Cybersecurity Latest Rundown

Threat Rundown

Industry Watch

🚨 Healthcare (HIPAA) CRITICAL

Threat activity 3.2x above normal

Key threat: Ransomware targeting critical infrastructure and management systems

Action: Review Romanian Waters Ransomware, Oracle Breach Impact

Finance & Tech (SOX) ELEVATED

Threat activity 2.5x above normal

Key threat: Database vulnerabilities and cloud tenant risks

Action: Review Critical MongoDB 'MongoBleed' Flaw, KMSAuto Malware

CyberSecurity Latest Rundown

Heroes, late breaking critical news. Here's a detailed look at the current cybersecurity landscape for December 30, 2025.

CRITICAL ITEMS

Critical MongoDB 'MongoBleed' Flaw Added to CISA KEV
Date & Time: 2025-12-30T08:33:56

CISA has added a critical vulnerability (CVE-2025-14847) in MongoDB Server to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. This flaw allows unauthenticated attackers to leak sensitive data from affected database instances.

Business impact

If exploited, attackers could exfiltrate proprietary customer data or financial records without credentials - expect immediate regulatory scrutiny, potential fines under SOX/FISMA, and mandatory breach notifications.

Recommended action

Ask your IT team: "Have we identified all internet-facing MongoDB instances and applied the patch for CVE-2025-14847 immediately?"

CVE: CVE-2025-14847 | Compliance: SOX, FISMA | Source: Security Affairs ↗, Security Boulevard ↗
Operator of KMSAuto Malware Arrested After Infecting 2.8 Million Systems
Date & Time: 2025-12-30T11:26:46

Authorities have arrested a Lithuanian national accused of distributing the KMSAuto malware, which masqueraded as software activation tools to infect 2.8 million systems and steal clipboard data.

Business impact

Widespread use of unauthorized software activation tools by employees creates a massive shadow IT risk, potentially exposing corporate credentials and sensitive data copied to clipboards.

Recommended action

Ask your Endpoint Security team: "Do we have a policy and detection logic in place to block the execution of 'KMSAuto' and similar software piracy tools?"

CVE: n/a | Compliance: SOX | Source: Security Affairs ↗

HIGH SEVERITY ITEMS

Oracle Breach Analysis Reveals Amplified Cloud Tenant Risks
Date & Time: 2025-12-30T14:00:58

New analysis of the Oracle breach highlights the severe risks posed by rogue cloud tenants and the challenges organizations face in detecting exposure within complex cloud environments.

Business impact

Reliance on shared cloud infrastructure requires rigorous tenant isolation; failure to detect rogue tenants could lead to cross-tenant data leakage and compliance violations.

Recommended action

Ask your Cloud Security Architects: "Have we audited our tenant isolation configurations and third-party access controls in light of the Oracle breach findings?"

CVE: n/a | Compliance: SOX | Source: Security Boulevard ↗
Mustang Panda Deploys Kernel-Mode Rootkit for TONESHELL Backdoor
Date & Time: 2025-12-30T08:35:00

The Mustang Panda threat group is utilizing a signed kernel-mode rootkit to deploy the TONESHELL backdoor, targeting Asian entities in a sophisticated espionage campaign.

Business impact

Successful rootkit implantation allows attackers to hide deep within the infrastructure, facilitating long-term espionage and intellectual property theft that is extremely difficult to detect.

Recommended action

Ask your SOC: "Does our EDR solution have visibility into kernel-level driver loading, and are we blocking known malicious driver signatures?"

CVE: n/a | Compliance: General Enterprise | Source: The Hacker News ↗
Romanian National Water Authority Hit by Ransomware
Date & Time: 2025-12-29T11:33:48

Romanian Waters, the national water management authority, suffered a ransomware attack compromising nearly 1,000 systems, underscoring the continued threat to critical infrastructure.

Business impact

Operational downtime in critical utility sectors can lead to public safety risks and severe reputational damage, emphasizing the need for robust disaster recovery plans.

Recommended action

Ask your IT team: "Have we tested our offline backups this month to ensure we can recover from a similar mass-encryption event?"

CVE: n/a | Compliance: HIPAA, SOX | Source: Check Point Research ↗
AI Prompt Injection Risks in Claude Code and GitHub Copilot
Date & Time: 2025-12-30T08:38:07

Security experts warn that AI coding assistants like Claude Code and GitHub Copilot are vulnerable to zero-click prompt injection attacks, potentially treating LLMs as untrusted actors.

Business impact

Developers using these tools could inadvertently introduce malicious code or exfiltrate sensitive codebase data if the AI processes a malicious prompt.

Recommended action

Ask your AppSec team: "Do we have guidelines for developers on the safe use of AI coding assistants regarding sensitive proprietary code?"

CVE: n/a | Compliance: SOX | Source: Reddit ↗

MEDIUM SEVERITY ITEMS

State-Level AI Regulation Accelerates in Absence of Federal Guidance
Date & Time: 2025-12-30T00:00:00

States like California are implementing their own AI laws (e.g., S.B. 53) to shape AI development, creating a fragmented regulatory landscape for businesses.

CVE: n/a | Compliance: SOX, HIPAA | Source: CyberScoop ↗
Top Sectors Under Cyberattack in 2025
Date & Time: 2025-12-30T05:45:17

Global cyberattacks have increased by mid-single digits in 2025, with Europe seeing a sharp 22% jump, highlighting regional disparities in threat volume.

CVE: n/a | Compliance: SOX, GDPR | Source: Kratikal ↗

🔵 LOW SEVERITY ITEMS

KrebsOnSecurity Celebrates 16th Anniversary
Date & Time: 2025-12-29T20:23:26

Brian Krebs marks 16 years of independent investigative journalism, reflecting on a year of significant engagement and industry developments.

CVE: n/a | Compliance: SOX, HIPAA | Source: KrebsOnSecurity ↗

OTHER NOTEWORTHY ITEMS

Quantum Computing Breakthrough Challenges Encryption Secrets
Date & Time: 2025-12-29T20:08:32

New discussions on quantum technological breakthroughs suggest that current encryption standards may soon be obsolete, pushing the urgency for post-quantum cryptography.

Source: Lifeboat ↗

EXECUTIVE INSIGHTS

The Top Cybersecurity Predictions For 2026
Date & Time: 2025-12-30T14:35:02

Industry leaders and Cybercrime Magazine editors outline the top 26 security predictions for the coming year, focusing on government technology and evolving threat vectors.

Source: Cybersecurity Ventures ↗

VENDOR SPOTLIGHT

Spotlight Rationale: Selected for relevance to the MongoBleed (CVE-2025-14847) exploit and Mustang Panda rootkit activity reported today.

Threat Context: CVE-2025-14847

Platform Focus: Palo Alto Networks Next-Generation Firewalls (NGFW) and Cortex XDR

Palo Alto Networks addresses today's critical threats through a multi-layered approach. Their NGFW Threat Prevention signatures can block the network traffic associated with the MongoBleed exploit before it reaches the database. Simultaneously, Cortex XDR's Behavioral Threat Protection is designed to identify and block the loading of malicious kernel drivers, such as the rootkit used by Mustang Panda to deploy the TONESHELL backdoor.

Actionable Platform Guidance: Ensure Threat Prevention content is updated to the latest release to include coverage for CVE-2025-14847. Verify that "Behavioral Threat Protection" is enabled in Cortex XDR profiles to detect unsigned or suspicious driver loading events.

Source: Palo Alto Networks ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Palo Alto Networks

# Actionable Guidance for Palo Alto Networks Administrators

1. IMMEDIATE: Update Threat Prevention Content
- Navigate to Device > Dynamic Updates
- Check for latest Applications and Threats content
- Download and Install immediately to ensure coverage for CVE-2025-14847

2. IMMEDIATE: Verify Security Profiles
- Go to Policies > Security
- Ensure the 'Vulnerability Protection' profile is applied to rules allowing traffic to MongoDB (Port 27017)
- Set action to 'Reset-both' for critical severity threats

3. VERIFICATION: Cortex XDR Agent Settings
- In Cortex XDR management console, go to Endpoints > Policy Management
- Edit the Malware Protection profile
- Ensure "Behavioral Threat Protection" is set to BLOCK
- Ensure "Block unknown kernel modules" is ENABLED (to mitigate Mustang Panda rootkits)

2. YARA Rule for MongoBleed/CVE-2025-14847

rule Detect_MongoBleed_Indicators {
meta:
description = "Detects artifacts associated with MongoBleed exploitation and CVE-2025-14847"
author = "Threat Rundown"
date = "2025-12-30"
reference = "https://securityaffairs.com/?p=186297"
severity = "high"
tlp = "white"
strings:
$s1 = "MongoBleed" ascii wide
$s2 = "CVE-2025-14847" ascii wide
$s3 = "MongoDB" ascii wide
$h1 = { 4D 6F 6E 67 6F 42 6C 65 65 64 } /* Hex for MongoBleed */
condition:
(any of ($s*) or $h1) and $s3
}

3. SIEM Query — MongoDB Exploitation Attempts

index=security sourcetype="stream:http" OR sourcetype="suricata"
(dest_port=27017 OR app="mongodb")
| eval risk_score=case(
match(_raw, "CVE-2025-14847"), 100,
match(_raw, "MongoBleed"), 100,
match(http_method, "DEBUG"), 75,
1==1, 25)
| where risk_score >= 50
| table _time, src_ip, dest_ip, dest_port, risk_score, _raw
| sort -_time

4. PowerShell Script — KMSAuto Artifact Detection

$computers = "localhost", "SERVER01", "WKSTN01"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
# Detects presence of KMSAuto tools based on common names
$suspicious = Get-ChildItem -Path "C:\ProgramData", "C:\Users" -Recurse -ErrorAction SilentlyContinue -Include "*KMSAuto*", "*KMS_VL_ALL*" | Select-Object FullName, CreationTime

if ($suspicious) {
Write-Host "[ALERT] KMSAuto artifacts found on $computer" -ForegroundColor Red
$suspicious | Format-Table -AutoSize
} else {
Write-Host "Clean: $computer" -ForegroundColor Green
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--7d9e0160-8f4f-405f-801c-278dba185fd9", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--7b112455-7d99-4b76-9db9-0ec1469f8859", "created": "2025-12-30T15:18:36.144Z", "modified": "2025-12-30T15:18:36.144Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--3f852966-8828-4f34-9e03-8c5daf4319f0", "created": "2025-12-30T15:18:36.145Z", "modified": "2025-12-30T15:18:36.145Z", "name": "Threat Intelligence Report - 2025-12-30", "description": "Threat Intelligence Report - 2025-12-30\n\nThis report consolidates actionable cybersecurity intelligence from 86 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• ZDI-25-1200: (0Day) Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability (Score: 100)\n• Best of 2025: Oracle Breach: The Impact is Bigger Than You Think | Grip (Score: 100)\n• Anton’s Security Blog Quarterly Q4 2025 (Score: 100)\n• U.S. CISA adds a flaw in MongoDB Server to its Known Exploited Vulnerabilities catalog (Score: 100)\n• MongoBleed defect swirls, stamping out hope of year-end respite (Score: 100)\n\nEXTRACTED ENTITIES:\n• 29 Attack Pattern(s)\n• 1 Marking Definition(s)\n• 3 Tool(s)\n• 8 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-12-30T15:18:36.145Z", "object_refs": [ "identity--7b112455-7d99-4b76-9db9-0ec1469f8859", "vulnerability--3429ba46-9d14-4bf2-94b3-b58e4cd7a269", "vulnerability--0eeed38c-ad53-4d03-91b9-68adce80181b", "vulnerability--0939e377-efcf-44d2-ba69-a9794c7184bc", "identity--62522ca0-5df7-4a7f-b817-a969c39fad76", "vulnerability--9fbd3570-7d2f-42cc-8d4a-9d186d7f4749", "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d", "identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b", "tool--4cc7aac6-53bb-4fd2-94f9-f2d3d05ad748", "vulnerability--529a846b-9748-411d-8c11-8180c182421c", "vulnerability--f657b609-daab-4236-9b1d-24e71a267d0e", "vulnerability--993c9315-fd98-4117-b938-a977f0706975", "tool--089ccf2c-8012-4fef-be51-58d0d9b30093", "identity--b3a97109-7af0-4d53-8687-f9fbd15a98aa", "identity--84cc9f98-37d8-4790-bdcd-597ce6a2e6ac", "identity--b2a9a1d6-643a-4e4c-b7d8-1e16ef11056c", "identity--fb9c0def-15ea-4141-bcb8-aa8b6a6b268e", "tool--d8cc8106-7bc1-4398-b9d4-73a132b0ee40", "identity--4e9b4c49-e9d4-4528-94d2-741592f6960c", "identity--74882002-dc02-42bf-b7ed-70ab30033070", "identity--06b70d7b-8838-4176-9d1c-742c3c4155df", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927", "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400", "attack-pattern--d8c19aae-4529-4107-99a6-36dce8e073a4", "attack-pattern--612a21d0-9d6a-4d03-bd0e-ae31234d4cef", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--b62ebbf0-ec9b-418e-a094-2c8fdd5234b7", "attack-pattern--f4a2a757-99db-48e9-b04d-e17b178a8318", "attack-pattern--bc6ae8c8-5b72-4bf7-85f1-4477630885a4", "attack-pattern--d09d4c99-d4cc-4ae4-aad9-7e6c32bfc732", "attack-pattern--e1d88fb2-b905-48ed-a931-a5f20b548774", "attack-pattern--a9b2b3d1-728e-47be-adb2-f74a7e4c4f94", "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--13975792-7c14-4c1e-a11e-80b1ecbde971", "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--5cd42343-7b5a-4509-9e09-23572a60413a", "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "attack-pattern--d76e0650-6edf-46e7-b957-362aa1c14d07" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--7b112455-7d99-4b76-9db9-0ec1469f8859", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.140Z", "modified": "2025-12-30T15:18:36.140Z", "confidence": 88, "type": "vulnerability", "id": "vulnerability--3429ba46-9d14-4bf2-94b3-b58e4cd7a269", "name": "Known Exploited Vulnerabilities", "description": "A catalog of vulnerabilities that are known to be actively exploited.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.141Z", "modified": "2025-12-30T15:18:36.141Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--0eeed38c-ad53-4d03-91b9-68adce80181b", "name": "CVE-2025-14847", "description": "Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, Mong. CVSS Score: 7.5 (HIGH). CISA KEV: Active exploitation confirmed. EPSS: 58.3% exploitation probability", "x_cvss_score": 7.5, "x_cvss_severity": "HIGH", "x_kev_status": true, "x_epss_score": 0.58251, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-14847", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14847" }, { "source_name": "nvd", "external_id": "CVE-2025-14847", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14847" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--0939e377-efcf-44d2-ba69-a9794c7184bc", "name": "MongoBleed", "description": "An event where data is accessed without authorization.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "identity", "id": "identity--62522ca0-5df7-4a7f-b817-a969c39fad76", "name": "Non-Human Identities", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity news website", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 89, "type": "vulnerability", "id": "vulnerability--9fbd3570-7d2f-42cc-8d4a-9d186d7f4749", "name": "CVE-2025", "description": "A high-severity security flaw in MongoDB", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025" }, { "source_name": "nvd", "external_id": "CVE-2025", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 87, "type": "vulnerability", "id": "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d", "name": "SecurityWeek", "description": "A vulnerability in MongoDB", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "identity", "id": "identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b", "name": "Cybersecurity", "identity_class": "organization", "labels": [ "identity" ], "description": "Cybersecurity is a company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "tool", "id": "tool--4cc7aac6-53bb-4fd2-94f9-f2d3d05ad748", "name": "LastPass", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "A password manager", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 75, "type": "vulnerability", "id": "vulnerability--529a846b-9748-411d-8c11-8180c182421c", "name": "CVE-2025-15349", "description": "The following CVEs are assigned: CVE-2025-15349.", "x_cvss_severity": "Unknown", "x_kev_status": false, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-15349", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15349" }, { "source_name": "nvd", "external_id": "CVE-2025-15349", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15349" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--f657b609-daab-4236-9b1d-24e71a267d0e", "name": "CVE-2020-12812", "description": "An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.. CVSS Score: 9.8 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 50.3% exploitation probability", "x_cvss_score": 9.8, "x_cvss_severity": "CRITICAL", "x_kev_status": true, "x_epss_score": 0.50292, "external_references": [ { "source_name": "cve", "external_id": "CVE-2020-12812", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812" }, { "source_name": "nvd", "external_id": "CVE-2020-12812", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12812" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--993c9315-fd98-4117-b938-a977f0706975", "name": "CVE-2025-54322", "description": "Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.. CVSS Score: 10.0 (CRITICAL). EPSS: 0.3% exploitation probability", "x_cvss_score": 10.0, "x_cvss_severity": "CRITICAL", "x_kev_status": false, "x_epss_score": 0.00287, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-54322", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54322" }, { "source_name": "nvd", "external_id": "CVE-2025-54322", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54322" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.142Z", "modified": "2025-12-30T15:18:36.142Z", "confidence": 95, "type": "tool", "id": "tool--089ccf2c-8012-4fef-be51-58d0d9b30093", "name": "Anritsu ShockLine", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "A network testing tool", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 88, "type": "identity", "id": "identity--b3a97109-7af0-4d53-8687-f9fbd15a98aa", "name": "Oracle Breach", "identity_class": "unknown", "labels": [ "identity" ], "description": "A security breach in Oracle's systems", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "identity", "id": "identity--84cc9f98-37d8-4790-bdcd-597ce6a2e6ac", "name": "Security Boulevard", "identity_class": "organization", "labels": [ "identity" ], "description": "A cybersecurity-focused online publication", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "identity", "id": "identity--b2a9a1d6-643a-4e4c-b7d8-1e16ef11056c", "name": "Anton", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity professional", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "identity", "id": "identity--fb9c0def-15ea-4141-bcb8-aa8b6a6b268e", "name": "Google Cloud", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cloud computing platform", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "tool", "id": "tool--d8cc8106-7bc1-4398-b9d4-73a132b0ee40", "name": "Cloud Security Podcast", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "A cybersecurity-focused podcast", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "identity", "id": "identity--4e9b4c49-e9d4-4528-94d2-741592f6960c", "name": "Infrastructure Security Agency", "identity_class": "organization", "labels": [ "identity" ], "description": "A US government agency focused on cybersecurity", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "identity", "id": "identity--74882002-dc02-42bf-b7ed-70ab30033070", "name": "Cyberattack", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity professional", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 95, "type": "identity", "id": "identity--06b70d7b-8838-4176-9d1c-742c3c4155df", "name": "Sausalito", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity-focused online publication", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927", "name": "Create or Modify System Process", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1543", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1543/", "external_id": "T1543" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400", "name": "Boot or Logon Autostart Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/", "external_id": "T1547" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--d8c19aae-4529-4107-99a6-36dce8e073a4", "name": "ARP Cache Poisoning", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/002/", "external_id": "T1557.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--612a21d0-9d6a-4d03-bd0e-ae31234d4cef", "name": "Brute Force", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1110", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1110/", "external_id": "T1110" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--b62ebbf0-ec9b-418e-a094-2c8fdd5234b7", "name": "Clipboard Data", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1115", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1115/", "external_id": "T1115" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--f4a2a757-99db-48e9-b04d-e17b178a8318", "name": "Credentials from Web Browsers", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1555.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1555/003/", "external_id": "T1555.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--bc6ae8c8-5b72-4bf7-85f1-4477630885a4", "name": "Escape to Host", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1611", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1611/", "external_id": "T1611" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--d09d4c99-d4cc-4ae4-aad9-7e6c32bfc732", "name": "Data from Cloud Storage", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1530", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1530/", "external_id": "T1530" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--e1d88fb2-b905-48ed-a931-a5f20b548774", "name": "Cloud Storage Object Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1619", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1619/", "external_id": "T1619" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--a9b2b3d1-728e-47be-adb2-f74a7e4c4f94", "name": "Exfiltration to Cloud Storage", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "exfiltration" } ], "x_mitre_id": "T1567.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1567/002/", "external_id": "T1567.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 84, "type": "attack-pattern", "id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "name": "Browser Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/001/", "external_id": "T1176.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 77, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 74, "type": "attack-pattern", "id": "attack-pattern--13975792-7c14-4c1e-a11e-80b1ecbde971", "name": "Disable or Modify Linux Audit System", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1562.012", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1562/012/", "external_id": "T1562.012" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "name": "Search Threat Vendor Data", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_id": "T1681", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1681/", "external_id": "T1681" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "name": "Socket Filters", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1205.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1205/002/", "external_id": "T1205.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8", "name": "Boot or Logon Initialization Scripts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1037", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1037/", "external_id": "T1037" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 67, "type": "attack-pattern", "id": "attack-pattern--5cd42343-7b5a-4509-9e09-23572a60413a", "name": "Domain or Tenant Policy Modification", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1484", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1484/", "external_id": "T1484" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 67, "type": "attack-pattern", "id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "name": "Artificial Intelligence", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.007", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/007/", "external_id": "T1588.007" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-30T15:18:36.143Z", "modified": "2025-12-30T15:18:36.143Z", "confidence": 66, "type": "attack-pattern", "id": "attack-pattern--d76e0650-6edf-46e7-b957-362aa1c14d07", "name": "Lifecycle-Triggered Deletion", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_id": "T1485.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1485/001/", "external_id": "T1485.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] } ] }

Playbook for the Secure Enterprise