Upload 2298 files

.gitattributes

@@ -32,3 +32,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+alpaca_data_cleaned_archive_origin.json filter=lfs diff=lfs merge=lfs -text
+cti-ATT-CK-v13.1/enterprise-attack/enterprise-attack.json filter=lfs diff=lfs merge=lfs -text

alpaca_data_cleaned_archive.json

@@ -0,0 +1,37 @@
+[
+  {
+    "instruction": "Describe DDOS attack",
+    "input": "",
+    "output": "A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it."
+  },
+  {
+    "instruction": "What are DDOS technique?",
+    "input": "",
+    "output": "Traffic flooding: The attacker overwhelms the target with a massive volume of network traffic, consuming all available resources. \nApplication layer attacks: The attacker targets specific applications or services, attempting to exhaust their resources by exploiting vulnerabilities or by initiating resource-intensive operations. \nProtocol attacks: The attacker exploits weaknesses in network protocols, such as the TCP/IP stack, to consume server resources or disrupt communication.\nReflective/amplified attacks: The attacker uses a technique where they send requests to a large number of vulnerable systems that respond by sending a much larger response back to the target, amplifying the attack's impact."
+  },
+  {
+    "instruction": "How to avoid DDOS attack",
+    "input": "",
+    "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack."
+  },
+  {
+    "instruction": "what to do when getting ddos-ed",
+    "input": "",
+    "output": "Contact your DDoS mitigation service: If you have a DDoS mitigation service in place, immediately contact them to activate their services and inform them about the ongoing attack. They can help filter out malicious traffic and provide guidance on mitigation strategies.\nMonitor network traffic: Use network monitoring tools or services to analyze and monitor the incoming traffic. Identify the characteristics of the attack, such as the source IP addresses, traffic patterns, and attack vectors. This information can be useful for further analysis and potential legal action."
+  },
+  {
+    "instruction": "What is DDOS attack",
+    "input": "",
+    "output": "is a malicious with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it."
+  },
+  {
+    "instruction": "Which are DDOS technique?",
+    "input": "Traffic flooding, Scanning, Viewing",
+    "output": "Traffic flooding"
+  },
+  {
+    "instruction": "Avoid DDOS attack",
+    "input": "",
+    "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack."
+  }
+]

alpaca_data_cleaned_archive_origin.json

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:00c26b8da597c1aaa5a0bac023bdb8f26bbaa37a9ead7837df4aa7e51ad57459
+size 23573609

cti-ATT-CK-v13.1/.gitignore

@@ -0,0 +1,6 @@
+hashes.json
+*.pyc
+.DS_Store
+.idea
+.vscode
+venv

cti-ATT-CK-v13.1/CHANGELOG.md

@@ -0,0 +1,102 @@
+
+# Changes to the ATT&CK/STIX Data Model
+
+## 25 April 2023 - ATT&CK Spec v3.1.0
+
+Changes to ATT&CK in STIX for April 2023 ATT&CK Content Release (ATT&CK v13.0)
+
+* Restored the `labels` property for ICS mitigation objects. This property documents security controls for ICS mitigations.
+
+## 25 October 2022 - ATT&CK Spec v3.0.0
+
+Changes to ATT&CK in STIX for October 2022 ATT&CK Content Release (ATT&CK-v12.0)
+
+* Added Campaign objects. For detailed information about the representation of Campaigns in ATT&CK/STIX, please see the campaign section of the [USAGE document](https://github.com/mitre/cti/blob/master/USAGE.md).
+
+## 25 April 2022 (ATT&CK v11) release
+
+NOTE: Changes to ATT&CK for the April 2022 (ATT&CK v11) release were initially omitted from this change log.
+
+As of the v11 content release, the following fields that previously were only available in the STIX 2.1 bundles are also available in STIX 2.0.
+
+* `x_mitre_modified_by_ref`: has been added to all object types. Defined in spec 2.0.0 below.
+* `x_mitre_domains`: has been added to all non-relationship objects. Defined in spec 2.0.0 below.
+* `x_mitre_attack_spec_version`: has been added to all object types. Defined in spec 2.1.0 below.
+
+## 21 October 2021 - ATT&CK Spec v2.1.0
+Changes to ATT&CK in STIX for October 2021 ATT&CK Content Release (ATT&CK-v10.0)
+
+| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
+|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
+| Added full objects for data sources and data components. See [the data sources section of the USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md#data-sources-and-data-components) for more information about data sources, data components, and their relationships with techniques. | :white_check_mark: | :white_check_mark: |
+| Added `x_mitre_attack_spec_version` field to all object types. This field tracks the version of the ATT&CK Spec used by the object. Consuming software can use this field to determine if the data format is supported; if the field is absent the object will be assumed to use ATT&CK Spec version `2.0.0`. | :x: | :white_check_mark: |
+
+## 21 June 2021 - ATT&CK Spec v2.0.0
+Release of ATT&CK in STIX 2.1.
+
+The contents of this repository is not affected, but you can find ATT&CK in STIX 2.1 (ATT&CK spec v2.0.0+) on our new [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. 
+
+| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
+|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
+| Added `x_mitre_modified_by_ref` field to all object types. This field tracks the identity of the individual or organization which created the current _version_ of the object. | :x: | :white_check_mark: | 
+| Added `x_mitre_domains` field to all non-relationship objects. This field tracks the domains the object is found in. | :x: | :white_check_mark: |
+| Added [collection](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) objects to track information about specific releases of the dataset and to allow the dataset to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
+| Added a [collection index](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) to list the contents of this repository and to allow the data to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
+
+## 29 April 2021
+Changes to ATT&CK in STIX for April 2021 ATT&CK Content Release (ATT&CK-v9.0)
+
+1. Replaced `GCP`, `AWS` and `Azure` platforms under the enterprise domain with `IaaS` (Infrastructure as a Service).
+2. Added `Containers` and `Google Workspace` to the platforms of the enterprise domain.
+3. Revised the data sources of the enterprise domain. Data sources are still represented as a string array, but the elements within that array are now formatted `"data source: data component"` to reflect the new data source representation. More information on the new data sources can be found on our [attack-datasources](https://github.com/mitre-attack/attack-datasources) GitHub repository. Note that the data sources in the ICS domain was not affected by this change.
+
+With the release of ATT&CK version 9 we are also hosting an excel representation of the knowledge base on our website. You can find that representation and more about ATT&CK tools on the updated [Working with ATT&CK](https://attack.mitre.org/resources/working-with-attack/) page.
+
+## 27 October 2020
+Changes to ATT&CK in STIX for October 2020 ATT&CK Content Release (ATT&CK-v8.0)
+
+1. Added new platforms under the enterprise domain: `Network` and `PRE`.
+2. Deprecated the pre-ATT&CK domain. Pre-ATT&CK has been migrated to two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new [PRE matrix](https://attack.mitre.org/matrices/enterprise/PRE/) for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
+3. Added the [ATT&CK for ICS domain](ics-attack).
+
+## 8 July 2020 - ATT&CK Spec v1.3.0
+Changes to ATT&CK in STIX for July 2020 ATT&CK Content Release (ATT&CK-v7.0)
+
+1. Added sub-techniques:
+    - A sub-technique is an attack-pattern where `x_mitre_is_subtechnique` is `true`. 
+    - Relationships of type `subtechnique-of` between sub-techniques and techniques convey their hierarchy.
+
+   For more information about the representation of sub-techniques in STIX, please see [the sub-techniques section of the USAGE document](USAGE.md#sub-techniques). 
+2. Revised the representation of deprecated objects. The first paragraph of deprecated objects' descriptions should in most cases convey the reason the object was deprecated.
+
+We've also rewritten the [USAGE](USAGE.md) document with additional information about the ATT&CK data model and more examples of how to access and use ATT&CK in Python.
+
+## 24 October 2019
+Changes to ATT&CK in STIX for October 2019 ATT&CK Content Release (ATT&CK-v6.0)
+1. Added cloud platforms under the enterprise domain: `AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, and `SaaS`.
+
+## 31 July 2019
+Changes to ATT&CK in STIX for July 2019 ATT&CK Content Release (ATT&CK-v5.0)
+1. Descriptions added to relationships of type `mitigates` under the enterprise domain 
+
+## 30 April 2019 - ATT&CK Spec v1.2.0
+Changes to ATT&CK in STIX for April 2019 ATT&CK Content Release (ATT&CK-v4.0)
+1. `x_mitre_impact_type` added for enterprise techniques within the `Impact` tactic
+2. Descriptions added to relationships between software/groups
+
+## 23 October 2018 - ATT&CK Spec v1.1.0
+Changes to ATT&CK in STIX for October 2018 ATT&CK Content Release (ATT&CK-v3.0)
+
+1. `x_mitre_platforms` added for enterprise malware/tools
+2. `x_mitre_detection` added to attack-patterns
+3. Custom MITRE attributes removed from descriptions in attack-patterns
+4. Alias descriptions added for malware/tools/intrusion-sets as external references
+5. Descriptions added to relationships between groups/attack-patterns in PRE-ATT&CK
+6. Names of ATT&CK objects replaced in descriptions and x_mitre_detection fields with markdown links
+7. `CAPEC ids` added to external references for attack-patterns
+8. Citations in alias descriptions added as external references in the object containing the alias description
+9. Added `x-mitre-tactic` and `x-mitre-matrix` objects
+10. Changed ===Windows=== subheadings to ### Windows subheadings (Windows is just one example)
+11. Added space between asterisks (ex. *Content to * Content) to populate markdown correctly
+12. Changed "true" to True in `x_mitre_deprecated`
+13. Added old ATT&CK IDs to Mobile/PRE-ATT&CK objects whose IDs have changed as `x-mitre-old-attack-id`

cti-ATT-CK-v13.1/LICENSE.txt

@@ -0,0 +1,38 @@
+ATT&CK®
+===========================
+License
+-------
+The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, 
+development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce 
+MITRE's copyright designation and this license in any such copy.
+
+"© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
+
+Disclaimers
+-----------
+MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part 
+of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or 
+cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques 
+or variations on existing techniques not documented by ATT&CK.
+
+ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE 
+ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, 
+AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE 
+USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS 
+FOR A PARTICULAR PURPOSE.
+
+CAPEC™
+===========================
+License
+-------
+The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Common Attack Pattern 
+Enumeration and Classification (CAPEC™) for research, development, and commercial purposes. Any copy you make for 
+such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy.
+
+Disclaimers
+-----------
+ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE 
+ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, 
+AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE 
+USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS 
+FOR A PARTICULAR PURPOSE.

cti-ATT-CK-v13.1/README.md

@@ -0,0 +1,32 @@
+# CTI
+
+This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0. See [USAGE](USAGE.md) or [USAGE-CAPEC](USAGE-CAPEC.md) for information on using this content with [python-stix2](https://github.com/oasis-open/cti-python-stix2).
+
+If you are looking for ATT&CK represented in STIX 2.1, please see the [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. Please see the [attack-stix-data USAGE document](https://github.com/mitre-attack/attack-stix-data) for more information on the improved data model of that repository.
+
+## ATT&CK
+
+MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
+
+<https://attack.mitre.org>
+
+## CAPEC
+
+Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
+
+- Focuses on application security
+- Enumerates exploits against vulnerable systems
+- Includes social engineering / supply chain
+- Associated with Common Weakness Enumeration (CWE)
+
+<https://capec.mitre.org/>
+
+## STIX
+
+Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
+
+STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
+
+STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
+
+<https://oasis-open.github.io/cti-documentation/>

cti-ATT-CK-v13.1/USAGE-CAPEC.md

@@ -0,0 +1,136 @@
+# Introduction
+This document describes how to query and manipulate CAPEC data in this repository. Machine-readable CAPEC data is available in
+a JSON-based [STIX 2.0 and STIX 2.1 formats](https://oasis-open.github.io/cti-documentation/stix/intro). See [Release Notes](#release-notes) for any changes to the generation of the STIX CAPEC data.
+
+STIX 2.x is just JSON and so should be very accessible from Python and other programming languages. If you are using Python, the [python-stix2](https://github.com/oasis-open/cti-python-stix2) library can help you work with the content as shown in the examples below.
+
+# Mapping Concepts
+First, we must describe how CAPEC objects and properties map to STIX 2.x objects and properties.
+
+## Objects
+In CAPEC, the main object is the Attack Pattern. Most Attack Pattern also have Mitigations. There are other types of objects in CAPEC (e.g, Category, View, etc.), but these are not (currently) part of the repository.  
+
+The STIX types are found as literal strings assigned to the `type` property of the STIX JSON object. The STIX 2.x object called "Attack Pattern" corresponds to a CAPEC attack pattern. In STIX 2.x, there are objects called "Course(s) of Action" which can be used to describe CAPEC Mitigations.  
+
+## Properties
+The following is a table mapping of CAPEC properties to STIX properties. Some of these properties are standard STIX properties, while others were custom-created for compatibility with CAPEC. These properties are accessed from STIX objects as JSON properties.
+
+### Attack Pattern Properties
+| CAPEC 3.6 Property | STIX Properties | STIX type |
+| --------------- |  --------------- | --------------- |
+**Name** |  `name` | string |
+**Description** |  `description` | string
+**Extended_Definition** | `x_capec_extended_definition` | string
+**Abstraction** | `x_capec_abstraction` | enumeration(`Meta, Standard, Detailed`)
+**Alternate\_Terms** |  `x_capec_alternate_terms` | list(string)
+**Consequences** |  `x_capec_consequences` | dictionary(enumeration(`High, Medium, Low`), string)
+**Example\_Instances** | `x_capec_example_instances` | list(string)
+**Execution\_Flows** | `x_capec_execution_flows` | (XHTML) string
+**Likelihood\_Of\_Attack** | `x_capec_likelihood_of_attack` | enumeration(`High, Medium, Low`)
+**Notes** | **Other\_Notes** | `x_capec_notes` | list(string)
+**Prerequisites** | `x_capec_prerequisites` | list(string)
+**Skills\_Required** | `x_capec_skills_required` | dictionary(string, enumeration(`High, Medium, Low`))
+**Typical\_Severity** |  `x_capec_typical_severity` | enumeration(`High, Medium, Low`)
+**ID** |  `external_references[i].external_id where external_references[i].source_name == "capec"` | integer 
+**Related\_Weaknesses** |  `external_references[i].external_id where external_references[i].source_name == "cwe"` | integer 
+**References** | `external_references[i].external_id where external_references[i].source_name == "reference_from_CAPEC"` | `external-reference`
+**Mitigation** | `relationship_type == "mitigates"` | `relationship`
+
+### Attack Pattern Relationships
+| CAPEC 3.6 Relationship | STIX Properties | STIX type |
+| --------------- |  --------------- | --------------- |
+**parent_of** | `x_capec_parent_of_refs` | list(identifier)
+**child_of** | `x_capec_child_of_refs` | list(identifier)
+**can_precede** | `x_capec_can_precede_refs` | list(identifier)
+**can_follow** | `x_capec_can_follow_refs` | list(identifier)
+**peer_of** | `x_capec_peer_of_refs` | list(identifier)
+
+CAPEC 3.6 properties not mapped (at this time):  **Indicators**, **Taxonomy\_Mappings**, **Content\_History**
+
+CAPEC 3.6 properties not appropriate to map: **Status**
+
+# Using Python and STIX 2.x
+In this section, we will describe how to query and manipulate CAPEC data that has been stored in a STIX 2.x repository. A Python library has been created for using and creating STIX 2.x data by the OASIS Technical Committee for Cyber Threat Intelligence, which develops the STIX standard. This library abstracts storage and transport details so that the same code can be used to interact with data locally on the filesystem or in memory, or remotely via [TAXII](https://oasis-open.github.io/cti-documentation/taxii/intro). The source code, installation instructions, and basic documentation for the library can be found [here](https://github.com/oasis-open/cti-python-stix2). There is a more thorough [API documentation](http://stix2.readthedocs.io/en/latest/overview.html) as well.
+
+## Python Library
+To begin querying STIX 2.x data, you must first have a [DataSource](http://stix2.readthedocs.io/en/latest/guide/datastore.html). For these examples, we will simply use a [FileSystemSource](http://stix2.readthedocs.io/en/latest/guide/filesystem.html). The CAPEC corpus must first be cloned or downloaded from [GitHub](https://github.com/mitre/cti).
+
+### Get all Attack Patterns
+Once the stix2 Python library is installed and the corpus is acquired, we need to open the DataStore for querying:
+
+```python
+from stix2 import FileSystemSource
+fs = FileSystemSource('./cti/capec')
+```
+
+When creating the DataSource, the keyword agrument `allow_custom` must be set to `True`. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.x specification (`x_capec_prerequisites`, `x_capec_example_instances`, etc).
+
+To perform a query, we must define a [Filter](http://stix2.readthedocs.io/en/latest/guide/datastore.html#Filters). As of this writing, a filter must, at a minimum, specify object `id`'s or an object `type`.  The following filter can be used to retrieve all CAPEC attack patterns:
+
+```python
+from stix2 import Filter
+filt = Filter('type', '=', 'attack-pattern')
+```
+
+Once this filter is defined, you can pass it to the DataSource `query` function in order to actually query the data:
+
+```python
+attack_patterns = fs.query([filt])
+```
+
+Notice that the `query` function takes a **list** of filters.  These filters are logically AND'd together during the query. As of this writing, `allow_custom` must be set to `True` in order to query CAPEC data. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.0 specification (`x_capec_prerequisites`, `x_capec_example_instances`, etc).
+
+**For the remaining examples, these imports and the FileSystemStore initialization will be omitted.**
+
+
+### Get any object by CAPEC ID
+In this example, the STIX 2.x type must be passed into the function. Here we query for the attack pattern with ID `66` (*SQL Injection*).
+
+```python
+def get_attack_pattern_by_capec_id(src, capec_id):
+    filt = [
+        Filter('type', '=', 'attack-pattern'),
+        Filter('external_references.external_id', '=', 'CAPEC-' + capec_id),
+        Filter('external_references.source_name', '=', 'capec'),
+    ]
+    return src.query(filt)
+
+get_attack_pattern_by_capec_id(fs, '66')
+```
+
+### Get all Mitigations for specific Attack Pattern
+The mitigations for a technique are stored in objects separate from the technique. These objects are found through a `mitigates` relationship.
+
+```python
+def get_mitigations_by_attack_pattern(src, ap_stix_id):
+    relations = src.relationships(ap_stix_id, 'mitigates', target_only=True)
+    return src.query([
+        Filter('type', '=', 'course-of-action'),
+        Filter('id', 'in', [r.source_ref for r in relations])])
+
+ap = get_attack_pattern_by_capec_id(fs, '66')[0]
+get_mitigations_by_attack_pattern(fs, ap.id)
+```
+
+### Release Notes
+
+The STIX CAPEC data is generated by a python script named `capec2stix`.  In this section the changes to the script for each new CAPEC release is listed.
+
+## Release for CAPEC 3.6
+
+* Added the `x_capec_extended_definition` property
+
+## Release for CAPEC 3.5 
+
+* Added functionality to infer CAPEC ParentOf and CanFollow relationships:
+  - CAPEC does not explicitly state these relationships, so they needed to be inferred by looking at the children's "ChildOf" relationship and the can follows' "CanPrecede" relationship and work backwards
+  - A global map of CAPEC ids to STIX ids was created by iterating through all CAPEC objects and creating STIX ids
+  - Global maps of CAPEC ids to list of children CAPEC ids and list of CAPEC ids that can follow was created by iterating through all CAPEC objects
+  - When creating STIX Attack Pattern objects, the child and can follow maps are used to find the relationships that are not explicitly stated in the CAPEC object and the STIX id map is used to get the STIX ID for the related CAPECs
+* Added the following properties to the Attack Pattern STIX object:
+  - `x_capec_child_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a child of
+  - `x_capec_parent_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a parent of
+  - `x_capec_can_precede_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object can precede
+  - `x_capec_can_follow_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object can follow
+  - `x_capec_peer_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a peer of
+* Added "allow_custom=True" as a flag when creating STIX bundles to satisfy the requirements for the new STIX release

cti-ATT-CK-v13.1/USAGE.md

@@ -0,0 +1,1182 @@
+# Introduction
+
+This document describes how to query and manipulate ATT&CK data from either this repository or the ATT&CK TAXII server, as well as the formatting of the data itself.
+
+The programmatic uses of ATT&CK demonstrated in this document utilize the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. See also the section on [Requirements and imports](#requirements-and-imports).
+
+This document describes how ATT&CK implements and extends the STIX format. To find out more about STIX, please see [the STIX 2.0 website](https://oasis-open.github.io/cti-documentation/stix/intro).
+
+We also recommend reading the [ATT&CK Design and Philosophy Paper](https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf), which describes high-level overall approach, intention, and usage of ATT&CK.
+
+If you are looking for ATT&CK data represented in STIX 2.1, please see our [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. The accompanying [USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md) includes more information on the improved data model of that repository.
+
+## Table of Contents
+
+- [Introduction](#introduction)
+  - [Table of Contents](#table-of-contents)
+  - [The ATT&CK data model](#the-attck-data-model)
+    - [Extensions of the STIX spec](#extensions-of-the-stix-spec)
+    - [IDs in ATT&CK](#ids-in-attck)
+      - [ATT&CK IDs](#attck-ids)
+      - [STIX IDs](#stix-ids)
+      - [Other IDs](#other-ids)
+    - [ATT&CK Types](#attck-types)
+      - [Matrices](#matrices)
+        - [Mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques)
+      - [Tactics](#tactics)
+      - [Techniques](#techniques)
+        - [Sub-Techniques](#sub-techniques)
+      - [Procedures](#procedures)
+      - [Mitigations](#mitigations)
+        - [Collisions with technique ATT&CK IDs](#collisions-with-technique-attck-ids)
+      - [Groups](#groups)
+      - [Software](#software)
+      - [Data Sources and Data Components](#data-sources-and-data-components)
+        - [Data Sources](#data-sources)
+        - [Data Components](#data-components)
+      - [Campaigns](#campaigns)
+      - [Relationships](#relationships)
+  - [Accessing ATT&CK data in python](#accessing-attck-data-in-python)
+    - [Requirements and imports](#requirements-and-imports)
+      - [stix2](#stix2)
+      - [taxii2client](#taxii2client)
+    - [Access local content](#access-local-content)
+      - [Access via FileSystemSource](#access-via-filesystemsource)
+      - [Access via bundle](#access-via-bundle)
+    - [Access live content](#access-live-content)
+      - [Access from the ATT&CK TAXII server](#access-from-the-attck-taxii-server)
+      - [Access from Github via requests](#access-from-github-via-requests)
+    - [Access a specific version of ATT&CK](#access-a-specific-version-of-attck)
+    - [Access multiple domains simultaneously](#access-multiple-domains-simultaneously)
+  - [Python recipes](#python-recipes)
+    - [Getting an object](#getting-an-object)
+      - [By STIX ID](#by-stix-id)
+      - [By ATT&CK ID](#by-attck-id)
+      - [By name](#by-name)
+      - [By alias](#by-alias)
+    - [Getting multiple objects](#getting-multiple-objects)
+      - [Objects by type](#objects-by-type)
+        - [Getting techniques or sub-techniques](#getting-techniques-or-sub-techniques)
+        - [Getting software](#getting-software)
+      - [Objects by content](#objects-by-content)
+      - [Techniques by platform](#techniques-by-platform)
+      - [Techniques by tactic](#techniques-by-tactic)
+      - [Tactics by matrix](#tactics-by-matrix)
+      - [Objects created or modified since a given date](#objects-created-or-modified-since-a-given-date)
+    - [Getting related objects](#getting-related-objects)
+      - [Relationships microlibrary](#relationships-microlibrary)
+      - [Getting techniques used by a group's software](#getting-techniques-used-by-a-groups-software)
+    - [Working with deprecated and revoked objects](#working-with-deprecated-and-revoked-objects)
+      - [Removing revoked and deprecated objects](#removing-revoked-and-deprecated-objects)
+      - [Getting a revoking object](#getting-a-revoking-object)
+
+## The ATT&CK data model
+
+The data in this repository is STIX 2.0 and divided into folders, one for each domain of ATT&CK. These domains generally follow the same format with a few departures. Domain differences will be noted in the relevant sections of this document.
+
+ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK concepts. The following table is a mapping of ATT&CK concepts to STIX 2.0 objects:
+
+| ATT&CK concept | STIX object type | Custom type? |
+|:------------|:----------|:---|
+| [Matrix](#matrices)              | `x-mitre-matrix` | yes |
+| [Tactic](#tactics)               | `x-mitre-tactic` | yes |
+| [Technique](#techniques)         | [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) | no |
+| [Sub-technique](#sub-techniques) | [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) where `x_mitre_is_subtechnique = true` | no |
+| [Procedure](#procedures)         | [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) where `relationship_type = "uses"` and `target_ref` is an `attack-pattern` | no |
+| [Mitigation](#mitigations)       | [course-of-action](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230929) | no |
+| [Group](#groups)                 | [intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941)  | no |
+| [Software](#software)            | [malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) or [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961) | no |
+| [Data Source](#data-source)      | `x-mitre-data-source` | yes |
+| [Campaign](#campaigns) | [campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925) | no |
+
+Two additional object types are found in the ATT&CK catalog:
+
+| STIX object type | About |
+|:-----------------|:------|
+| [identity](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230933)       | Referenced in the `created_by_ref` of all objects to state that the MITRE Corporation created the object |
+| [marking-definition](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part1-stix-core/stix-v2.0-csprd01-part1-stix-core.html#_Toc476227338) | Referenced in the `object_marking_refs` of all objects to express the MITRE Corporation copyright |
+
+### Extensions of the STIX spec
+
+There are three general ways that ATT&CK extends the STIX 2.0 format:
+
+- Custom object types. Object types prefixed with `x-mitre-`, e.g `x-mitre-matrix`, are custom STIX types extending the STIX 2.0 spec. They follow the general [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920) but describe concepts not covered by types defined in STIX 2.0.
+
+- Extensions of existing object types. Fields extending the STIX 2.0 spec are prefixed with `x_mitre_`, e.g `x_mitre_platforms` in `attack-patterns`.
+
+    All objects except relationships can have the following extended properties applied:
+
+    | Field | Type | Description |
+    |:------|:-----|:------------|
+    | `x_mitre_version` | string | The version of the object in format `major.minor` where `major` and `minor` are integers. ATT&CK increments this version number when the object content is updated. |
+    | `x_mitre_contributors` | string[] | People and organizations who have contributed to the object. |
+    | `x_mitre_deprecated` | boolean | See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects). |
+
+- New relationship types. Unlike custom object types and extended fields, custom relationship types are **not** prefixed with `x_mitre_`. You can find a full list of relationship types in the [Relationships](#Relationships) section, which also mentions whether the type is a default STIX type.
+
+Please see also the STIX documentation on [customizing STIX](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part1-stix-core/stix-v2.0-csprd01-part1-stix-core.html#_Toc476227365).
+
+### IDs in ATT&CK
+
+Objects in ATT&CK may have several different kinds of IDs.
+
+#### ATT&CK IDs
+
+The most commonly used ID format is what is referred to as the ATT&CK ID or simply ID. Each different type of ATT&CK object has its own variation upon the ATT&CK ID format:
+
+| ATT&CK concept | ID format |
+|:------------|:----------|
+| [Matrix](#matrices)              | `MAxxxx` |
+| [Tactic](#tactics)               | `TAxxxx` |
+| [Technique](#techniques)         | `Txxxx` |
+| [Sub-Technique](#sub-techniques) | `Txxxx.yyy` |
+| [Mitigation](#mitigations)       | `Mxxxx` |
+| [Group](#groups)                 | `Gxxxx`  |
+| [Software](#software)            | `Sxxxx` |
+| [Data Source](#data-source)      | `DSxxxx` |
+| [Campaign](#campaigns)           | `Cxxxx` |
+
+ATT&CK IDs are typically, but not always, unique. See [Collisions with Technique ATT&CK IDs](#collisions-with-technique-attck-ids) for an edge case involving ID collisions between mitigations and techniques.
+
+ATT&CK IDs can be found in the first external reference of all objects except for relationships (which don't have ATT&CK IDs). The first external reference also includes a `url` field linking to the page describing that object on the [ATT&CK Website](https://attack.mitre.org/).
+
+#### STIX IDs
+
+In addition to ATT&CK IDs, all objects in ATT&CK (including relationships) have STIX IDs in the `id` field of the object. Unlike ATT&CK IDs, STIX IDs are guaranteed to be unique. STIX IDs are therefore the best way to retrieve and refer to objects programmatically.
+
+#### Other IDs
+
+Several other IDs can be found in the external references of an object:
+
+1. NIST Mobile Threat Catalogue IDs can be found for some techniques in the Mobile domain where the external reference `source_name` is `"NIST Mobile Threat Catalogue"`
+2. CAPEC IDs can be found for some techniques in the Enterprise domain where the external reference `source_name` is `"capec"`
+
+### ATT&CK Types
+
+#### Matrices
+
+The overall layout of the ATT&CK Matrices is stored in `x-mitre-matrix` objects. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).
+
+Matrices extend the generic SDO format with the following field:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `tactic_refs` | string[] | The `tactic_refs` array of the matrix contains an ordered list of `x-mitre-tactic` STIX IDs corresponding to the tactics of the matrix. The order of `tactic_refs` determines the order the tactics should appear within the matrix. |
+
+##### Mapping matrices, tactics and techniques
+
+Techniques map into tactics by use of their `kill_chain_phases` property. Where the `kill_chain_name` is `mitre-attack`, `mitre-mobile-attack`, or `mitre-ics-attack` (for enterprise, mobile, and ics domains respectively), the `phase_name` corresponds to the `x_mitre_shortname` property of an `x-mitre-tactic` object. Matrices define their tactics in order using the `tactic_refs` embedded relationships.
+
+<img src="https://raw.githubusercontent.com/mitre-attack/attack-website/master/modules/resources/docs/visualizations/data-model/stix-tactics-techniques.png" alt="matrix, tactic and technique data model" width="750px">
+
+#### Tactics
+
+A Tactic in ATT&CK is defined by an `x-mitre-tactic` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).
+
+Tactics extend the generic SDO format with the following field:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `x_mitre_shortname` | string | The `x_mitre_shortname` of the tactic is used for mapping techniques into the tactic. It corresponds to `kill_chain_phases.phase_name` of the techniques in the tactic. See [mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques) for more information. |
+
+#### Techniques
+
+A Technique in ATT&CK is defined as an [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) object.
+
+Techniques depart from the attack-pattern format with the following fields. Domain and tactic specific fields are marked in the "applies to" column:
+
+| Field | Type | Applies to | Description |
+|:------|:-----|:--------|:------------|
+| `x_mitre_detection` | string | All techniques | Strategies for identifying if a technique has been used by an adversary. |
+| `x_mitre_platforms` | string[] | All techniques | List of platforms that apply to the technique. |
+| `x_mitre_data_sources` | string[] | Enterprise* & ICS domains | Sources of information that may be used to identify the action or result of the action being performed. |
+| `x_mitre_is_subtechnique` | boolean | Enterprise domain | If true, this `attack-pattern` is a sub-technique. See [sub-techniques](#sub-techniques). |
+| `x_mitre_system_requirements` | string[] | Enterprise domain | Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work. |
+| `x_mitre_tactic_type` | string[] | Mobile domain |  "Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access". |
+| `x_mitre_permissions_required` | string[] | Enterprise domain in the _Privilege Escalation_ tactic | The lowest level of permissions the adversary is required to be operating within to perform the technique on a system. |
+| `x_mitre_effective_permissions` | string[] | Enterprise domain in the _Privilege Escalation_ tactic | The level of permissions the adversary will attain by performing the technique. |
+| `x_mitre_defense_bypassed` | string[] | Enterprise domain in the _Defense Evasion_ tactic | List of defensive tools, methodologies, or processes the technique can bypass. |
+| `x_mitre_remote_support` | boolean | Enterprise domain in the _Execution_ tactic | If true, the technique can be used to execute something on a remote system. |
+| `x_mitre_impact_type` | string[] | Enterprise domain in the _Impact_ tactic | Denotes if the technique can be used for integrity or availability attacks. |
+
+\* In the Enterprise domain data sources are represented via [x-mitre-data-source](#data-sources) and [x-mitre-data-component](#data-components) objects, and their relationship with techniques through relationships of type `detects`. The `x_mitre_data_sources` field will still be maintained on enterprise techniques for backwards-compatibility purposes but we advise against its use as it does not include the full context of the data model.
+
+See [mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques) for more information about how techniques map into tactics and matrices.
+
+##### Sub-Techniques
+
+A sub-technique in ATT&CK is represented as an `attack-pattern` and follows the same format as [techniques](#techniques). They differ in that they have a boolean field (`x_mitre_is_subtechnique`) marking them as sub-techniques, and a relationship of the type `subtechnique-of` where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. A sub-technique can only have 1 parent technique, but techniques can have multiple sub-techniques.
+
+Additionally:
+
+- Sub-technique ATT&CK IDs are a suffix of their parent IDs. For a given sub-technique ID `Txxxx.yyy`, `Txxxx` is the parent technique ID and `yyy` is the sub-technique ID. Sub-techniques have unique STIX IDs.
+- Sub-techniques have the same tactics as their parent technique.
+- Sub-techniques have a subset of their parent technique's platforms.
+
+Sub-techniques only exist in the enterprise domain.
+
+#### Procedures
+
+ATT&CK does not represent procedures under their own STIX type. Instead, procedures are represented as relationships of type `uses` where the `target_ref` is a technique. This means that procedures can stem from usage by both groups (`intrusion-set`s) and software (`malware` or `tool`s). The content of the procedure is described in the relationship description.
+
+#### Mitigations
+
+A Mitigation in ATT&CK is defined as a [course-of-action](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230929) object. ATT&CK Mitigations do not depart from the STIX `course-of-action` spec.
+
+##### Collisions with technique ATT&CK IDs
+
+In ATT&CK versions prior to v5 (released in July of 2019), mitigations had 1:1 relationships with techniques and shared their technique's ID. These old 1:1 mitigations are deprecated in subsequent ATT&CK releases, and can be filtered out in queries  — see [Removing revoked and deprecated objects](#Removing-revoked-and-deprecated-objects).
+
+#### Groups
+
+A Group in ATT&CK is defined as an [intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941) object. ATT&CK Groups do not depart from the STIX `intrusion-set` format.
+
+#### Software
+
+Software in ATT&CK is the union of two distinct STIX types: [malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) and [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961).
+
+Both `malware` and `tool` type software depart from the STIX format with the following fields:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `x_mitre_platforms` | string[] | List of platforms that apply to the software. |
+| `x_mitre_aliases` | string[] | List of aliases for the given software. |
+
+#### Data Sources and Data Components
+
+Data Sources and Data Components represent data which can be used to detect techniques. Data components are nested within a data source but have their own STIX object.
+
+- A Data Component can only have one parent Data Source.
+- A Data Source can have any number of Data Components.
+- Data Components can map to any number of techniques.
+
+The general structure of data sources and data components is as follows:
+
+<!-- diagram generated with https://asciiflow.com/ -->
+```sh
+           "detects"       x_mitre_data_source_ref
+          relationship      embedded relationship
+               │                      │
+┌───────────┐  ▼  ┌────────────────┐  │  ┌───────────┐
+│Technique 1│◄────┤                │  │  │           │
+└───────────┘     │                │  ▼  │           │
+                  │Data Component 1├────►│           │
+┌───────────┐     │                │     │           │
+│Technique 2│◄────┤                │     │Data Source│
+└───────────┘     └────────────────┘     │           │
+                                         │           │
+┌───────────┐     ┌────────────────┐     │           │
+│Technique 3│◄────┤Data Component 2├────►│           │
+└───────────┘     └────────────────┘     └───────────┘
+```
+
+Prior to ATT&CK v10 data sources were stored in a `x_mitre_data_sources` field on techniques. This representation is still available for backwards-compatibility purposes, and does properly reflect the current set of data sources. However, because information is lost in that representation we advise against using it except in legacy applications. The ATT&CK for ICS domain still uses only the `x_mitre_data_sources` field.
+
+##### Data Sources
+
+A Data Source in ATT&CK is defined by an `x-mitre-data-source` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).
+
+Data Sources extend the generic SDO format with the following fields:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `x_mitre_platforms` | string[] | List of platforms that apply to the data source. |
+| `x_mitre_collection_layers` | string[] | List of places the data can be collected from. |
+
+##### Data Components
+
+A Data Component in ATT&CK is represented as an `x-mitre-data-component` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).
+
+Data Components extend the generic SDO format with the following field:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `x_mitre_data_source_ref` | embedded relationship (string) | STIX ID of the data source this component is a part of. |
+
+#### Campaigns
+
+A Campaign in ATT&CK is defined as a [campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925) object.
+
+Campaigns extend the generic SDO format with the following fields:
+
+| Field | Type | Description |
+|:------|:-----|-------------|
+| `x_mitre_first_seen_citation` | string | One to many citations for when the Campaign was first reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references. |
+| `x_mitre_last_seen_citation` | string | One to many citations for when the Campaign was last reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references.
+
+#### Relationships
+
+Objects in ATT&CK are related to each other via STIX [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) objects. These relationships convey concepts like groups using techniques (also called "procedure examples" on the technique pages), the hierarchy of techniques and sub-techniques, and so on.
+
+<img src="https://raw.githubusercontent.com/mitre-attack/attack-website/master/modules/resources/docs/visualizations/data-model/stix-relationships.png" alt="relationships data model" width="750px">
+
+Unlike other objects in the dataset, relationships cannot be revoked or deprecated. Relationships are considered deprecated/revoked if one of the objects it is attached to is revoked or deprecated. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects.
+
+Relationships oftentimes have descriptions which contextualize the relationship between the objects.
+
+| Source Type | Relationship Type | Target Type | Custom Type? | About |
+|:------------|:------------------|:------------|:----|:------|
+| `intrusion-set` | `uses`        | `malware` or `tool` | No | Group using a software. |
+| `intrusion-set` | `uses`        | `attack-pattern`    | No | Group using a technique, which is also considered a procedure example. |
+| `malware` or `tool` | `uses`    | `attack-pattern`    | No | Software using a technique, which is also considered a procedure example. |
+| `campaign` | `uses` | `malware` or `tool` | No | Campaign using a software. |
+| `campaign` | `uses` | `attack-pattern` | No | Campaign using a technique, which is also considered a procedure example. |
+| `campaign` | `attributed-to` | `intrusion-set` | No | Campaign attributed to a group. |
+| `course-of-action`  | `mitigates` | `attack-pattern`  | No | Mitigation mitigating a technique. |
+| `attack-pattern`    | `subtechnique-of` | `attack-pattern` | Yes | Sub-technique of a technique, where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. |
+| `x-mitre-data-component` | `detects` | `attack-pattern` | Yes | Data component detecting a technique. |
+| any type    | `revoked-by`      | any type | Yes | The target object is a replacement for the source object. Only occurs where the objects are of the same type, and the source object will have the property `revoked = true`. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects. |
+
+Note that because groups use software and software uses techniques, groups can be considered indirect users of techniques used by their software. See [Getting techniques used by a group's software](#Getting-techniques-used-by-a-groups-software).
+
+## Accessing ATT&CK data in python
+
+There are several ways to acquire the ATT&CK data in Python. All of them will provide an object
+implementing the DataStore API and can be used interchangeably with the recipes provided in the [Python recipes](#Python-Recipes) section.
+
+This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically.
+
+### Requirements and imports
+
+Before installing requirements, we recommend setting up a virtual environment:
+
+1. Create virtual environment:
+    - macOS and Linux: `python3 -m venv env`
+    - Windows: `py -m venv env`
+2. Activate the virtual environment:
+    - macOS and Linux: `source env/bin/activate`
+    - Windows: `env/Scripts/activate.bat`
+
+#### stix2
+
+[stix2 can be installed by following the instructions on their repository](https://github.com/oasis-open/cti-python-stix2#installation). Imports for the recipes in this repository can be done from the base package, for example:
+
+```python
+from stix2 import Filter
+```
+
+However, if you are aiming to extend the ATT&CK dataset with new objects or implement complex workflows, you may need to use the `v20` specifier for some imports. This ensures that the objects use the STIX 2.0 API instead of the STIX 2.1 API. For example:
+
+```python
+from stix2.v20 import AttackPattern
+```
+
+You can see a full list of the classes which have versioned imports [here](https://stix2.readthedocs.io/en/latest/api/stix2.v20.html).
+
+#### taxii2client
+
+[taxii2-client can be installed by following the instructions on their repository](https://github.com/oasis-open/cti-taxii-client#installation). The ATT&CK TAXII server implements the 2.0 version of the TAXII specification, but the default import of `taxii2client` (version 2.0.0 and above) uses the 2.1 version of the TAXII specification, which can lead to 406 responses when connecting to our TAXII server if not accounted for.
+
+If the TAXII Client is getting a 406 Response, make sure you are running the latest version (`pip install --upgrade stix2` or `pip install --upgrade taxii2-client`). In addition, make sure you are running the 2.0 version of the client (using the `v20` import) as shown below in order to communicate with the ATT&CK TAXII 2.0 Server.
+
+```python
+from taxii2client.v20 import Collection
+```
+
+### Access local content
+
+Many users may opt to access the ATT&CK content via a local copy of the STIX data on this repo. This can be advantageous for several reasons:
+
+- Doesn't require internet access after the initial download
+- User can modify the ATT&CK content if desired
+- Downloaded copy is static, so updates to the ATT&CK catalog won't cause bugs in automated workflows. User can still manually update by cloning a fresh version of the data
+
+#### Access via FileSystemSource
+
+Each domain in this repo is formatted according to the [STIX2 FileSystem spec](https://stix2.readthedocs.io/en/latest/guide/filesystem.html).
+Therefore you can use a `FileSystemSource` to load a domain, for example to load the enterprise-attack domain:
+
+```python
+from stix2 import FileSystemSource
+
+src = FileSystemSource('./cti/enterprise-attack')
+```
+
+#### Access via bundle
+
+If you instead prefer to download just the domain bundle, e.g [enterprise-attack.json](/enterprise-attack/enterprise-attack.json), you can still load this using a MemoryStore:
+
+```python
+from stix2 import MemoryStore
+
+src = MemoryStore()
+src.load_from_file("enterprise-attack.json")
+```
+
+### Access live content
+
+Some users may instead prefer to access "live" ATT&CK content over the internet. This is advantageous for several reasons:
+
+- Always stays up to date with the evolving ATT&CK catalog
+- Doesn't require an initial download of the ATT&CK content, generally requires less setup
+
+#### Access from the ATT&CK TAXII server
+
+Users can access the ATT&CK data from the official ATT&CK TAXII server. In TAXII, the ATT&CK domains are represented as collections with static IDs:
+
+| domain | collection ID |
+|:-------|:--------------|
+| `enterprise-attack` | `95ecc380-afe9-11e4-9b6c-751b66dd541e` |
+| `mobile-attack` | `2f669986-b40b-4423-b720-4396ca6a462b` |
+| `ics-attack` | `02c3ef24-9cd4-48f3-a99f-b74ce24f1d34` |
+
+You can also get a list of available collection from the server directly:
+
+```python
+from taxii2client.v20 import Server # only specify v20 if your installed version is >= 2.0.0
+
+server = Server("https://cti-taxii.mitre.org/taxii/")
+api_root = server.api_roots[0]
+# Print name and ID of all ATT&CK domains available as collections
+for collection in api_root.collections:
+    print(collection.title.ljust(20) + collection.id)
+```
+
+The following recipe demonstrates how to access the enterprise-attack data from the TAXII server.
+
+```python
+from stix2 import TAXIICollectionSource
+from taxii2client.v20 import Collection # only specify v20 if your installed version is >= 2.0.0
+
+collections = {
+    "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
+    "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b",
+    "ics-attack": "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"
+}
+
+collection = Collection(f"https://cti-taxii.mitre.org/stix/collections/{collections['enterprise_attack']}/")
+src = TAXIICollectionSource(collection)
+```
+
+For more about TAXII, please see oasis-open's [Introduction to TAXII](https://oasis-open.github.io/cti-documentation/taxii/intro).
+
+#### Access from Github via requests
+
+Users can alternatively access the data from MITRE/CTI using HTTP requests, and load the resulting content into a MemoryStore.
+While typically the TAXII method is more desirable for "live" access, this method can be useful if you want to
+access data on a branch of the MITRE/CTI repo (the TAXII server only holds the master branch) or in the case of a TAXII server outage.
+
+```python
+import requests
+from stix2 import MemoryStore
+
+def get_data_from_branch(domain, branch="master"):
+    """get the ATT&CK STIX data from MITRE/CTI. Domain should be 'enterprise-attack', 'mobile-attack' or 'ics-attack'. Branch should typically be master."""
+    stix_json = requests.get(f"https://raw.githubusercontent.com/mitre/cti/{branch}/{domain}/{domain}.json").json()
+    return MemoryStore(stix_data=stix_json["objects"])
+
+src = get_data_from_branch("enterprise-attack")
+```
+
+### Access a specific version of ATT&CK
+
+ATT&CK versions are tracked on the MITRE/CTI repo using [tags](https://github.com/mitre/cti/tags). Tags prefixed with `ATT&CK-v` correspond to ATT&CK versions and tags prefixed with `CAPEC-v` correspond to CAPEC versions. You can find more information about ATT&CK versions on the [versions of ATT&CK page](https://attack.mitre.org/resources/versions/) on the ATT&CK website.
+
+In addition to checking out the repo under the tag for a given version or downloading the STIX from github using your browser, you can also use a variation on the [requests method](#access-from-github-via-requests) to access a particular version of ATT&CK:
+
+```python
+import requests
+from stix2 import MemoryStore
+
+def get_data_from_version(domain, version):
+    """get the ATT&CK STIX data for the given version from MITRE/CTI. Domain should be 'enterprise-attack', 'mobile-attack' or 'ics-attack'."""
+    stix_json = requests.get(f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/{domain}/{domain}.json").json()
+    return MemoryStore(stix_data=stix_json["objects"])
+
+src = get_data_from_version("enterprise-attack", "5.2")
+```
+
+You can get a list of ATT&CK versions programmatically using the github API:
+
+```python
+import requests
+import re
+
+refToTag = re.compile(r"ATT&CK-v(.*)")
+tags = requests.get("https://api.github.com/repos/mitre/cti/git/refs/tags").json()
+versions = list(map(lambda tag: refToTag.search(tag["ref"]).groups()[0] , filter(lambda tag: "ATT&CK-v" in tag["ref"], tags)))
+# versions = ["1.0", "2.0", ...]
+```
+
+### Access multiple domains simultaneously
+
+Because ATT&CK is stored in multiple domains (as of this writing, enterprise-attack, mobile-attack and ics-attack), the above methodologies will only allow you to work
+with a single domain at a time. While oftentimes the hard separation of domains is advantageous, occasionally it is useful to combine
+domains into a single DataStore. Use any of the methods above to acquire the individual datastores, and then use the following approach to combine them into
+a single CompositeDataSource:
+
+```python
+from stix2 import CompositeDataSource
+
+src = CompositeDataSource()
+src.add_data_sources([enterprise_attack_src, mobile_attack_src, ics_attack_src])
+```
+
+You can then use this CompositeDataSource just as you would the DataSource for an individual domain.
+
+## Python recipes
+
+Below are example python recipes which can be used to work with ATT&CK data. They assume the existence of an object implementing the DataStore API. Any of the methods outlined in the [Accessing ATT&CK data in python](#accessing-ATTCK-Data-in-Python) section should provide an object implementing this API.
+
+This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. See also the section on [Requirements and imports](#requirements-and-imports).
+
+### Getting an object
+
+The recipes in this section address how to query the dataset for a single object.
+
+#### By STIX ID
+
+The following recipe can be used to retrieve an object according to its STIX ID. This is typically the preferred way to retrieve objects when working with ATT&CK data because STIX IDs are guaranteed to be unique.
+
+```python
+g0075 = src.get("intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142")
+```
+
+#### By ATT&CK ID
+
+The following recipe can be used to retrieve an object according to its ATT&CK ID:
+
+```python
+from stix2 import Filter
+
+g0075 = src.query([ Filter("external_references.external_id", "=", "G0075") ])[0]
+```
+
+Note: in prior versions of ATT&CK, mitigations had 1:1 relationships with techniques and shared their technique's ID. Therefore the above method does not work properly for techniques because technique ATTT&CK IDs are not truly unique. By specifying the STIX type you're looking for as `attack-pattern` you can avoid this issue.
+
+```python
+from stix2 import Filter
+
+t1134 = src.query([ 
+    Filter("external_references.external_id", "=", "T1134"), 
+    Filter("type", "=", "attack-pattern")
+])[0]
+```
+
+The old 1:1 mitigations causing this issue are deprecated, so you can also filter them out that way — see [Removing revoked and deprecated objects](#Removing-revoked-and-deprecated-objects).
+
+#### By name
+
+The following recipe retrieves an object according to its name:
+
+```python
+from stix2 import Filter
+
+def get_technique_by_name(thesrc, name):
+    filt = [
+        Filter('type', '=', 'attack-pattern'),
+        Filter('name', '=', name)
+    ]
+    return thesrc.query(filt)
+# get the technique titled "System Information Discovery"
+get_technique_by_name(src, 'System Information Discovery')
+```
+
+#### By alias
+
+The following methodology can be used to find the group corresponding to a given alias:
+
+```python
+from stix2 import Filter
+
+def get_group_by_alias(thesrc, alias):
+    return thesrc.query([
+        Filter('type', '=', 'intrusion-set'),
+        Filter('aliases', '=', alias)
+    ])[0]
+    
+get_group_by_alias(src, 'Cozy Bear')
+```
+
+### Getting multiple objects
+
+The recipes in this section address how to query the dataset for multiple objects.
+
+&#9888; When working with queries to return objects based on a set of characteristics, it is likely that you'll end up with a few objects which are no longer maintained by ATT&CK. These are objects marked as deprecated or revoked. We keep these outdated objects around so that workflows depending on them don't break, but we recommend you avoid using them when possible. Please see the section [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information.
+
+#### Objects by type
+
+See [The ATT&CK data model](#The-ATTCK-Data-Model) for mappings of ATT&CK type to STIX type.
+
+```python
+from stix2 import Filter
+
+# use the appropriate STIX type in the query according to the desired ATT&CK type
+groups = src.query([ Filter("type", "=", "intrusion-set") ])
+```
+
+##### Getting techniques or sub-techniques
+
+ATT&CK Techniques and sub-techniques are both represented as `attack-pattern` objects. Therefore further parsing is necessary to get specifically techniques or sub-techniques.
+
+```python
+from stix2 import Filter
+
+def get_techniques_or_subtechniques(thesrc, include="both"):
+    """Filter Techniques or Sub-Techniques from ATT&CK Enterprise Domain.
+    include argument has three options: "techniques", "subtechniques", or "both"
+    depending on the intended behavior."""
+    if include == "techniques":
+        query_results = thesrc.query([
+            Filter('type', '=', 'attack-pattern'),
+            Filter('x_mitre_is_subtechnique', '=', False)
+        ])
+    elif include == "subtechniques":
+        query_results = thesrc.query([
+            Filter('type', '=', 'attack-pattern'),
+            Filter('x_mitre_is_subtechnique', '=', True)
+        ])
+    elif include == "both":
+        query_results = thesrc.query([
+            Filter('type', '=', 'attack-pattern')
+        ])
+    else:
+        raise RuntimeError("Unknown option %s!" % include)
+
+    return query_results
+
+
+subtechniques = get_techniques_or_subtechniques(src, "subtechniques")
+subtechniques = remove_revoked_deprecated(subtechniques) # see https://github.com/mitre/cti/blob/master/USAGE.md#removing-revoked-and-deprecated-objects
+```
+
+##### Getting software
+
+Because software are the union of two STIX types (`tool` and `malware`), the process for accessing software is slightly more complicated.
+
+```python
+from itertools import chain
+from stix2 import Filter
+
+def get_software(thesrc):
+    return list(chain.from_iterable(
+        thesrc.query(f) for f in [
+            Filter("type", "=", "tool"), 
+            Filter("type", "=", "malware")
+        ]
+    ))
+
+get_software(src)
+```
+
+#### Objects by content
+
+Sometimes it may be useful to query objects by the content of their description:
+
+```python
+from stix2 import Filter
+
+def get_techniques_by_content(thesrc, content):
+    techniques = src.query([ Filter('type', '=', 'attack-pattern') ])
+    return list(filter(lambda t: content.lower() in t.description.lower(), techniques))
+
+# Get all techniques where the string LSASS appears in the description
+get_techniques_by_content(src, 'LSASS')
+```
+
+#### Techniques by platform
+
+Techniques are associated with one or more platforms. You can query the techniques
+under a specific platform with the following code:
+
+```python
+from stix2 import Filter
+
+def get_techniques_by_platform(thesrc, platform):
+    return thesrc.query([
+        Filter('type', '=', 'attack-pattern'),
+        Filter('x_mitre_platforms', '=', platform)
+    ])
+
+# get techniques in the windows platform
+get_techniques_by_platform(src, 'Windows')
+```
+
+#### Techniques by tactic
+
+Techniques are related to tactics by their kill_chain_phases property.
+The `phase_name` of each kill chain phase corresponds to the `x_mitre_shortname` of a tactic.
+
+```python
+from stix2 import Filter
+
+def get_tactic_techniques(thesrc, tactic):
+    # double checking the kill chain is MITRE ATT&CK
+    # note: kill_chain_name is different for other domains:
+    #    - enterprise: "mitre-attack"
+    #    - mobile: "mitre-mobile-attack"
+    #    - ics: "mitre-ics-attack"
+    return thesrc.query([
+        Filter('type', '=', 'attack-pattern'),
+        Filter('kill_chain_phases.phase_name', '=', tactic),
+        Filter('kill_chain_phases.kill_chain_name', '=', 'mitre-attack'),
+    ])
+
+
+# use the x_mitre_shortname as argument
+get_tactic_techniques(src, 'defense-evasion')
+```
+
+#### Tactics by matrix
+
+The tactics are individual objects (`x-mitre-tactic`), and their order in a matrix (`x-mitre-matrix`) is
+found within the `tactic_refs` property in a matrix. The order of the tactics in that list matches
+the ordering of the tactics in that matrix. The following recipe returns a structured list of tactics within each matrix of the input DataStore.
+
+```python
+from stix2 import Filter
+
+def getTacticsByMatrix(thesrc):
+    tactics = {}
+    matrix = thesrc.query([
+        Filter('type', '=', 'x-mitre-matrix'),
+    ])
+    
+    for i in range(len(matrix)):
+        tactics[matrix[i]['name']] = []
+        for tactic_id in matrix[i]['tactic_refs']:
+            tactics[matrix[i]['name']].append(thesrc.get(tactic_id))
+    
+    return tactics
+
+# get tactic layout
+getTacticsByMatrix(src)
+```
+
+#### Objects created or modified since a given date
+
+Sometimes you may want to get a list of objects which have been created or modified after a certain time.
+
+```python
+from stix2 import Filter
+
+def get_created_after(thesrc, timestamp):
+    filt = [
+        Filter('created', '>', timestamp)
+    ]
+    return thesrc.query(filt)
+
+get_created_after(src, "2018-10-01T00:14:20.652Z")
+
+
+def get_modified_after(thesrc, timestamp):
+    filt = [
+        Filter('modified', '>', timestamp)
+    ]
+    return thesrc.query(filt)
+    
+get_modified_after(src, "2018-10-01T00:14:20.652Z")
+```
+
+We don't recommend you use this method to detect a change to the contents of the knowledge base. For detecting an update to the overall knowledge base we recommend using requests to [check the list of released versions of ATT&CK](https://github.com/mitre/cti/blob/master/USAGE.md#access-a-specific-version-of-attck).
+
+### Getting related objects
+
+A large part of working with ATT&CK revolves around parsing relationships between objects. It is useful
+to track not only the related object but the relationship itself because a description is often
+present to contextualize the nature of the relationship. The following recipes demonstrate
+some common uses of relationships.
+
+#### Relationships microlibrary
+
+NOTE: The following code is intended to be used with the ATT&CK v12 release which includes Campaign Objects.
+The examples are backwards-compatible for previous versions af ATT&CK that omit those objects.
+
+This microlibrary can be used to build a lookup table of stixID to related objects and relationships.
+The argument to each accessor function is a STIX2 MemoryStore to build the relationship mappings from.
+
+```python
+from pprint import pprint
+from stix2 import MemoryStore, Filter
+
+# See section below on "Removing revoked and deprecated objects"
+def remove_revoked_deprecated(stix_objects):
+    """Remove any revoked or deprecated objects from queries made to the data source"""
+    # Note we use .get() because the property may not be present in the JSON data. The default is False
+    # if the property is not set.
+    return list(
+        filter(
+            lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+            stix_objects
+        )
+    )
+
+def get_related(thesrc, src_type, rel_type, target_type, reverse=False):
+    """build relationship mappings
+       params:
+         thesrc: MemoryStore to build relationship lookups for
+         src_type: source type for the relationships, e.g "attack-pattern"
+         rel_type: relationship type for the relationships, e.g "uses"
+         target_type: target type for the relationship, e.g "intrusion-set"
+         reverse: build reverse mapping of target to source
+    """
+
+    relationships = thesrc.query([
+        Filter('type', '=', 'relationship'),
+        Filter('relationship_type', '=', rel_type),
+        Filter('revoked', '=', False),
+    ])
+
+    # See section below on "Removing revoked and deprecated objects"
+    relationships = remove_revoked_deprecated(relationships)
+
+    # stix_id => [ { relationship, related_object_id } for each related object ]
+    id_to_related = {}
+
+    # build the dict
+    for relationship in relationships:
+        if src_type in relationship.source_ref and target_type in relationship.target_ref:
+            if (relationship.source_ref in id_to_related and not reverse) or (relationship.target_ref in id_to_related and reverse):
+                # append to existing entry
+                if not reverse:
+                    id_to_related[relationship.source_ref].append({
+                        "relationship": relationship,
+                        "id": relationship.target_ref
+                    })
+                else:
+                    id_to_related[relationship.target_ref].append({
+                        "relationship": relationship,
+                        "id": relationship.source_ref
+                    })
+            else:
+                # create a new entry
+                if not reverse:
+                    id_to_related[relationship.source_ref] = [{
+                        "relationship": relationship,
+                        "id": relationship.target_ref
+                    }]
+                else:
+                    id_to_related[relationship.target_ref] = [{
+                        "relationship": relationship,
+                        "id": relationship.source_ref
+                    }]
+    # all objects of relevant type
+    if not reverse:
+        targets = thesrc.query([
+            Filter('type', '=', target_type),
+            Filter('revoked', '=', False)
+        ])
+    else:
+        targets = thesrc.query([
+            Filter('type', '=', src_type),
+            Filter('revoked', '=', False)
+        ])
+
+    # build lookup of stixID to stix object
+    id_to_target = {}
+    for target in targets:
+        id_to_target[target.id] = target
+
+    # build final output mappings
+    output = {}
+    for stix_id in id_to_related:
+        value = []
+        for related in id_to_related[stix_id]:
+            if not related["id"] in id_to_target:
+                continue  # targeting a revoked object
+            value.append({
+                "object": id_to_target[related["id"]],
+                "relationship": related["relationship"]
+            })
+        output[stix_id] = value
+    return output
+
+# software:group
+def software_used_by_groups(thesrc):
+    """returns group_id => {software, relationship} for each software used by the group and each software used by campaigns attributed to the group."""
+    # get all software used by groups
+    tools_used_by_group = get_related(thesrc, "intrusion-set", "uses", "tool")
+    malware_used_by_group = get_related(thesrc, "intrusion-set", "uses", "malware")
+    software_used_by_group = {**tools_used_by_group, **malware_used_by_group} # group_id -> [{software, relationship}]
+
+    # get groups attributing to campaigns and all software used by campaigns
+    software_used_by_campaign = get_related(thesrc, "campaign", "uses", "tool")
+    malware_used_by_campaign = get_related(thesrc, "campaign", "uses", "malware")
+    for id in malware_used_by_campaign:
+        if id in software_used_by_campaign:
+            software_used_by_campaign[id].extend(malware_used_by_campaign[id])
+        else:
+            software_used_by_campaign[id] = malware_used_by_campaign[id]
+    campaigns_attributed_to_group = {
+        "campaigns": get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True), # group_id => {campaign, relationship}
+        "software": software_used_by_campaign # campaign_id => {software, relationship}
+    }
+
+    for group_id in campaigns_attributed_to_group["campaigns"]:
+        software_used_by_campaigns = []
+        # check if attributed campaign is using software
+        for campaign in campaigns_attributed_to_group["campaigns"][group_id]:
+            campaign_id = campaign["object"]["id"]
+            if campaign_id in campaigns_attributed_to_group["software"]:
+                software_used_by_campaigns.extend(campaigns_attributed_to_group["software"][campaign_id])
+        
+        # update software used by group to include software used by a groups attributed campaign
+        if group_id in software_used_by_group:
+            software_used_by_group[group_id].extend(software_used_by_campaigns)
+        else:
+            software_used_by_group[group_id] = software_used_by_campaigns
+    return software_used_by_group
+
+def groups_using_software(thesrc):
+    """returns software_id => {group, relationship} for each group using the software and each software used by attributed campaigns."""
+    # get all groups using software
+    groups_using_tool = get_related(thesrc, "intrusion-set", "uses", "tool", reverse=True)
+    groups_using_malware = get_related(thesrc, "intrusion-set", "uses", "malware", reverse=True)
+    groups_using_software = {**groups_using_tool, **groups_using_malware} # software_id => {group, relationship}
+
+    # get campaigns attributed to groups and all campaigns using software
+    campaigns_using_software = get_related(thesrc, "campaign", "uses", "tool", reverse=True)
+    campaigns_using_malware = get_related(thesrc, "campaign", "uses", "malware", reverse=True)
+    for id in campaigns_using_malware:
+        if id in campaigns_using_software:
+            campaigns_using_software[id].extend(campaigns_using_malware[id])
+        else:
+            campaigns_using_software[id] = campaigns_using_malware[id]
+    groups_attributing_to_campaigns = {
+        "campaigns": campaigns_using_software,# software_id => {campaign, relationship}
+        "groups": get_related(thesrc, "campaign", "attributed-to", "intrusion-set") # campaign_id => {group, relationship}
+    }
+
+    for software_id in groups_attributing_to_campaigns["campaigns"]:
+        groups_attributed_to_campaigns = []
+        # check if campaign is attributed to group
+        for campaign in groups_attributing_to_campaigns["campaigns"][software_id]:
+            campaign_id = campaign["object"]["id"]
+            if campaign_id in groups_attributing_to_campaigns["groups"]:
+                groups_attributed_to_campaigns.extend(groups_attributing_to_campaigns["groups"][campaign_id])
+        
+        # update groups using software to include software used by a groups attributed campaign
+        if software_id in groups_using_software:
+            groups_using_software[software_id].extend(groups_attributed_to_campaigns)
+        else:
+            groups_using_software[software_id] = groups_attributed_to_campaigns
+    return groups_using_software
+
+# software:campaign
+def software_used_by_campaigns(thesrc):
+    """returns campaign_id => {software, relationship} for each software used by the campaign."""
+    tools_used_by_campaign = get_related(thesrc, "campaign", "uses", "tool")
+    malware_used_by_campaign = get_related(thesrc, "campaign", "uses", "malware")
+    return {**tools_used_by_campaign, **malware_used_by_campaign}
+
+def campaigns_using_software(thesrc):
+    """returns software_id => {campaign, relationship} for each campaign using the software."""
+    campaigns_using_tool = get_related(thesrc, "campaign", "uses", "tool", reverse=True)
+    campaigns_using_malware = get_related(thesrc, "campaign", "uses", "malware", reverse=True)
+    return {**campaigns_using_tool, **campaigns_using_malware}
+
+# campaign:group
+def groups_attributing_to_campaign(thesrc):
+    """returns campaign_id => {group, relationship} for each group attributing to the campaign."""
+    return get_related(thesrc, "campaign", "attributed-to", "intrusion-set")
+
+def campaigns_attributed_to_group(thesrc):
+    """returns group_id => {campaign, relationship} for each campaign attributed to the group."""
+    return get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True)
+
+# technique:group
+def techniques_used_by_groups(thesrc):
+    """returns group_id => {technique, relationship} for each technique used by the group and each
+       technique used by campaigns attributed to the group."""
+    # get all techniques used by groups
+    techniques_used_by_groups = get_related(thesrc, "intrusion-set", "uses", "attack-pattern") # group_id => {technique, relationship}
+
+    # get groups attributing to campaigns and all techniques used by campaigns
+    campaigns_attributed_to_group = {
+        "campaigns": get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True), # group_id => {campaign, relationship}
+        "techniques": get_related(thesrc, "campaign", "uses", "attack-pattern") # campaign_id => {technique, relationship}
+    }
+
+    for group_id in campaigns_attributed_to_group["campaigns"]:
+        techniques_used_by_campaigns = []
+        # check if attributed campaign is using technique
+        for campaign in campaigns_attributed_to_group["campaigns"][group_id]:
+            campaign_id = campaign["object"]["id"]
+            if campaign_id in campaigns_attributed_to_group["techniques"]:
+                techniques_used_by_campaigns.extend(campaigns_attributed_to_group["techniques"][campaign_id])
+
+        # update techniques used by groups to include techniques used by a groups attributed campaign
+        if group_id in techniques_used_by_groups:
+            techniques_used_by_groups[group_id].extend(techniques_used_by_campaigns)
+        else:
+            techniques_used_by_groups[group_id] = techniques_used_by_campaigns
+    return techniques_used_by_groups
+
+def groups_using_technique(thesrc):
+    """returns technique_id => {group, relationship} for each group using the technique and each campaign attributed to groups using the technique."""
+    # get all groups using techniques
+    groups_using_techniques = get_related(thesrc, "intrusion-set", "uses", "attack-pattern", reverse=True) # technique_id => {group, relationship}
+
+    # get campaigns attributed to groups and all campaigns using techniques
+    groups_attributing_to_campaigns = {
+        "campaigns": get_related(thesrc, "campaign", "uses", "attack-pattern", reverse=True), # technique_id => {campaign, relationship}
+        "groups": get_related(thesrc, "campaign", "attributed-to", "intrusion-set") # campaign_id => {group, relationship}
+    }
+
+    for technique_id in groups_attributing_to_campaigns["campaigns"]:
+        campaigns_attributed_to_group = []
+        # check if campaign is attributed to group
+        for campaign in groups_attributing_to_campaigns["campaigns"][technique_id]:
+            campaign_id = campaign["object"]["id"]
+            if campaign_id in groups_attributing_to_campaigns["groups"]:
+                campaigns_attributed_to_group.extend(groups_attributing_to_campaigns["groups"][campaign_id])
+        
+        # update groups using techniques to include techniques used by a groups attributed campaign
+        if technique_id in groups_using_techniques:
+            groups_using_techniques[technique_id].extend(campaigns_attributed_to_group)
+        else:
+            groups_using_techniques[technique_id] = campaigns_attributed_to_group
+    return groups_using_techniques
+
+# technique:campaign
+def techniques_used_by_campaigns(thesrc):
+    """returns campaign_id => {technique, relationship} for each technique used by the campaign."""
+    return get_related(thesrc, "campaign", "uses", "attack-pattern")
+
+def campaigns_using_technique(thesrc):
+    """returns technique_id => {campaign, relationship} for each campaign using the technique."""
+    return get_related(thesrc, "campaign", "uses", "attack-pattern", reverse=True)
+
+# technique:software
+def techniques_used_by_software(thesrc):
+    """return software_id => {technique, relationship} for each technique used by the software."""
+    techniques_by_tool = get_related(thesrc, "tool", "uses", "attack-pattern")
+    techniques_by_malware = get_related(thesrc, "malware", "uses", "attack-pattern")
+    return {**techniques_by_tool, **techniques_by_malware}
+
+def software_using_technique(thesrc):
+    """return technique_id  => {software, relationship} for each software using the technique."""
+    tools_by_technique_id = get_related(thesrc, "tool", "uses", "attack-pattern", reverse=True)
+    malware_by_technique_id = get_related(thesrc, "malware", "uses", "attack-pattern", reverse=True)
+    return {**tools_by_technique_id, **malware_by_technique_id}
+
+# technique:mitigation
+def mitigation_mitigates_techniques(thesrc):
+    """return mitigation_id => {technique, relationship} for each technique mitigated by the mitigation."""
+    return get_related(thesrc, "course-of-action", "mitigates", "attack-pattern", reverse=False)
+
+def technique_mitigated_by_mitigations(thesrc):
+    """return technique_id => {mitigation, relationship} for each mitigation of the technique."""
+    return get_related(thesrc, "course-of-action", "mitigates", "attack-pattern", reverse=True)
+
+# technique:sub-technique
+def subtechniques_of(thesrc):
+    """return technique_id => {subtechnique, relationship} for each subtechnique of the technique."""
+    return get_related(thesrc, "attack-pattern", "subtechnique-of", "attack-pattern", reverse=True)
+
+def parent_technique_of(thesrc):
+    """return subtechnique_id => {technique, relationship} describing the parent technique of the subtechnique"""
+    return get_related(thesrc, "attack-pattern", "subtechnique-of", "attack-pattern")[0]
+
+# technique:data-component
+def datacomponent_detects_techniques(thesrc):
+    """return datacomponent_id => {technique, relationship} describing the detections of each data component"""
+    return get_related(thesrc, "x-mitre-data-component", "detects", "attack-pattern")
+
+def technique_detected_by_datacomponents(thesrc):
+    """return technique_id => {datacomponent, relationship} describing the data components that can detect the technique"""
+    return get_related(thesrc, "x-mitre-data-component", "detects", "attack-pattern", reverse=True)
+
+# Example usage:
+src = MemoryStore()
+src.load_from_file("path/to/enterprise-attack.json")
+
+group_id_to_software = software_used_by_groups(src)
+pprint(group_id_to_software["intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050"])  # G0019
+# [
+#     {
+#         "object": Malware, # S0061
+#         "relationship": Relationship # relationship between G0019 and S0061
+#     },
+#     {
+#         ...
+#     }
+# ]
+```
+
+#### Getting techniques used by a group's software
+
+Because a group uses software, and software uses techniques, groups can be considered indirect users of techniques used by their software.
+These techniques are oftentimes distinct from the techniques used directly by a group, although there are occasionally intersections in these two sets of techniques.
+
+The following recipe can be used to retrieve the techniques used by a group's software:
+
+```python
+from stix2.utils import get_type_from_id
+from stix2 import Filter
+
+def get_techniques_by_group_software(thesrc, group_stix_id):
+    # get the malware, tools that the group uses
+    group_uses = [
+        r for r in thesrc.relationships(group_stix_id, 'uses', source_only=True)
+        if get_type_from_id(r.target_ref) in ['malware', 'tool']
+    ]
+
+    # get the technique stix ids that the malware, tools use
+    software_uses = thesrc.query([
+        Filter('type', '=', 'relationship'),
+        Filter('relationship_type', '=', 'uses'),
+        Filter('source_ref', 'in', [r.source_ref for r in group_uses])
+    ])
+
+    #get the techniques themselves
+    return thesrc.query([
+        Filter('type', '=', 'attack-pattern'),
+        Filter('id', 'in', [r.target_ref for r in software_uses])
+    ])
+
+get_techniques_by_group_software(src, "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd")
+```
+
+### Working with deprecated and revoked objects
+
+Objects that are deemed no longer beneficial to track as part of the knowledge base are marked as deprecated, and objects which are replaced by a different object are revoked. In both cases, the old object is marked with a field (either `x_mitre_deprecated` or `revoked`) noting their status. In the case of revoked objects, a relationship of type `revoked-by` is also created targeting the replacing object.
+
+Unlike other objects in the dataset, relationships cannot be revoked or deprecated. Relationships are considered deprecated/revoked if one of the objects it is attached to is revoked or deprecated.
+
+#### Removing revoked and deprecated objects
+
+Revoked and deprecated objects are kept in the knowledge base so that workflows relying on those objects are not
+broken. We recommend you filter out revoked and deprecated objects from your views whenever possible since they are no
+longer maintained by ATT&CK.
+
+We recommend _not_ using built-in STIX filters for removing revoked objects (e.g `Filter('revoked', '=', False)`). This is because the behavior of this specific filter is inconsistent depending on the method of access (using local data or accessing via the TAXII server). We recommend using the following code example to filter revoked objects instead. See [issue #127](https://github.com/mitre/cti/issues/127) for more details.
+
+```python
+from stix2 import Filter
+
+def remove_revoked_deprecated(stix_objects):
+    """Remove any revoked or deprecated objects from queries made to the data source"""
+    # Note we use .get() because the property may not be present in the JSON data. The default is False
+    # if the property is not set.
+    return list(
+        filter(
+            lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+            stix_objects
+        )
+    )
+
+mitigations = src.query([ Filter("type", "=", "course-of-action") ])
+mitigations = remove_revoked_deprecated(mitigations)
+```
+
+#### Getting a revoking object
+
+When an object is replaced by another object, it is marked with the field `revoked` and a relationship of type `revoked-by` is created where the `source_ref` is the revoked object and the `target_ref` is the revoking object. This relationship can be followed to find the replacing object:
+
+```python
+from stix2 import Filter
+
+def getRevokedBy(stix_id, thesrc):
+    relations = thesrc.relationships(stix_id, 'revoked-by', source_only=True)
+    revoked_by = thesrc.query([
+        Filter('id', 'in', [r.target_ref for r in relations]),
+        Filter('revoked', '=', False)
+    ])
+    if revoked_by is not None:
+        revoked_by = revoked_by[0]
+
+    return revoked_by
+
+getRevokedBy("attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df", src)
+```

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json

@@ -0,0 +1,88 @@
+{
+    "id": "bundle--3854e44a-10ea-4970-8e82-5db4b70ba65e",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-87",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/87.html"
+                },
+                {
+                    "external_id": "CWE-425",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/425.html"
+                },
+                {
+                    "external_id": "CWE-285",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/285.html"
+                },
+                {
+                    "external_id": "CWE-693",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/693.html"
+                },
+                {
+                    "description": "Predictable Resource Location",
+                    "external_id": "34",
+                    "source_name": "WASC",
+                    "url": "http://projects.webappsec.org/Predictable-Resource-Location"
+                },
+                {
+                    "description": "Forced browsing",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/Forced_browsing"
+                }
+            ],
+            "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6",
+            "modified": "2020-12-17T00:00:00.000Z",
+            "name": "Forceful Browsing",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_child_of_refs": [
+                "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism"
+                ],
+                "Confidentiality": [
+                    "Read Data",
+                    "Bypass Protection Mechanism"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n               <xhtml:p>A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.</xhtml:p>\n               <xhtml:p>An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.</xhtml:p>\n            "
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Spider: </b>Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt well-known or guessable resource locations: </b>Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record attempts on well-known URLs.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Use unauthorized resources: </b>By visiting the unprotected resource, the attacker makes use of unauthorized functionality.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Access unprotected functions and execute them.</td></tr></tbody></table><li> <p> <b>View unauthorized data: </b>The attacker discovers and views unprotected sensitive data.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)</td></tr></tbody></table></ol></div>",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_prerequisites": [
+                "The forcibly browseable pages or accessible resources must be discoverable and improperly protected."
+            ],
+            "x_capec_resources_required": [
+                "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement."
+            ],
+            "x_capec_skills_required": {
+                "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json

@@ -0,0 +1,29 @@
+{
+    "id": "bundle--e5816f1d-9092-4885-a6c2-a171216583ed",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-409",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/409.html"
+                }
+            ],
+            "id": "attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1",
+            "modified": "2018-07-31T00:00:00.000Z",
+            "name": "DEPRECATED: Information Gathering from Non-Traditional Sources",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json

@@ -0,0 +1,45 @@
+{
+    "id": "bundle--1fb1c501-9ddd-4631-957c-e93abe88c5c6",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-391",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/391.html"
+                },
+                {
+                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+                    "external_id": "REF-33",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97",
+            "modified": "2019-09-30T00:00:00.000Z",
+            "name": "Bypassing Physical Locks",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_child_of_refs": [
+                "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f"
+            ],
+            "x_capec_domains": [
+                "Physical Security"
+            ],
+            "x_capec_parent_of_refs": [
+                "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a",
+                "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368",
+                "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json

@@ -0,0 +1,77 @@
+{
+    "id": "bundle--da81b06e-418a-4798-97f9-f4c8cb5d3327",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-4",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/4.html"
+                },
+                {
+                    "external_id": "CWE-291",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/291.html"
+                },
+                {
+                    "external_id": "CWE-173",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/173.html"
+                },
+                {
+                    "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
+                    "external_id": "REF-1",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17",
+            "modified": "2022-02-22T00:00:00.000Z",
+            "name": "Using Alternative IP Address Encodings",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Gain Privileges"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions."
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for IP addresses as user input: </b>Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application where IP addresses are used.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.</td></tr><tr><td>Manually inspect the application to find entry points.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Probe entry points to locate vulnerabilities: </b>The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts alternate IP address encodings, observing application behavior. The adversary will also attempt to access the application through an alternate IP address encoding to see if access control changes</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Instead of using a URL, use the IP address that the URL resolves to</td></tr><tr><td>Specify a port directly to a URL input</td></tr><tr><td>Omit or add \"http://\" or \"https://\" to a URL to see if the application behaves differently</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Bypass access control: </b>Using an alternate IP address encoding, the adversary will either access the application or give the alternate encoding as input, bypassing access control restrictions.</p></li></ol></div>",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "The target software must fail to anticipate all of the possible valid encodings of an IP/web address.",
+                "The adversary must have the ability to communicate with the server."
+            ],
+            "x_capec_resources_required": [
+                "The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities."
+            ],
+            "x_capec_skills_required": {
+                "Low": "The adversary has only to try IP address format combinations."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json

@@ -0,0 +1,47 @@
+{
+    "id": "bundle--fe6f08e4-c5b7-46a8-bcba-74e070e9a67f",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-185",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/185.html"
+                },
+                {
+                    "external_id": "CWE-494",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/494.html"
+                }
+            ],
+            "id": "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Malicious Software Download",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_can_follow_refs": [
+                "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b"
+            ],
+            "x_capec_can_precede_refs": [
+                "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json

@@ -0,0 +1,53 @@
+{
+    "id": "bundle--0a37fa8f-a546-401d-abbe-86fb154ca01e",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-226",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/226.html"
+                },
+                {
+                    "external_id": "CWE-565",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/565.html"
+                },
+                {
+                    "external_id": "CWE-472",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/472.html"
+                }
+            ],
+            "id": "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce",
+            "modified": "2022-02-22T00:00:00.000Z",
+            "name": "Session Credential Falsification through Manipulation",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_extended_description": "\n            <xhtml:p>For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.</xhtml:p>\n         ",
+            "x_capec_prerequisites": [
+                "The targeted application must use session credentials to identify legitimate users."
+            ],
+            "x_capec_resources_required": [
+                "An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json

@@ -0,0 +1,47 @@
+{
+    "id": "bundle--ec12a87d-bd00-4882-b543-f429cf18fae4",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-208",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/208.html"
+                },
+                {
+                    "external_id": "CWE-602",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/602.html"
+                }
+            ],
+            "id": "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05",
+            "modified": "2017-08-04T00:00:00.000Z",
+            "name": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_prerequisites": [
+                "The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations."
+            ],
+            "x_capec_resources_required": [
+                "The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json

@@ -0,0 +1,70 @@
+{
+    "id": "bundle--1769491d-4eb9-4e12-9f8c-3d73dabca10d",
+    "objects": [
+        {
+            "created": "2017-02-01T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-587",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/587.html"
+                },
+                {
+                    "external_id": "CWE-1021",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1021.html"
+                },
+                {
+                    "description": "Cross Frame Scripting",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/Cross_Frame_Scripting"
+                },
+                {
+                    "description": "Cross Frame Scripting, 2016, OWASP",
+                    "external_id": "REF-469",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.owasp.org/index.php/Cross_Frame_Scripting"
+                },
+                {
+                    "description": "Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, 2010--07---20",
+                    "external_id": "REF-470",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://seclab.stanford.edu/websec/framebusting/framebust.pdf"
+                }
+            ],
+            "id": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408",
+            "modified": "2023-01-24T00:00:00.000Z",
+            "name": "Cross Frame Scripting (XFS)",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef"
+            ],
+            "x_capec_consequences": {
+                "Confidentiality": [
+                    "Read Data (Cross Frame Scripting allows an adversary to steal sensitive data from a legitimate site.)"
+                ]
+            },
+            "x_capec_domains": [
+                "Social Engineering",
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information."
+            ],
+            "x_capec_prerequisites": [
+                "The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59.json

@@ -0,0 +1,100 @@
+{
+    "id": "bundle--a48ef11c-e5a4-47c1-a10f-ec909efbc56b",
+    "objects": [
+        {
+            "created": "2022-09-29T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-682",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/682.html"
+                },
+                {
+                    "external_id": "CWE-1277",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1277.html"
+                },
+                {
+                    "external_id": "CWE-1310",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1310.html"
+                },
+                {
+                    "description": "Alex Scroxton, Alarm bells ring, the IoT is listening, 2019--12---13, TechTarget",
+                    "external_id": "REF-723",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening"
+                },
+                {
+                    "description": "Matthew Hughes, Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed, 2019--12---11, Situation Publishing",
+                    "external_id": "REF-724",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.theregister.com/2019/12/11/f_secure_keywe/"
+                },
+                {
+                    "description": "Brian Krebs, Zyxel Flaw Powers New Mirai IoT Botnet Strain, 2020--03---20, Krebs on Security",
+                    "external_id": "REF-725",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/"
+                },
+                {
+                    "description": "Colin Schulz, Stefan Raff, Sebastian Kortmann, Nikolaus Obwegeser, Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm, 2021--12, International Conference on Information Systems (ICIS) 2021",
+                    "external_id": "REF-726",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm"
+                }
+            ],
+            "id": "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_child_of_refs": [
+                "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Gain Privileges"
+                ],
+                "Confidentiality": [
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software",
+                "Hardware"
+            ],
+            "x_capec_example_instances": [
+                "\n               <xhtml:p>An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.</xhtml:p>\n            ",
+                "\n               <xhtml:p>Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.</xhtml:p>\n            "
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine vulnerable firmware or ROM code: </b>An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Determine plan of attack: </b>An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Carry out attack: </b>An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Install malware on a device to recruit it for a botnet.</td></tr><tr><td>Install malware on the device and use it for a ransomware attack.</td></tr><tr><td>Gain root access and steal information stored on the device.</td></tr><tr><td>Manipulate the device to behave in unexpected ways which would benefit the adversary.</td></tr></tbody></table></ol></div>",
+            "x_capec_extended_description": "When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "Awareness of the hardware being leveraged.",
+                "Access to the hardware being leveraged, either physically or remotely."
+            ],
+            "x_capec_skills_required": {
+                "High": "Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely",
+                "Medium": "Knowledge of various wireless protocols to enable remote access to vulnerable devices"
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--02570621-96aa-4525-b782-8e3939affac3.json

@@ -0,0 +1,65 @@
+{
+    "id": "bundle--fab6fa4f-6c5e-4e4a-ad4b-d3c31a9390a9",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-523",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/523.html"
+                },
+                {
+                    "description": "Supply Chain Compromise: Compromise Software Supply Chain",
+                    "external_id": "T1195.002",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1195/002"
+                },
+                {
+                    "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
+                    "external_id": "REF-439",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf"
+                },
+                {
+                    "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft",
+                    "external_id": "REF-716",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware"
+                }
+            ],
+            "id": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Malicious Software Implanted",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_child_of_refs": [
+                "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030"
+            ],
+            "x_capec_domains": [
+                "Supply Chain"
+            ],
+            "x_capec_example_instances": [
+                "An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities."
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine Entry Point: </b>The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.</td></tr><tr><td>Identify exposed USB connectors that could be used to load software.</td></tr></tbody></table><li> <p> <b>Discover Vulnerability in Supply Chain: </b>The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Procure a system and observe the steps it takes in the shipment process.</td></tr><tr><td>Identify possible warehouses that systems are stored after manufacturing.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Test Malicious Software: </b>Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.</td></tr><tr><td>Obtain already designed malicious software that just need to be placed into the system.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Implant Software in the Supply Chain: </b>Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.</p></li></ol></div>",
+            "x_capec_likelihood_of_attack": "Low",
+            "x_capec_prerequisites": [
+                "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location."
+            ],
+            "x_capec_skills_required": {
+                "High": "Malicious software creation."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json

@@ -0,0 +1,29 @@
+{
+    "id": "bundle--b8cd0bd1-eed2-47b2-a25b-4a9ca536499c",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". Please refer to this other CAPEC going forward.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-411",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/411.html"
+                }
+            ],
+            "id": "attack-pattern--03093798-f245-4ed2-a085-88e69d303b11",
+            "modified": "2017-08-04T00:00:00.000Z",
+            "name": "DEPRECATED: Pretexting",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json

@@ -0,0 +1,153 @@
+{
+    "id": "bundle--430ad2b5-d745-4d87-8bc4-aa14b8e2f12d",
+    "objects": [
+        {
+            "created": "2020-07-30T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "\n            <xhtml:p>An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.</xhtml:p>\n         ",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-600",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/600.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-307",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/307.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-309",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/309.html"
+                },
+                {
+                    "external_id": "CWE-262",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/262.html"
+                },
+                {
+                    "external_id": "CWE-263",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/263.html"
+                },
+                {
+                    "external_id": "CWE-654",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/654.html"
+                },
+                {
+                    "description": "Brute Force:Credential Stuffing",
+                    "external_id": "T1110.004",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1110/004"
+                },
+                {
+                    "description": "Credential stuffing",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/Credential_stuffing"
+                },
+                {
+                    "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)",
+                    "external_id": "REF-567",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
+                },
+                {
+                    "description": "Credential stuffing, Open Web Application Security Project (OWASP)",
+                    "external_id": "REF-568",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://owasp.org/www-community/attacks/Credential_stuffing"
+                },
+                {
+                    "description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times",
+                    "external_id": "REF-569",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/"
+                }
+            ],
+            "id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Credential Stuffing",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_can_follow_refs": [
+                "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656",
+                "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112",
+                "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427",
+                "attack-pattern--addd93c9-9278-4185-b402-e505d632c815",
+                "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be",
+                "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d",
+                "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f",
+                "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170"
+            ],
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b",
+                "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authentication": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Read Data"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges",
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "A user leverages the password \"Password123\" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.",
+                "In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised."
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known credentials: </b>The adversary must obtain known credentials in order to access the target system, application, or service.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.</td></tr><tr><td>An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.</td></tr><tr><td>An adversary conducts a sniffing attack to steal credentials as they are transmitted.</td></tr><tr><td>An adversary gains access to a database and exfiltrates password hashes.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.</td></tr></tbody></table><li> <p> <b>Determine target's password policy: </b>Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine minimum and maximum allowed password lengths.</td></tr><tr><td>Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).</td></tr><tr><td>Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt authentication: </b>Try each username/password combination until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each username/password combination through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within the system or application.</p></li></ol></div>",
+            "x_capec_extended_description": "\n            <xhtml:p>Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.</xhtml:p>\n            <xhtml:p>The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.</xhtml:p>\n            <xhtml:p>Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.</xhtml:p>\n            <xhtml:p>Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.</xhtml:p>\n         ",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_prerequisites": [
+                "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.",
+                "The system/application does not have a sound password policy that is being enforced.",
+                "The system/application does not implement an effective password throttling mechanism.",
+                "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target."
+            ],
+            "x_capec_resources_required": [
+                "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).",
+                "A known list of username/password combinations.",
+                "A custom script that leverages the credential list to launch the attack."
+            ],
+            "x_capec_skills_required": {
+                "Low": "A Credential Stuffing attack is very straightforward."
+            },
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json

@@ -0,0 +1,139 @@
+{
+    "id": "bundle--88f28930-9fa6-42d1-9bd4-aa7b8d8527a9",
+    "objects": [
+        {
+            "created": "2018-07-31T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-644",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/644.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-836",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/836.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-294",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/294.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "description": "Use Alternate Authentication Material:Pass The Hash",
+                    "external_id": "T1550.002",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1550/002"
+                },
+                {
+                    "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica",
+                    "external_id": "REF-575",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/"
+                },
+                {
+                    "description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason",
+                    "external_id": "REF-580",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
+                },
+                {
+                    "description": "Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation",
+                    "external_id": "REF-581",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN"
+                },
+                {
+                    "description": "How Pass-the-Hash works, Microsoft Corporation",
+                    "external_id": "REF-582",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN"
+                },
+                {
+                    "description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute",
+                    "external_id": "REF-583",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283"
+                }
+            ],
+            "id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Use of Captured Hashes (Pass The Hash)",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b",
+                "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3",
+                "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80",
+                "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authentication": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Read Data"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges",
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]",
+                "Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]"
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known Windows credential hash value pairs: </b>The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached Windows credential hash value pairs from the dark web.</td></tr><tr><td>An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.</td></tr><tr><td>An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt domain authentication: </b>Try each Windows credential hash value pair until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each Windows credential hash value pair through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within domain systems or applications.</p></li></ol></div>",
+            "x_capec_extended_description": "\n            <xhtml:p>When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.</xhtml:p>\n         ",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "The system/application is connected to the Windows domain.",
+                "The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.",
+                "The adversary possesses known Windows credential hash value pairs that exist on the target domain."
+            ],
+            "x_capec_resources_required": [
+                "A list of known Window credential hash value pairs for the targeted domain."
+            ],
+            "x_capec_skills_required": {
+                "Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial."
+            },
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json

@@ -0,0 +1,83 @@
+{
+    "id": "bundle--ac9e8470-4635-4e2b-b6ed-f46e5ee678c1",
+    "objects": [
+        {
+            "created": "2018-07-31T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-645",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/645.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-294",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/294.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "description": "Use Alternate Authentication Material:Pass The Ticket",
+                    "external_id": "T1550.003",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1550/003"
+                },
+                {
+                    "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence",
+                    "external_id": "REF-584",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+                }
+            ],
+            "id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f",
+            "modified": "2020-07-30T00:00:00.000Z",
+            "name": "Use of Captured Tickets (Pass The Ticket)",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c"
+            ],
+            "x_capec_consequences": {
+                "Integrity": [
+                    "Gain Privileges"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]"
+            ],
+            "x_capec_likelihood_of_attack": "Low",
+            "x_capec_prerequisites": [
+                "The adversary needs physical access to the victim system.",
+                "The use of a third-party credential harvesting tool."
+            ],
+            "x_capec_skills_required": {
+                "High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.",
+                "Low": "Determine if Kerberos authentication is used on the server."
+            },
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json

@@ -0,0 +1,42 @@
+{
+    "id": "bundle--da039cb2-0553-4b45-b243-bbbcef385587",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-435",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/435.html"
+                },
+                {
+                    "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
+                    "external_id": "REF-348",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.social-engineer.org"
+                }
+            ],
+            "id": "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905",
+            "modified": "2014-06-23T00:00:00.000Z",
+            "name": "Target Influence via Instant Rapport",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030"
+            ],
+            "x_capec_domains": [
+                "Social Engineering"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json

@@ -0,0 +1,96 @@
+{
+    "id": "bundle--166a8c6c-2412-4410-bede-9eea8069da67",
+    "objects": [
+        {
+            "created": "2015-11-09T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-555",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/555.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-309",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/309.html"
+                },
+                {
+                    "external_id": "CWE-294",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/294.html"
+                },
+                {
+                    "external_id": "CWE-263",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/263.html"
+                },
+                {
+                    "external_id": "CWE-262",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/262.html"
+                },
+                {
+                    "external_id": "CWE-521",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/521.html"
+                },
+                {
+                    "description": "Remote Services",
+                    "external_id": "T1021",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1021"
+                },
+                {
+                    "description": "Email Collection:Remote Email Collection",
+                    "external_id": "T1114.002",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1114/002"
+                },
+                {
+                    "description": "External Remote Services",
+                    "external_id": "T1133",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1133"
+                }
+            ],
+            "id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Remote Services with Stolen Credentials",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.",
+                "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json

@@ -0,0 +1,29 @@
+{
+    "id": "bundle--d09b00cd-66be-4092-a8bf-3dd885546af6",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-13 : Subverting Environment Variable Values\". Please refer to this other CAPEC going forward.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-264",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/264.html"
+                }
+            ],
+            "id": "attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca",
+            "modified": "2017-05-01T00:00:00.000Z",
+            "name": "DEPRECATED: Environment Variable Manipulation",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json

@@ -0,0 +1,87 @@
+{
+    "id": "bundle--adb95240-6b88-4395-8777-7e2a6197220d",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-308",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-200",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/200.html"
+                },
+                {
+                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+                    "external_id": "REF-33",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "J. Postel, RFC768 - User Datagram Protocol, 1980--08---28",
+                    "external_id": "REF-158",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.faqs.org/rfcs/rfc768.html"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7",
+                    "external_id": "REF-34",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
+                    "external_id": "REF-130",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://phrack.org/issues/51/11.html"
+                }
+            ],
+            "id": "attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6",
+            "modified": "2022-02-22T00:00:00.000Z",
+            "name": "UDP Scan",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--9ca34308-a8e4-40b6-becd-3ff95bac628a"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Confidentiality": [
+                    "Other",
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ]
+            },
+            "x_capec_domains": [
+                "Communications",
+                "Software"
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p>An adversary sends UDP packets to target ports.</p></li><li> <p>An adversary uses the response from the target to determine the port's state. Whether a port responds to a UDP packet is dependant on what application is listening on that port. No response does not indicate the port is not open.</p></li></ol></div>",
+            "x_capec_extended_description": "\n            <xhtml:p>During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning.</xhtml:p>\n         ",
+            "x_capec_prerequisites": [
+                "The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply."
+            ],
+            "x_capec_resources_required": [
+                "The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb.json

@@ -0,0 +1,92 @@
+{
+    "id": "bundle--2ea1bdda-a06e-4a67-9a5f-a12e922a0e90",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-75",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/75.html"
+                },
+                {
+                    "external_id": "CWE-349",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/349.html"
+                },
+                {
+                    "external_id": "CWE-99",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/99.html"
+                },
+                {
+                    "external_id": "CWE-77",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/77.html"
+                },
+                {
+                    "external_id": "CWE-346",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/346.html"
+                },
+                {
+                    "external_id": "CWE-353",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/353.html"
+                },
+                {
+                    "external_id": "CWE-354",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/354.html"
+                },
+                {
+                    "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
+                    "external_id": "REF-1",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Manipulating Writeable Configuration Files",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_child_of_refs": [
+                "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Gain Privileges"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n               <xhtml:p>The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml</xhtml:p>\n               <xhtml:div style=\"margin-left:1em;\" class=\"informative\">< CustomRealm<xhtml:div style=\"margin-left:1em;\">ConfigurationData=\"java.util.Properties\"Name=\"CustomRealm\"RealmClassName=\"Maliciousrealm.jar\"/></xhtml:div>\n               </xhtml:div>\n               <xhtml:p>The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.</xhtml:p>\n            "
+            ],
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_prerequisites": [
+                "Configuration files must be modifiable by the attacker"
+            ],
+            "x_capec_skills_required": {
+                "Medium": "To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence"
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json

@@ -0,0 +1,116 @@
+{
+    "id": "bundle--de716e2a-a3d4-40b8-a3da-527be75f6a35",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-62",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/62.html"
+                },
+                {
+                    "external_id": "CWE-352",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/352.html"
+                },
+                {
+                    "external_id": "CWE-306",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/306.html"
+                },
+                {
+                    "external_id": "CWE-664",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/664.html"
+                },
+                {
+                    "external_id": "CWE-732",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/732.html"
+                },
+                {
+                    "external_id": "CWE-1275",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1275.html"
+                },
+                {
+                    "description": "Cross-Site Request Forgery",
+                    "external_id": "09",
+                    "source_name": "WASC",
+                    "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+                },
+                {
+                    "description": "Cross Site Request Forgery (CSRF)",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/csrf"
+                },
+                {
+                    "description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH",
+                    "external_id": "REF-62",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf"
+                },
+                {
+                    "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
+                    "external_id": "REF-602",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html"
+                }
+            ],
+            "id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d",
+            "modified": "2021-06-24T00:00:00.000Z",
+            "name": "Cross Site Request Forgery",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_alternate_terms": [
+                "Session Riding"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Gain Privileges"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges",
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n               <xhtml:p>While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.</xhtml:p>\n               <xhtml:p>The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.</xhtml:p>\n               <xhtml:p>The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.</xhtml:p>See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Explore target website: </b>The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server</td></tr><tr><td>Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server</td></tr><tr><td>View HTML source of web pages that contain links or buttons that perform actions of interest.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Create a link that when clicked on, will execute the interesting functionality.: </b>The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)</td></tr><tr><td>Create a form that will submit a POST request (e.g. <form method=\"POST\" action=\"https://www.somebank.com/members/transfer.asp\"><input type=\"hidden\" Name=\"to\" value=\"012345678901\"/><input type=\"hidden\" Name=\"amt\" value=\"10000\"/><input type=\"submit\" src=\"clickhere.jpg\"/></form></td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Convince user to click on link: </b>Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Execute a phishing attack and send the user an e-mail convincing them to click on a link.</td></tr><tr><td>Execute a stored XSS attack on a website to permanently embed the malicious link into the website.</td></tr><tr><td>Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.</td></tr><tr><td>Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.</td></tr></tbody></table></ol></div>",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_parent_of_refs": [
+                "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4"
+            ],
+            "x_capec_resources_required": [
+                "All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim."
+            ],
+            "x_capec_skills_required": {
+                "Medium": "The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json

@@ -0,0 +1,49 @@
+{
+    "id": "bundle--846f1965-3494-4a8f-af2b-e10356d8a807",
+    "objects": [
+        {
+            "created": "2017-01-12T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-583",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/583.html"
+                },
+                {
+                    "description": "Analysis of Country-wide Internet Outages Caused by Censorship, 2011, Center for Applied Internet Data Analysis",
+                    "external_id": "REF-464",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf"
+                }
+            ],
+            "id": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55",
+            "modified": "2019-09-30T00:00:00.000Z",
+            "name": "Disabling Network Hardware",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8"
+            ],
+            "x_capec_consequences": {
+                "Availability": [
+                    "Other (Denial of Service)"
+                ]
+            },
+            "x_capec_domains": [
+                "Hardware"
+            ],
+            "x_capec_prerequisites": [
+                "The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json

@@ -0,0 +1,73 @@
+{
+    "id": "bundle--acca830b-0515-460e-80ab-4681e294b274",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-385",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/385.html"
+                },
+                {
+                    "external_id": "CWE-471",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/471.html"
+                },
+                {
+                    "external_id": "CWE-345",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/345.html"
+                },
+                {
+                    "external_id": "CWE-346",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/346.html"
+                },
+                {
+                    "external_id": "CWE-602",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/602.html"
+                },
+                {
+                    "external_id": "CWE-311",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/311.html"
+                },
+                {
+                    "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18",
+                    "external_id": "REF-327",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731",
+            "modified": "2021-06-24T00:00:00.000Z",
+            "name": "Transaction or Event Tampering via Application API Manipulation",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a"
+            ],
+            "x_capec_domains": [
+                "Communications",
+                "Software"
+            ],
+            "x_capec_prerequisites": [
+                "Targeted software is utilizing application framework APIs"
+            ],
+            "x_capec_resources_required": [
+                "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67.json

@@ -0,0 +1,70 @@
+{
+    "id": "bundle--8340da62-8f2a-4c99-a71c-1d8f3bc6323f",
+    "objects": [
+        {
+            "created": "2023-01-24T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-699",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/699.html"
+                },
+                {
+                    "external_id": "CWE-1300",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1300.html"
+                },
+                {
+                    "description": "TempestSDR: An SDR Tool For Eavesdropping on Computer Screens Via Unintentionally Radiated RF",
+                    "external_id": "REF-744",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/"
+                },
+                {
+                    "description": "Dan Maloney, Exposing Computer Monitor Side-Channel Vulnerabilities with TempestSDR",
+                    "external_id": "REF-745",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://hackaday.com/2020/07/15/exposing-computer-monitor-side-channel-vulnerabilities-with-tempestsdr/"
+                }
+            ],
+            "id": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67",
+            "modified": "2023-01-24T00:00:00.000Z",
+            "name": "Eavesdropping on a Monitor",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_child_of_refs": [
+                "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8"
+            ],
+            "x_capec_consequences": {
+                "Confidentiality": [
+                    "Read Data"
+                ]
+            },
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey Target: </b>The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Find target using SDR: </b>The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Visualize Monitor Image: </b>Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer.</td></tr></tbody></table></ol></div>",
+            "x_capec_extended_description": "\n            <xhtml:p>This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.</xhtml:p>\n            <xhtml:p>The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.</xhtml:p>\n            <xhtml:p>From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode.</xhtml:p>\n         ",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "Victim should use an external monitor device",
+                "Physical access to the target location and devices"
+            ],
+            "x_capec_resources_required": [
+                "SDR device set with the correspondent antenna",
+                "Computer with SDR Software"
+            ],
+            "x_capec_skills_required": {
+                "Low": "Understanding of computing hardware, to identify the video cable and video ports",
+                "Medium": "Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked"
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json

@@ -0,0 +1,110 @@
+{
+    "id": "bundle--5e35451a-bdcf-469a-b35e-217164fc7416",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-81",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/81.html"
+                },
+                {
+                    "external_id": "CWE-117",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/117.html"
+                },
+                {
+                    "external_id": "CWE-93",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/93.html"
+                },
+                {
+                    "external_id": "CWE-75",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/75.html"
+                },
+                {
+                    "external_id": "CWE-221",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/221.html"
+                },
+                {
+                    "external_id": "CWE-96",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/96.html"
+                },
+                {
+                    "external_id": "CWE-20",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/20.html"
+                },
+                {
+                    "external_id": "CWE-150",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/150.html"
+                },
+                {
+                    "external_id": "CWE-276",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/276.html"
+                },
+                {
+                    "external_id": "CWE-279",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/279.html"
+                },
+                {
+                    "external_id": "CWE-116",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/116.html"
+                },
+                {
+                    "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
+                    "external_id": "REF-1",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Web Server Logs Tampering",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116"
+            ],
+            "x_capec_consequences": {
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network."
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine Application Web Server Log File Format: </b>The attacker observes the system and looks for indicators of which logging utility is being used by the web server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Determine Injectable Content: </b>The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Manipulate Log Files: </b>The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>\n                  <xhtml:p>Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.</xhtml:p>\n                  <xhtml:p>For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n               </td></tr><tr><td>\n                  <xhtml:p>Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.</xhtml:p>\n                  <xhtml:p>For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n               </td></tr><tr><td>Directly through log file or database manipulation, modify existing log entries.</td></tr></tbody></table></ol></div>",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "Target server software must be a HTTP server that performs web logging."
+            ],
+            "x_capec_resources_required": [
+                "Ability to send specially formatted HTTP request to web server"
+            ],
+            "x_capec_skills_required": {
+                "Low": "To input faked entries into Web logs"
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json

@@ -0,0 +1,84 @@
+{
+    "id": "bundle--2f7ae244-5d8b-45d0-b28a-06555424ecba",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-170",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/170.html"
+                },
+                {
+                    "external_id": "CWE-497",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/497.html"
+                },
+                {
+                    "description": "Saumil Shah, An Introduction to HTTP fingerprinting",
+                    "external_id": "REF-36",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.net-square.com/httprint_paper.html"
+                },
+                {
+                    "description": "OWASP Web Security Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)",
+                    "external_id": "REF-37",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework"
+                },
+                {
+                    "description": "HTTP 1.1 Specification (RFC 2616), IETF RFC",
+                    "external_id": "REF-38",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.ietf.org/rfc/rfc2616.txt"
+                },
+                {
+                    "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
+                    "external_id": "REF-39",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://projects.webappsec.org/Fingerprinting"
+                }
+            ],
+            "id": "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Web Application Fingerprinting",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290"
+            ],
+            "x_capec_consequences": {
+                "Confidentiality": [
+                    "Other (Information Leakage)"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n               <xhtml:p>An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.</xhtml:p>\n               <xhtml:b>Response from Apache 1.3.23</xhtml:b>\n               <xhtml:div style=\"margin-left:1em;\" class=\"informative\">$ nc apache.server.com80 GET / HTTP/3.0\n                  HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1</xhtml:div>\n               <xhtml:b>Response from IIS 5.0</xhtml:b>\n               <xhtml:div style=\"margin-left:1em;\" class=\"informative\">$ nc iis.server.com 80GET / HTTP/3.0\n                  HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133</xhtml:div>\n               <xhtml:p>[REF-37]</xhtml:p>\n            "
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Request fingerprinting: </b>Use automated tools or send web server specific commands to web server and wait for server's response.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use automated tools or send web server specific commands to web server and then receive server's response.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Increase the accuracy of server fingerprinting of Web servers: </b>Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities.</td></tr><tr><td>Send bad requests or requests of nonexistent pages to the server.</td></tr><tr><td>Attacker takes existing automated tools to recognize the type and the version of the web server in use.</td></tr></tbody></table><li> <p> <b>Identify Web Application Software: </b>After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server.</td></tr><tr><td>Examine the HTTP Response Headers. This may leak information about software signatures</td></tr><tr><td>Examine Cookies that may contain server's software information.</td></tr><tr><td>Check error pages.</td></tr></tbody></table><li> <p> <b>Identify Backend Database Version: </b>Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use tools to send bogus SQL query to the server and check error pages.</td></tr></tbody></table></ol></div>",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_prerequisites": [
+                "Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack."
+            ],
+            "x_capec_resources_required": [
+                "While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected."
+            ],
+            "x_capec_skills_required": {
+                "Low": "Attacker knows how to send HTTP request, SQL query to a web application."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json

@@ -0,0 +1,55 @@
+{
+    "id": "bundle--fdfdc2b9-1600-4cde-b9e8-6a591b35740f",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-543",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/543.html"
+                },
+                {
+                    "description": "Masquerading: Match Legitimate Name or Location",
+                    "external_id": "T1036.005",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1036/005"
+                }
+            ],
+            "id": "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Counterfeit Websites",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_can_follow_refs": [
+                "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2",
+                "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf",
+                "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f",
+                "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501",
+                "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896"
+            ],
+            "x_capec_can_precede_refs": [
+                "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5"
+            ],
+            "x_capec_domains": [
+                "Social Engineering"
+            ],
+            "x_capec_prerequisites": [
+                "None"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json

@@ -0,0 +1,57 @@
+{
+    "id": "bundle--7b20b768-0707-4aa2-b71f-06e623a4cb00",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple \"files\" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-168",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/168.html"
+                },
+                {
+                    "external_id": "CWE-212",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/212.html"
+                },
+                {
+                    "external_id": "CWE-69",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/69.html"
+                },
+                {
+                    "description": "Windows alternate data stream",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/Windows_alternate_data_stream"
+                }
+            ],
+            "id": "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112",
+            "modified": "2020-12-17T00:00:00.000Z",
+            "name": "Windows ::DATA Alternate Data Stream",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_prerequisites": [
+                "The target must be running the Microsoft NTFS file system."
+            ],
+            "x_capec_resources_required": [
+                "The attacker must have command line or programmatic access to the target's files system with write/read permissions."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3.json

@@ -0,0 +1,29 @@
+{
+    "id": "bundle--9c23af26-b581-44a2-89aa-c1f7f893926d",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-65 : Sniff Application Code\". Please refer to this other CAPEC going forward.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-259",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/259.html"
+                }
+            ],
+            "id": "attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3",
+            "modified": "2017-08-04T00:00:00.000Z",
+            "name": "DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json

@@ -0,0 +1,46 @@
+{
+    "id": "bundle--4d7e6793-b3bc-4a92-96ca-fc95d834d373",
+    "objects": [
+        {
+            "created": "2015-11-09T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-626",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/626.html"
+                }
+            ],
+            "id": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459",
+            "modified": "2019-09-30T00:00:00.000Z",
+            "name": "Smudge Attack",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism"
+                ]
+            },
+            "x_capec_domains": [
+                "Physical Security"
+            ],
+            "x_capec_prerequisites": [
+                "The attacker must have physical access to the device."
+            ],
+            "x_capec_skills_required": {
+                "Medium": "The attacker must know how to make use of these smudges."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json

@@ -0,0 +1,87 @@
+{
+    "id": "bundle--a33feb37-d5fc-4db7-b136-45158b8c7eae",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-329",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/329.html"
+                },
+                {
+                    "external_id": "CWE-200",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/200.html"
+                },
+                {
+                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+                    "external_id": "REF-33",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
+                    "external_id": "REF-123",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.faqs.org/rfcs/rfc792.html"
+                },
+                {
+                    "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10",
+                    "external_id": "REF-124",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.faqs.org/rfcs/rfc1122.html"
+                },
+                {
+                    "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group",
+                    "external_id": "REF-262",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf"
+                }
+            ],
+            "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247",
+            "modified": "2022-02-22T00:00:00.000Z",
+            "name": "ICMP Error Message Quoting Probe",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Confidentiality": [
+                    "Read Data",
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_extended_description": "\n            <xhtml:p>For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.</xhtml:p>\n            <xhtml:p>This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.</xhtml:p>\n         ",
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
+            ],
+            "x_capec_resources_required": [
+                "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json

@@ -0,0 +1,64 @@
+{
+    "id": "bundle--d630fe85-698a-4959-8ba0-64319c6b597c",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-501",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/501.html"
+                },
+                {
+                    "external_id": "CWE-923",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/923.html"
+                },
+                {
+                    "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)",
+                    "external_id": "REF-427",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf"
+                }
+            ],
+            "id": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4",
+            "modified": "2021-10-21T00:00:00.000Z",
+            "name": "Android Activity Hijack",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4",
+                "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8"
+            ],
+            "x_capec_consequences": {
+                "Confidentiality": [
+                    "Read Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software",
+                "Software"
+            ],
+            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Find an android application that uses implicit intents: </b>Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Create a malicious app: </b>The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter</td></tr></tbody></table><li> <p> <b>Get user to download malicious app: </b>The adversary must get a user using the targeted app to download the malicious app by any means necessary</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Gather sensitive data through malicious app: </b>Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Gather login information from a user using a malicious app</td></tr></tbody></table></ol></div>",
+            "x_capec_prerequisites": [
+                "The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity."
+            ],
+            "x_capec_resources_required": [
+                "Malware capable of acting on the adversary's objectives."
+            ],
+            "x_capec_skills_required": {
+                "High": "The adversary must typically overcome network and host defenses in order to place malware on the system."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json

@@ -0,0 +1,53 @@
+{
+    "id": "bundle--0a006e5e-ce77-4270-a01c-eafbfe068116",
+    "objects": [
+        {
+            "created": "2015-11-09T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-613",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/613.html"
+                },
+                {
+                    "external_id": "CWE-201",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/201.html"
+                },
+                {
+                    "external_id": "CWE-300",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/300.html"
+                }
+            ],
+            "id": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088",
+            "modified": "2019-09-30T00:00:00.000Z",
+            "name": "WiFi SSID Tracking",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c"
+            ],
+            "x_capec_domains": [
+                "Communications",
+                "Software"
+            ],
+            "x_capec_prerequisites": [
+                "None"
+            ],
+            "x_capec_skills_required": {
+                "Low": "Open source and commercial software tools are available and open databases of known WiFi SSID addresses are available online."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json

@@ -0,0 +1,29 @@
+{
+    "id": "bundle--2ad6b4ba-4549-4dd2-bc9b-b9f4c3c567c4",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-257",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/257.html"
+                }
+            ],
+            "id": "attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf",
+            "modified": "2018-07-31T00:00:00.000Z",
+            "name": "DEPRECATED: Abuse of Transaction Data Structure",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json

@@ -0,0 +1,85 @@
+{
+    "id": "bundle--a3bf3520-5f52-4328-971d-a978a4de3dc0",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-324",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/324.html"
+                },
+                {
+                    "external_id": "CWE-200",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/200.html"
+                },
+                {
+                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+                    "external_id": "REF-33",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
+                    "external_id": "REF-128",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.faqs.org/rfcs/rfc793.html"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC",
+                    "external_id": "REF-212",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
+                    "external_id": "REF-130",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://phrack.org/issues/51/11.html"
+                }
+            ],
+            "id": "attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1",
+            "modified": "2018-07-31T00:00:00.000Z",
+            "name": "TCP (ISN) Sequence Predictability Probe",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Confidentiality": [
+                    "Read Data",
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_prerequisites": [
+                "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
+            ],
+            "x_capec_resources_required": [
+                "A tool capable of sending and receiving packets from a remote system."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json

@@ -0,0 +1,59 @@
+{
+    "id": "bundle--bd4bd57c-622a-4776-8dee-6cf204fcd9de",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-240",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/240.html"
+                },
+                {
+                    "external_id": "CWE-99",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/99.html"
+                },
+                {
+                    "description": "Resource Injection",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/Resource_Injection"
+                }
+            ],
+            "id": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3",
+            "modified": "2020-12-17T00:00:00.000Z",
+            "name": "Resource Injection",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_consequences": {
+                "Confidentiality": [
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Communications",
+                "Software"
+            ],
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_parent_of_refs": [
+                "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4"
+            ],
+            "x_capec_prerequisites": [
+                "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)"
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json

@@ -0,0 +1,65 @@
+{
+    "id": "bundle--f5965262-a64c-465b-8d62-96b3d3ad1008",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-438",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/438.html"
+                },
+                {
+                    "description": "Supply Chain Compromise",
+                    "external_id": "T1195",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1195"
+                },
+                {
+                    "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)",
+                    "external_id": "REF-379",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf"
+                },
+                {
+                    "description": "Marcus Sachs, Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization, Verizon, Inc.",
+                    "external_id": "REF-380",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Thea Reilkoff, Hardware Trojans: A Novel Attack Meets a New Defense, 2010, Yale School of Engineering and Applied Science",
+                    "external_id": "REF-381",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology",
+                    "external_id": "REF-382",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4",
+            "modified": "2021-06-24T00:00:00.000Z",
+            "name": "Modification During Manufacture",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_domains": [
+                "Supply Chain",
+                "Software",
+                "Hardware"
+            ],
+            "x_capec_parent_of_refs": [
+                "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d",
+                "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json

@@ -0,0 +1,53 @@
+{
+    "id": "bundle--5689cc74-34df-4969-a05e-a8873b3fbae5",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-441",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/441.html"
+                },
+                {
+                    "external_id": "CWE-284",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/284.html"
+                }
+            ],
+            "id": "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068",
+            "modified": "2018-07-31T00:00:00.000Z",
+            "name": "Malicious Logic Insertion",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_consequences": {
+                "Authorization": [
+                    "Execute Unauthorized Commands"
+                ]
+            },
+            "x_capec_domains": [
+                "Software",
+                "Hardware"
+            ],
+            "x_capec_likelihood_of_attack": "Medium",
+            "x_capec_parent_of_refs": [
+                "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38",
+                "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239",
+                "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3"
+            ],
+            "x_capec_prerequisites": [
+                "Access to the component currently deployed at a victim location."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json

@@ -0,0 +1,58 @@
+{
+    "id": "bundle--99c9f361-5e1c-43cb-a352-53633f050e9b",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-274",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/274.html"
+                },
+                {
+                    "external_id": "CWE-302",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/302.html"
+                },
+                {
+                    "external_id": "CWE-654",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/654.html"
+                },
+                {
+                    "description": "Arshan Dabirsiaghi, Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application, Aspect Security",
+                    "external_id": "REF-118",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf"
+                }
+            ],
+            "id": "attack-pattern--13d1d169-0023-41e2-952f-7d794844733b",
+            "modified": "2019-09-30T00:00:00.000Z",
+            "name": "HTTP Verb Tampering",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_prerequisites": [
+                "The targeted system must attempt to filter access based on the HTTP verb used in requests."
+            ],
+            "x_capec_resources_required": [
+                "The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server."
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Medium",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}

cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json

@@ -0,0 +1,51 @@
+{
+    "id": "bundle--10793f96-eabc-406f-85f1-25ea3bd8a085",
+    "objects": [
+        {
+            "created": "2015-11-09T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-551",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/551.html"
+                },
+                {
+                    "external_id": "CWE-284",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/284.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "description": "Create or Modify System Process",
+                    "external_id": "T1543",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1543"
+                }
+            ],
+            "id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Modify Existing Service",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "spec_version": "2.0",
+    "type": "bundle"
+}