Heroes, Pennsylvania reveals a breach, and Google implements a novel approach to taking down Black Hats. Here's a look at the current cybersecurity landscape for November 19, 2025.
The Pennsylvania Office of the Attorney General (OAG) has officially confirmed it suffered a data breach resulting from a ransomware attack in August. The attack is attributed to the "Inc Ransom" group. While the OAG has not specified the exact nature of the data compromised, a breach at a state-level legal and law enforcement agency is highly significant and could involve sensitive case files, PII, and other confidential information.
Business impact
This breach severely undermines public trust and could expose sensitive legal strategies, witness information, and personal data of citizens and government employees. The incident carries a high risk of follow-on fraud, identity theft, and potential interference with ongoing legal cases.
Recommended action
While the breach has already occurred, this incident serves as a critical reminder for all public sector organizations to review their ransomware defense, incident response, and data backup strategies. Third-party organizations that interact with the PA OAG should be on high alert for related phishing or social engineering attempts.
Fortinet has released a patch for a new zero-day vulnerability, CVE-2025-58034, in its FortiWeb Web Application Firewall (WAF). The vulnerability is confirmed to be actively exploited in the wild. Details on the nature of the vulnerability are limited, but its active exploitation requires immediate attention from all organizations using the affected products.
Business impact
Failure to patch this vulnerability could lead to a complete compromise of the FortiWeb appliance, allowing attackers to bypass security controls, access sensitive backend application data, or use the compromised device as a pivot point for further network intrusion. This poses a direct threat to data integrity and availability for web applications protected by FortiWeb.
Recommended action
All organizations using FortiWeb appliances must apply the vendor-supplied patch immediately. Monitor FortiWeb logs for any indicators of compromise or unusual activity preceding the patch deployment.
CERT Polska has disclosed a vulnerability, CVE-2025-9977, in the Times Software E-Payroll application. The flaw resides in the login process, where a POST parameter is not properly sanitized. This could potentially allow an attacker to bypass authentication or execute arbitrary code, depending on how the unsanitized value is processed by the application.
Business impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive payroll data, including employee personally identifiable information (PII), salary details, and financial records. This could result in significant financial fraud, identity theft, and severe regulatory penalties.
Recommended action
Organizations using Times Software E-Payroll should immediately check for patches or mitigation guidance from the vendor. Restrict access to the application's login interface and review logs for any anomalous POST requests.
A widespread attack campaign, dubbed ShadowRay 2.0, is actively compromising exposed Ray AI/Python framework clusters. Attackers are exploiting a known remote code execution flaw to deploy a self-propagating botnet that uses the clusters' computational power for cryptomining. The campaign highlights the growing risk of unsecured AI/ML infrastructure becoming a prime target for resource hijacking.
Business impact
Compromised Ray clusters will suffer from significant performance degradation, leading to increased operational costs and disruption of critical AI/ML workloads. The presence of the botnet also creates a persistent security risk, as the malware could be updated to exfiltrate data or launch further attacks.
Recommended action
Immediately audit all Ray cluster deployments for public exposure and apply necessary patches for known vulnerabilities. Implement strict network access controls and monitor clusters for signs of unauthorized processes or excessive resource consumption.
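One concrete form of the exposure audit recommended above, as an added example that is not from the newsletter or the Ray project: it parses `ss -ltnp` style socket listings (a constructed sample is embedded) and flags Ray's well-known service ports when they listen on a wildcard or non-loopback address. The port numbers (6379 for the head GCS, 8265 for the dashboard, 10001 for the client server) are assumed from Ray's defaults and should be adjusted for clusters started with custom ports.

```python
"""Flag Ray service ports bound to non-loopback addresses.

Added example for the ShadowRay item; not from the newsletter or the Ray
project. Parses `ss -ltnp` style output (constructed sample below) and reports
Ray's well-known ports when they are reachable beyond localhost.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed Ray default ports (head GCS, dashboard, client server).
RAY_PORTS = {6379: "GCS (head node)", 8265: "dashboard", 10001: "client server"}

# Constructed sample in the shape of `ss -ltnp` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8265       0.0.0.0:*          users:(("python",pid=1201,fd=15))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("gcs_server",pid=1190,fd=9))
LISTEN  0       4096    *:10001              *:*                users:(("python",pid=1205,fd=22))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       128     [::1]:8265           [::]:*             users:(("python",pid=1201,fd=16))
"""

# State, Recv-Q, Send-Q, local addr:port, peer, then the process column.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


@dataclass
class Finding:
    port: int
    service: str
    local_address: str
    process: str


def is_exposed(addr: str) -> bool:
    """True when a bind address is reachable from other hosts."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: surface it for review rather than hide it


def find_exposed_ray_ports(ss_output: str) -> list[Finding]:
    """Return one Finding per Ray port that is listening beyond localhost."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN socket
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3).strip()
        if port in RAY_PORTS and is_exposed(addr):
            findings.append(Finding(port, RAY_PORTS[port], addr, proc))
    return findings


if __name__ == "__main__":
    for f in find_exposed_ray_ports(SAMPLE_SS_OUTPUT):
        print(f"[EXPOSED] {f.service} on {f.local_address}:{f.port} ({f.process})")
```

On a live node, feed it the real listing, for example the stdout of `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True)`; any finding means the port needs a host firewall rule, a bind to the private interface, or authentication in front of it. The dashboard bound to 127.0.0.1 and ::1 in the sample is the intended state.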
Google is leveraging civil litigation, including RICO and CFAA statutes, to sue the operators of a Phishing-as-a-Service (PhaaS) platform. This legal action aims to dismantle the malicious infrastructure and disrupt the cybercrime ecosystem where criminal prosecution is often slow or impossible. This represents a significant shift, with tech companies taking a more aggressive legal stance to protect their users and brand.
Business impact
The success of such lawsuits could establish a new precedent for disrupting cybercrime operations, making it more difficult and legally risky for threat actors to operate. This strategy complements technical defenses by attacking the business model of cybercrime itself.
Recommended action
This is a strategic intelligence item. Security leaders should monitor the outcome of this case, as it may influence future public-private partnerships and strategies for combating large-scale cybercrime.
Microsoft discusses the future of cybersecurity in an era dominated by AI agents, advocating for a shift towards "ambient and autonomous security." This paradigm involves security systems that can operate independently, adapt to new threats, and manage the complex interactions between humans and AI agents. This strategic brief is crucial for leaders planning long-term security architecture and investments to align with the rapid advancements in AI.
Kaspersky's latest quarterly report details the evolution of IT threats during the third quarter of 2025. The analysis, based on updated statistical methodologies, provides a high-level overview of trends in both mobile and traditional computing environments. This report offers valuable context for understanding broader threat patterns and adjusting strategic security priorities for the coming months.
Spotlight Rationale: In response to high-impact data breaches like the one confirmed at the Pennsylvania OAG, the ability to discover, classify, and protect sensitive data at scale is critical. Today's intelligence highlights the direct consequences of failing to secure sensitive information against ransomware groups.
Platform Focus: Varonis Data Security Platform with Microsoft Purview DSPM Integration
Varonis has announced a new integration with Microsoft Purview's Data Security Posture Management (DSPM) solution. This collaboration enriches Purview with Varonis's detailed data sensitivity and access signals from a wide range of third-party platforms like Salesforce. This provides security teams with a single, unified view of their sensitive data risk across both Microsoft and non-Microsoft environments, directly addressing the challenge of protecting disparate data stores from threats like ransomware.
Actionable Platform Guidance: Organizations using both Microsoft Purview and Varonis should engage with their respective representatives to enable this integration. This will allow them to centralize data security insights, improve the accuracy of sensitive data discovery, and streamline incident response by having a comprehensive view of data exposure before and during an attack.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Varonis & Microsoft Purview
# Action Plan for Varonis-Purview DSPM Integration
# 1. Prerequisite Verification:
# - Confirm active licensing for both Varonis Data Security Platform and Microsoft Purview.
# - Ensure network connectivity and required API permissions are established between Varonis and your Azure tenant.
# 2. Enable Integration:
# - Contact your Varonis and/or Microsoft account team to request access to the DSPM integration feature.
# - Follow the vendor-provided guide to configure the data connector within the Microsoft Purview compliance portal, authorizing Varonis as a signal provider.
# 3. Data Synchronization and Validation:
# - Initiate the first data synchronization from Varonis to Purview.
# - In the Purview portal, verify that Varonis-discovered sensitive data from sources like Salesforce is appearing alongside Microsoft 365 data.
# - Validate that Varonis-generated alerts (e.g., unusual data access) are correctly ingested and correlated within Purview's incident dashboard.
# 4. Policy and Alert Tuning:
# - Review and tune Purview data security policies to leverage the new, richer context provided by Varonis.
# - Adjust alert thresholds based on the combined intelligence to reduce false positives and prioritize high-risk activities.
2. YARA Rule for FortiWeb Zero-Day (CVE-2025-58034) Indicators
rule Detect_FortiWeb_Exploit_Attempt_CVE_2025_58034 {
    meta:
        description = "Detects potential exploit patterns associated with the FortiWeb zero-day CVE-2025-58034. This is a template and requires tuning with specific IOCs."
        author = "Threat Rundown"
        date = "2025-11-19"
        reference = "https://securityaffairs.com/?p=184806"
        severity = "critical"
        tlp = "white"
    strings:
        // Placeholder for a specific, anomalous URI path observed in exploit attempts
        $uri_pattern = "/path/to/vulnerable/endpoint?param=" ascii wide
        // Placeholder for a unique User-Agent or other header value used by attackers
        $header_pattern = "User-Agent: Malicious-Scanner-v1" ascii wide
        // Placeholder for a specific payload string
        $payload_str = "specific_exploit_command" ascii wide
    condition:
        // This rule should be applied to captured web traffic logs from the FortiWeb device
        all of them
}
3. SIEM Query - Hunting for FortiWeb Exploitation (CVE-2025-58034)
Query for Splunk; adapt for other SIEMs. Add specific URI paths, user agents, or source IPs to the second search clause once IOCs are published (SPL does not accept // comments inside a pipeline, so the notes are kept out of the query).
sourcetype="fortinet:fortiweb:http"
| search action!="blocked" status=200
| search (uri_path="/suspicious/path/exploit.cgi" OR http_user_agent="ExploitTool/1.0")
| stats count by src_ip, dest_ip, uri_path, http_user_agent
| where count > 5
| sort -count
| rename count as "SuspiciousRequestCount"
| table src_ip, dest_ip, uri_path, http_user_agent, SuspiciousRequestCount
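The same hunting logic replayed outside Splunk, as an added example that is neither Fortinet's code nor part of the original newsletter. It assumes FortiWeb-style key=value log lines (a constructed sample is embedded) that carry the same field names the SPL query uses, and it reproduces each stage of the pipeline: the status/action filter, the IOC match, the aggregation, the `count > 5` threshold and the sort. The URI path and User-Agent are the query's placeholders and must be replaced once IOCs are published.

```python
"""Replay the FortiWeb hunting query over sample log lines.

Added example; not Fortinet's code and not part of the original newsletter.
Assumes key=value log lines with the field names used by the SPL query.
"""
import re
from collections import Counter

# Placeholders carried over from the SPL query; replace with published IOCs.
SUSPICIOUS_URI_PATHS = {"/suspicious/path/exploit.cgi"}
SUSPICIOUS_USER_AGENTS = {"ExploitTool/1.0"}
THRESHOLD = 5  # mirrors `| where count > 5`

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv_line(line: str) -> dict:
    """Parse one key=value log line into a dict of strings."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def hunt(lines, threshold: int = THRESHOLD) -> list[dict]:
    """Apply the query's filter, aggregation, threshold and sort stages."""
    counts = Counter()
    for line in lines:
        ev = parse_kv_line(line)
        # | search action!="blocked" status=200
        if ev.get("action") == "blocked" or ev.get("status") != "200":
            continue
        # | search (uri_path=... OR http_user_agent=...)
        if (ev.get("uri_path") not in SUSPICIOUS_URI_PATHS
                and ev.get("http_user_agent") not in SUSPICIOUS_USER_AGENTS):
            continue
        # | stats count by src_ip, dest_ip, uri_path, http_user_agent
        counts[(ev.get("src_ip"), ev.get("dest_ip"),
                ev.get("uri_path"), ev.get("http_user_agent"))] += 1
    # | where count > 5 | sort -count | rename count as "SuspiciousRequestCount"
    rows = [{"src_ip": k[0], "dest_ip": k[1], "uri_path": k[2],
             "http_user_agent": k[3], "SuspiciousRequestCount": n}
            for k, n in counts.items() if n > threshold]
    rows.sort(key=lambda r: r["SuspiciousRequestCount"], reverse=True)
    return rows


def _line(src: str, action: str, status: int, path: str, ua: str) -> str:
    """Build one constructed FortiWeb-style log line."""
    return (f'date=2025-11-19 time=10:00:00 src_ip={src} dest_ip=10.0.0.5 '
            f'action={action} status={status} uri_path="{path}" http_user_agent="{ua}"')


# Constructed sample: one noisy source above the threshold, one below it,
# a burst the WAF already blocked (excluded by design), and ordinary traffic.
SAMPLE_LOGS = (
    [_line("203.0.113.10", "alert", 200, "/suspicious/path/exploit.cgi", "ExploitTool/1.0")] * 7
    + [_line("198.51.100.7", "alert", 200, "/suspicious/path/exploit.cgi", "curl/8.0")] * 3
    + [_line("203.0.113.44", "blocked", 403, "/suspicious/path/exploit.cgi", "ExploitTool/1.0")] * 9
    + [_line("192.0.2.8", "alert", 200, "/index.html", "Mozilla/5.0")] * 12
)

if __name__ == "__main__":
    for row in hunt(SAMPLE_LOGS):
        print(row)
```

Note what the threshold hides: the second source in the sample hit the suspicious path three times with a 200 response and is dropped by `count > 5`, exactly as the SPL would drop it. When hunting a zero-day, run the same logic once more with a threshold of 0 or 1 so that low-and-slow probing is reviewed as well.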
4. PowerShell Script - Check for ShadowRay IOCs on Windows Hosts
# This script is a template to check for hypothetical file-based IOCs related to the ShadowRay campaign.
# Indicators should be updated as they become available.
$suspiciousFileHashes = @{
    "C:\Users\Public\Downloads\ray_updater.exe" = "SHA256_HASH_PLACEHOLDER_1";
    "C:\Temp\compute.dll"                       = "SHA256_HASH_PLACEHOLDER_2";
}

Write-Host "Scanning for ShadowRay campaign file indicators..."
foreach ($filePath in $suspiciousFileHashes.Keys) {
    if (Test-Path $filePath) {
        $fileHash = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
        if ($fileHash -eq $suspiciousFileHashes[$filePath]) {
            Write-Host "[ALERT] Found suspicious file matching ShadowRay IOC: $filePath" -ForegroundColor Red
        } else {
            Write-Host "[INFO] Found file at suspicious path, but hash does not match: $filePath" -ForegroundColor Yellow
        }
    }
}
Write-Host "Scan complete."
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
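Before importing a bundle like the one below, it is worth checking that it is internally consistent, since an automated feed can ship dangling references or mismatched descriptions. The following added example (not part of the newsletter and not a STIX library) uses only the standard library to verify that every `object_refs`, `created_by_ref` and `object_marking_refs` entry resolves to an object in the same bundle, that ids follow the `<type>--<uuid>` form, and that each vulnerability object's description actually mentions the CVE it names; it then flattens the vulnerabilities for export. The embedded bundle is a constructed, shortened stand-in for the published one, with made-up placeholder ids.

```python
"""Sanity-check a STIX 2.1 bundle before importing it into a SIEM or TIP.

Added example; not part of the original newsletter and not a STIX library.
The embedded bundle is constructed and its ids are placeholders.
"""
import json
import re

STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

MARKING = "marking-definition--22222222-2222-4222-8222-222222222222"
FEED = "identity--33333333-3333-4333-8333-333333333333"
VULN = "vulnerability--44444444-4444-4444-8444-444444444444"
REPORT = "report--55555555-5555-4555-8555-555555555555"
MISSING = "attack-pattern--66666666-6666-4666-8666-666666666666"  # deliberately absent

# Constructed sample bundle (placeholder ids, not from the feed).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": MARKING,
         "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0",
         "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
        {"type": "identity", "spec_version": "2.1", "id": FEED,
         "name": "Example Feed", "identity_class": "organization"},
        {"type": "vulnerability", "spec_version": "2.1", "id": VULN,
         "name": "CVE-2025-58034",
         "description": "FortiWeb zero-day patched by the vendor.",  # lacks the CVE id
         "external_references": [{"source_name": "cve", "external_id": "CVE-2025-58034"}],
         "created_by_ref": FEED, "object_marking_refs": [MARKING]},
        {"type": "report", "spec_version": "2.1", "id": REPORT,
         "name": "Threat Intelligence Report - 2025-11-19",
         "published": "2025-11-19T13:38:17.870Z",
         "object_refs": [FEED, VULN, MISSING], "created_by_ref": FEED},
    ],
})


def load_bundle(text: str) -> dict:
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def malformed_ids(bundle: dict) -> list:
    """Ids that do not follow the <type>--<uuid> convention."""
    return [o.get("id", "<missing>") for o in bundle["objects"]
            if not STIX_ID_RE.match(o.get("id", ""))]


def dangling_refs(bundle: dict) -> dict:
    """Map object id -> referenced ids that are absent from the bundle."""
    present = {o["id"] for o in bundle["objects"] if "id" in o}
    problems = {}
    for obj in bundle["objects"]:
        refs = list(obj.get("object_refs", [])) + list(obj.get("object_marking_refs", []))
        if "created_by_ref" in obj:
            refs.append(obj["created_by_ref"])
        missing = [r for r in refs if r not in present]
        if missing:
            problems[obj["id"]] = missing
    return problems


def mismatched_vuln_descriptions(bundle: dict) -> list:
    """Vulnerability objects whose description never mentions their own name."""
    return [o["id"] for o in bundle["objects"]
            if o.get("type") == "vulnerability"
            and o.get("name") and o.get("name") not in o.get("description", "")]


def extract_vulnerabilities(bundle: dict) -> list:
    """Flatten vulnerability objects to id, name and CVE ids for export."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "vulnerability":
            continue
        cves = sorted({r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "cve" and "external_id" in r})
        out.append({"id": obj["id"], "name": obj.get("name"), "cves": cves})
    return out


def ready_for_import(bundle: dict) -> bool:
    """True only when ids are well-formed and every reference resolves."""
    return not malformed_ids(bundle) and not dangling_refs(bundle)


if __name__ == "__main__":
    b = load_bundle(SAMPLE_BUNDLE)
    print("dangling:", dangling_refs(b))
    print("mismatched descriptions:", mismatched_vuln_descriptions(b))
    print("vulnerabilities:", extract_vulnerabilities(b))
    print("ready:", ready_for_import(b))
```

Run against the published bundle by passing the saved JSON to `load_bundle`. The description check is not a spec requirement, so it reports rather than blocks; it would flag the CVE-2025-58034 object in the bundle below, whose description text concerns the Varonis integration rather than the FortiWeb flaw, which is worth correcting before the object lands in a TIP as enrichment.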
{
"type": "bundle",
"id": "bundle--567f033e-7941-4ea6-87e0-9f0e642bd781",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--cf73e62c-3526-4227-bb37-3ef5080c1146",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--b58fc65a-616d-453e-a701-c6ab3ba0a9e0",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"name": "Threat Intelligence Report - 2025-11-19",
"description": "Threat Intelligence Report - 2025-11-19\n\nThis report consolidates actionable cybersecurity intelligence from 87 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Varonis Announces New Microsoft Purview DSPM Integration (Score: 100)\n• New FortiWeb zero-day CVE-2025-58034 under attack patched by Fortinet (Score: 100)\n• Analyze AWS Network Firewall logs using Amazon OpenSearch dashboard (Score: 100)\n• Bill Largent: On epic reads, lifelong learning, and empathy (Score: 100)\n• Microsoft Unveils Security Enhancements for Identity, Defense, Compliance (Score: 100)\n\nEXTRACTED ENTITIES:\n• 31 Attack Pattern(s)\n• 1 Marking Definition(s)\n• 6 Relationship(s)\n• 2 Threat Actor(s)\n• 1 Tool(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-19T13:38:17.870Z",
"object_refs": [
"identity--cf73e62c-3526-4227-bb37-3ef5080c1146",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"identity--ef2b7947-9704-4ef1-aa2c-f851ec298519",
"identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"identity--14f4a526-b812-4dde-818a-ea4b61147b6a",
"identity--7e326481-38b2-41cb-bfdc-01bd3616f369",
"identity--40416163-20f0-4fbf-9b1b-6fa528702daa",
"identity--3b3fab43-dd90-4de4-92cf-882871455cf2",
"identity--6e903063-e398-408b-95bb-a79f6445171b",
"identity--b81e0301-d2bc-4f52-96a7-f330f7b2238a",
"identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"identity--8ab8376a-b261-46d5-beed-eb624e865f18",
"identity--a782cd42-da9c-4428-9a29-7548c23a9afa",
"identity--bea66eff-1768-40e4-9d44-77ef880741a1",
"identity--e0805c18-217e-4859-b3bf-5fd1221905e5",
"identity--c4e7c40a-5b32-43f2-ab64-e5dd1d106174",
"identity--91889494-9896-493d-855f-219340c5ad50",
"threat-actor--1bb97c31-b094-4483-9bc1-b45488c4cc73",
"identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"identity--56bf1e2d-5540-458a-b453-7ef5ae8ac4e0",
"identity--9e9710bb-c936-43c6-9dbe-3ea9bd402ed5",
"identity--9e221940-56db-4bff-9bec-74d128f9e398",
"identity--3ae3a0f9-69b3-41f1-add8-06c8e80ccb32",
"identity--c7816e41-8fd5-4cdb-aa58-dab2f4941ee6",
"identity--c5a4a488-0f6e-4747-a3ca-c02ad0b7e598",
"identity--40ad243f-d6e5-4e92-ac9a-f485af0c3376",
"identity--01c3a82c-3675-4c6b-bf58-2cd10e6b546a",
"identity--924915e3-0edd-4fd7-a0de-e13c0305db5f",
"identity--69268c33-6dec-4faa-a418-09b5f7cf3f86",
"tool--9b2f8e39-6ef0-4fea-826c-ed3f982552d8",
"identity--5aac2a37-5c3e-49dd-a58f-8c7948cb2c6c",
"identity--69dc2e0e-3c8f-4419-98b5-8c3b3159869f",
"identity--55002d32-4f63-4bec-9d1d-313be1288a12",
"identity--4432ecd8-a1d5-4876-8163-2b138f4af7e7",
"identity--fdf3b224-8270-433b-b5c3-267ed0546d96",
"identity--26ac9aad-1c38-495e-908a-d40627f5246c",
"threat-actor--482bb05b-eba6-4311-a6a7-14c1a631a7e3",
"vulnerability--5687549e-eb3c-4796-9a87-f737da038bfa",
"identity--5d393703-17ab-4d70-8400-b43a4b79d42e",
"identity--684340e8-d939-4b21-9acb-3a70cc9bba98",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--9325bcc6-c11d-4aec-aaea-a5fd82035bd5",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--d7071d58-f8d5-4ecb-9a0c-67be9c2fa496",
"attack-pattern--66eadfa7-b2f9-47eb-8355-f93b5343f8fd",
"attack-pattern--84e3f4d3-4768-4b3c-8559-7547d3d836ca",
"attack-pattern--9177f72b-d9a0-4bc3-a63e-5f88098b7b96",
"attack-pattern--bb8e93cc-5495-417b-9b6c-2c104b2930e9",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--3dfbd980-9c7a-4d3d-9e53-14e24b1fabdf",
"attack-pattern--f760717d-5b8a-4175-b9b4-03024fa8c285",
"attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d",
"attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"relationship--f1e41025-7989-47b2-9c41-8c00f5072c7c",
"relationship--5e7d97d4-7b91-4000-bdbd-12afdb3cea66",
"relationship--d7cdabc5-824c-48bb-b546-e2d8eee09c1e",
"relationship--89aae958-1ac8-447b-9caa-7e0eaff5f5dc",
"relationship--24953316-69c8-4f01-95ab-4489043cacd4",
"relationship--c65e6057-a8f4-4913-9829-acbd1d33f070"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--cf73e62c-3526-4227-bb37-3ef5080c1146",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"name": "FortiWeb",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "FortiWeb is a web application firewall (WAF) that protects web applications from various types of cyber threats, including SQL injection, cross-site scripting (XSS), and denial-of-service (DoS) attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"name": "Creators & Presenters",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Creators & Presenters is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"name": "Fortinet",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Fortinet is a company that specializes in developing and providing cybersecurity solutions, including network security, threat protection, and network access control, to protect organizations from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--ef2b7947-9704-4ef1-aa2c-f851ec298519",
"name": "Varonis",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Varonis is a data security company that provides solutions for data governance, data security, and compliance.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"name": "Salesforce",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Salesforce is a cloud-based software company that provides customer relationship management (CRM) solutions for businesses to manage sales, marketing, and customer service operations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"name": "CVE-2025-58034",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-58034",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58034"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-58034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58034"
}
],
"description": "By integrating Varonis signals into Purview, data security teams gain unified visibility into sensitive data across third-party platforms like Salesforce alongside their Microsoft data. “This security integration be",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--14f4a526-b812-4dde-818a-ea4b61147b6a",
"name": "Trend Micro",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Trend Micro is a cybersecurity software company that specializes in developing and providing antivirus software, firewall protection, and other security solutions for individuals and businesses.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--7e326481-38b2-41cb-bfdc-01bd3616f369",
"name": "Amazon CloudWatch",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon CloudWatch is a monitoring and observability service that provides real-time data and insights into the performance and health of Amazon Web Services (AWS) resources and applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--40416163-20f0-4fbf-9b1b-6fa528702daa",
"name": "Amazon OpenSearch Service",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon OpenSearch Service is a managed service that makes it easy to deploy, secure, and scale the OpenSearch engine in the cloud.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--3b3fab43-dd90-4de4-92cf-882871455cf2",
"name": "AWS Network Firewall",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "AWS Network Firewall is a managed network firewall service that helps protect network traffic flowing in and out of AWS resources by providing visibility and control over network traffic.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--6e903063-e398-408b-95bb-a79f6445171b",
"name": "Talos",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Talos is a threat intelligence and security research group that provides threat intelligence, malware analysis, and security research to help protect against cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--b81e0301-d2bc-4f52-96a7-f330f7b2238a",
"name": "FortiWeb Zero-Day",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "FortiWeb Zero-Day is a vulnerability or exploit that refers to a previously unknown security weakness in the FortiWeb web application firewall, allowing unauthorized access or attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"name": "Gmail",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Gmail is a free web-based email service provided by Google that allows users to send and receive emails securely.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--8ab8376a-b261-46d5-beed-eb624e865f18",
"name": "Amazon Elastic Compute Cloud",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon Elastic Compute Cloud (EC2) is a web service that provides scalable virtual servers in the cloud, allowing users to run applications and services on Amazon's scalable infrastructure.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--a782cd42-da9c-4428-9a29-7548c23a9afa",
"name": "Amazon EC2",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon EC2 is a web service that provides scalable virtual servers in the cloud, allowing users to run applications and services on a flexible and on-demand computing environment.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--bea66eff-1768-40e4-9d44-77ef880741a1",
"name": "the Kaspersky Security Network",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "The Kaspersky Security Network is a cloud-based system that collects and analyzes threat data from Kaspersky users to provide real-time protection and improve cybersecurity services.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--e0805c18-217e-4859-b3bf-5fd1221905e5",
"name": "Reliance",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Reliance is a multinational conglomerate headquartered in India, operating in various sectors including telecommunications, retail, and energy.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--c4e7c40a-5b32-43f2-ab64-e5dd1d106174",
"name": "Mike Rounds",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Mike Rounds is a U.S. Senator from South Dakota, serving since 2015. He is a member of the Republican Party and has been involved in various legislative efforts related to cybersecurity and national security.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--91889494-9896-493d-855f-219340c5ad50",
"name": "DoorDash",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "DoorDash is a U.S.-based food delivery and logistics company that experienced a social engineering attack leading to a data breach, exposing users' names, addresses, emails, and phone numbers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--1bb97c31-b094-4483-9bc1-b45488c4cc73",
"name": "Dashers",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Dashers is a group of individuals, likely threat actors, who have been involved in a data breach at DoorDash, a U.S.-based food delivery and logistics company, where they exposed names, addresses, emails, and phone numbers of users, Dashers, and merchants.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"name": "Cloudflare",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cloudflare is a company that provides a suite of cybersecurity services, including content delivery networks, web application firewalls, and distributed denial-of-service (DDoS) protection, to help protect websites and applications from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--56bf1e2d-5540-458a-b453-7ef5ae8ac4e0",
"name": "the Cloudflare Incident",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "The Cloudflare Incident is a global outage that occurred on November 18, 2025, caused by an unspecified issue, not a DDoS attack, resulting in widespread confusion and incorrect reports of a DDoS incident.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--9e9710bb-c936-43c6-9dbe-3ea9bd402ed5",
"name": "Eurofiber",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Eurofiber is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--9e221940-56db-4bff-9bec-74d128f9e398",
"name": "Chrome",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Chrome is a web browser developed by Google that allows users to access and navigate the internet securely and efficiently.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--3ae3a0f9-69b3-41f1-add8-06c8e80ccb32",
"name": "Microsoft Edge",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft Edge is a web browser developed by Microsoft that provides a secure and fast browsing experience with features such as password management and tracking protection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.861Z",
"modified": "2025-11-19T13:38:16.861Z",
"confidence": 95,
"type": "identity",
"id": "identity--c7816e41-8fd5-4cdb-aa58-dab2f4941ee6",
"name": "Google Chrome",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google Chrome is a free web browser developed by Google that provides a secure and fast browsing experience with features like tab management and extensions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--c5a4a488-0f6e-4747-a3ca-c02ad0b7e598",
"name": "Votiro",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Votiro is a cybersecurity company specializing in file sanitization and secure file handling solutions to protect against zero-day attacks and malware threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--40ad243f-d6e5-4e92-ac9a-f485af0c3376",
"name": "Nudge Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Nudge Security is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--01c3a82c-3675-4c6b-bf58-2cd10e6b546a",
"name": "Mend.io",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Mend.io is a company that specializes in cloud security and provides a platform for secure cloud infrastructure and application development.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--924915e3-0edd-4fd7-a0de-e13c0305db5f",
"name": "Mend.io's Risk Reduction Dashboard",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Mend.io's Risk Reduction Dashboard is a platform that provides real-time visibility into software risk and security posture, enabling organizations to identify and mitigate vulnerabilities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--69268c33-6dec-4faa-a418-09b5f7cf3f86",
"name": "Stripe",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Stripe is a global online payment processing system that enables businesses to securely accept and manage various payment methods.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "tool",
"id": "tool--9b2f8e39-6ef0-4fea-826c-ed3f982552d8",
"name": "ClamAV",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "ClamAV is a free, open-source antivirus software toolkit designed to detect and remove malware, including viruses, trojans, and other malicious software. It is widely used in various industries, including security and IT, to scan and protect systems from malware threats. In the context provided, the user is considering using ClamAV as a freeware alternative to a commercial malware scanning tool.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--5aac2a37-5c3e-49dd-a58f-8c7948cb2c6c",
"name": "Windows",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Windows is a proprietary operating system developed by Microsoft for personal computers, providing a platform for running applications, managing hardware resources, and offering various features for productivity and security.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--69dc2e0e-3c8f-4419-98b5-8c3b3159869f",
"name": "LG Electronics",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "LG Electronics is a multinational electronics company that designs and manufactures consumer electronics, home appliances, and mobile communications products.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--55002d32-4f63-4bec-9d1d-313be1288a12",
"name": "Red Hat Advanced Cluster Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Red Hat Advanced Cluster Security is a security solution that provides threat detection, vulnerability management, and compliance for Kubernetes clusters.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--4432ecd8-a1d5-4876-8163-2b138f4af7e7",
"name": "Beazley Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Beazley Security is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--fdf3b224-8270-433b-b5c3-267ed0546d96",
"name": "Active Directory",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Active Directory is a directory service that manages and secures access to network resources, user identities, and permissions within an organization.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--26ac9aad-1c38-495e-908a-d40627f5246c",
"name": "Microsoft Security Copilot",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft Security Copilot is an AI-powered security tool that integrates with Microsoft products to provide threat detection, incident response, and security recommendations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--482bb05b-eba6-4311-a6a7-14c1a631a7e3",
"name": "After Ransomware",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "After Ransomware, also known as Inc Ransom group, is a cyber threat actor responsible for a recent data breach, claiming to have stolen several terabytes of data. The group's activities have been reported in the context of ransomware attacks, highlighting the need for robust cybersecurity measures to prevent such incidents.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5687549e-eb3c-4796-9a87-f737da038bfa",
"name": "CVE-2025-9977",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-9977",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9977"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-9977",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9977"
}
],
"description": "There are over four million unfilled cybersecurity jobs, so depending solely on hum",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--5d393703-17ab-4d70-8400-b43a4b79d42e",
"name": "cyble.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cyble.com is a cybersecurity company that helps organizations track, monitor, and combat cyber threats, and provides intelligence on dark web activities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 95,
"type": "identity",
"id": "identity--684340e8-d939-4b21-9acb-3a70cc9bba98",
"name": "chromereleases.googleblog.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "chromereleases.googleblog.com is a blog where Google announces and discusses updates, releases, and changes to the Chrome browser and related projects.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:16.862Z",
"modified": "2025-11-19T13:38:16.862Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--9325bcc6-c11d-4aec-aaea-a5fd82035bd5",
"name": "Windows Command Shell",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/003/",
"external_id": "T1059.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"name": "Valid Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1078",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1078/",
"external_id": "T1078"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"name": "Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1021",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1021/",
"external_id": "T1021"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c",
"name": "Lateral Tool Transfer",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1570",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1570/",
"external_id": "T1570"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--d7071d58-f8d5-4ecb-9a0c-67be9c2fa496",
"name": "Social Media Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1586.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1586/001/",
"external_id": "T1586.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 82,
"type": "attack-pattern",
"id": "attack-pattern--66eadfa7-b2f9-47eb-8355-f93b5343f8fd",
"name": "Social Media",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1593.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1593/001/",
"external_id": "T1593.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 76,
"type": "attack-pattern",
"id": "attack-pattern--84e3f4d3-4768-4b3c-8559-7547d3d836ca",
"name": "Code Repositories",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1213.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1213/003/",
"external_id": "T1213.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 75,
"type": "attack-pattern",
"id": "attack-pattern--9177f72b-d9a0-4bc3-a63e-5f88098b7b96",
"name": "Cloud Service Dashboard",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1538",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1538/",
"external_id": "T1538"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 72,
"type": "attack-pattern",
"id": "attack-pattern--bb8e93cc-5495-417b-9b6c-2c104b2930e9",
"name": "Endpoint Denial of Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"x_mitre_id": "T1499",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1499/",
"external_id": "T1499"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.869Z",
"modified": "2025-11-19T13:38:17.869Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--3dfbd980-9c7a-4d3d-9e53-14e24b1fabdf",
"name": "Compromise Software Dependencies and Development Tools",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/001/",
"external_id": "T1195.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--f760717d-5b8a-4175-b9b4-03024fa8c285",
"name": "Spearphishing Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1598.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1598/001/",
"external_id": "T1598.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d",
"name": "Email Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1586.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1586/002/",
"external_id": "T1586.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"name": "Safe Mode Boot",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1562.009",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1562/009/",
"external_id": "T1562.009"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f1e41025-7989-47b2-9c41-8c00f5072c7c",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1bb97c31-b094-4483-9bc1-b45488c4cc73",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: dashers uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5e7d97d4-7b91-4000-bdbd-12afdb3cea66",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1bb97c31-b094-4483-9bc1-b45488c4cc73",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: dashers uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d7cdabc5-824c-48bb-b546-e2d8eee09c1e",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1bb97c31-b094-4483-9bc1-b45488c4cc73",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: dashers uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--89aae958-1ac8-447b-9caa-7e0eaff5f5dc",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--482bb05b-eba6-4311-a6a7-14c1a631a7e3",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: after ransomware uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--24953316-69c8-4f01-95ab-4489043cacd4",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--482bb05b-eba6-4311-a6a7-14c1a631a7e3",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: after ransomware uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c65e6057-a8f4-4913-9829-acbd1d33f070",
"created": "2025-11-19T13:38:17.870Z",
"modified": "2025-11-19T13:38:17.870Z",
"relationship_type": "uses",
"source_ref": "threat-actor--482bb05b-eba6-4311-a6a7-14c1a631a7e3",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: after ransomware uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
}
]
}