- a/nav-app/src/assets/config.json +++ b/nav-app/src/assets/config.json @@ -24,7 +24,7 @@ "default_layers": { "enabled": false, - "urls": ["assets/example.json", "https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json"] + "urls": ["assets/example.json", "https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json"] }, "comment_color": "yellow", diff --git a/nav-app/src/tests/utils/mock-data.ts b/nav-app/src/tests/utils/mock-data.ts index d9a4f70ca..ad138ae99 100644 --- a/nav-app/src/tests/utils/mock-data.ts +++ b/nav-app/src/tests/utils/mock-data.ts 
@@ -78,11 +78,11 @@ export const configDataExtended = { }; export const defaultLayersEnabled = { enabled: true, - urls: ['https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json'], + urls: ['https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json'], }; export const defaultLayersDisabled = { enabled: false, - urls: ['https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/data/samples/Bear_APT.json'], + urls: ['https://raw.githubusercontent.com/mitre-attack/attack-navigator/master/layers/samples/Bear_APT.json'], }; export const taxiiData = {
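Review bot: In the sample renames, the new directory `layers/samples/ATTACKcon 2018/` contains a space, so every raw.githubusercontent.com link to these five files has to be percent-encoded (`ATTACKcon%202018`) and every shell command that touches them has to quote the path. A name such as `ATTACKcon_2018` keeps the paths URL-safe and consistent with the other sample paths in this patch, for example `layers/samples/Bear_APT.json`.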
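Review bot: The deletion of `layers/update-layers.py` is not covered by the CHANGELOG entry, which mentions only the directory restructure and the removed layer samples. The script's own description says it follows `revoked-by` relationships and upgrades old layers to the current format, so users with pre-4.0 layers lose that path without notice; please add a line stating that it is removed and what to use instead. If the script is being moved elsewhere rather than dropped, the `requests.get(domains[domain]["url"], verify=False)` call should not move with it unchanged, since it turns off TLS certificate verification for the STIX download.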
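Review bot: In `nav-app/angular.json`, widening the `../layers` asset glob from `*.md` to `**/*` copies every file under `layers/` into the build output and serves it from `/layers`, including the `samples/` JSON files and anything added to that directory later. The only consumer visible in this patch is `layerFormatLink`, which needs `spec/v<version>/layerformat.md`, so a glob limited to `spec/**/*.md` would publish just the spec files. If shipping the samples with the app is intended, state that in the CHANGELOG entry.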
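Review bot: In `layer-information.component.spec.ts`, the expected value is built from the same template as the getter under test (`./layers/spec/v${globals.layerVersion}/layerformat.md`), so the assertion holds for any value of `globals.layerVersion`, including one that has no matching directory under `layers/spec/`. Assert against a literal path for the current layer version so that a version bump without a corresponding spec directory is caught in review of the test change.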
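Review bot: In `nav-app/src/assets/config.json`, the `default_layers` URL points at the `master` branch with the new path `layers/samples/Bear_APT.json`, which only resolves once this rename is on `master`, and any deployment whose own config still uses `layers/data/samples/Bear_APT.json` will stop loading that layer at the same moment. The CHANGELOG entry should call out the sample path move as a change that affects existing `default_layers` URLs and external links; the same URL is updated in `tabs.component.spec.ts` and `mock-data.ts`, so the note applies to all three.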