{
  "@context": {
    "d3f": "http://d3fend.mitre.org/ontologies/d3fend.owl#",
    "dbr": "http://dbpedia.org/resource/",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "owl": "http://www.w3.org/2002/07/owl#",
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
    "skos": "http://www.w3.org/2004/02/skos/core#",
    "xml": "http://www.w3.org/XML/1998/namespace",
    "xsd": "http://www.w3.org/2001/XMLSchema#"
  },
  "@graph": [
    {
      "@id": "d3f:MemoryPool",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "Memory pools, also called fixed-size blocks allocation, is the use of pools for memory management… preallocating a number of memory blocks with the same size called the memory pool. The application can allocate, access, and free blocks represented by handles at run time.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Memory_pool",
      "rdfs:label": "Memory Pool",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryExtent"
        },
        {
          "@id": "_:N46128b17e5ff46ed9b1c2cb7ef8f29ce"
        }
      ]
    },
    {
      "@id": "_:N46128b17e5ff46ed9b1c2cb7ef8f29ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:CWE-426",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-426",
      "rdfs:label": "Untrusted Search Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-642"
        },
        {
          "@id": "d3f:CWE-673"
        }
      ]
    },
    {
      "@id": "d3f:CWE-774",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-774",
      "rdfs:label": "Allocation of File Descriptors or Handles Without Limits or Throttling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-770"
      }
    },
    {
      "@id": "d3f:CWE-527",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-527",
      "rdfs:label": "Exposure of Version-Control Repository to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:T1171",
      "@type": "owl:Class",
      "d3f:attack-id": "T1171",
      "rdfs:label": "LLMNR/NBT-NS Poisoning and Relay",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-770",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-770",
      "rdfs:label": "Allocation of Resources Without Limits or Throttling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-400"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:implemented-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:implements"
      },
      "rdfs:label": "implemented-by",
      "rdfs:range": {
        "@id": "d3f:CapabilityImplementation"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:PlatformHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-PH",
      "d3f:definition": "Hardening components of a Platform with the intention of making them more difficult to exploit.\n\nPlatforms include components such as:\n* BIOS UEFI Subsystems\n* Hardware security devices such as Trusted Platform Modules\n* Boot process logic or code\n* Kernel software components",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:synonym": [
        "Endpoint Hardening",
        "System Hardening"
      ],
      "rdfs:label": "Platform Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nd218fa1e51b14baeb32d523b8eaf66a4"
        }
      ]
    },
    {
      "@id": "_:Nd218fa1e51b14baeb32d523b8eaf66a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:CCI-002397_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002397"
    },
    {
      "@id": "d3f:CWE-62",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-62",
      "rdfs:label": "UNIX Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:T1574.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.006",
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "LD_PRELOAD",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N4977d3f3fe47473e860c841308897691"
        }
      ]
    },
    {
      "@id": "_:N4977d3f3fe47473e860c841308897691",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:CWE-314",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-314",
      "rdfs:label": "Cleartext Storage in the Registry",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:T1560.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.003",
      "d3f:creates": {
        "@id": "d3f:CustomArchiveFile"
      },
      "rdfs:label": "Archive via Custom Method",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:N20b571a1ffeb4dd4971ca92b22c1c415"
        }
      ]
    },
    {
      "@id": "_:N20b571a1ffeb4dd4971ca92b22c1c415",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CustomArchiveFile"
      }
    },
    {
      "@id": "d3f:Reference-SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191563A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that is capable of defining what constitutes the normal behavior for any given hosts and quickly find anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; David Lopes Pegna",
      "d3f:kb-mitre-analysis": "Determination of anomalous data transfers is performed over a given time period. For example, a check of a pull vs. push data ratio can be established over a specific time period, e.g., over a three-hour period, over a one day period, over a one week period, etc.\n\nThe system can also establish a baseline behavior for data exchange for each host in terms of pull vs. push data ratio for each resource contacted by the host.\n\nNetwork packet capture data is collected and metadata is extracted. Aggregate data push/pull information from the metadata is then analyzed for a given host versus specific client to server relationships. This technique can potentially catch lateral data transfers, and may have filtering on alerting logic to only raise alarms when external hosts receive large data transfers.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PerHostDownload-UploadRatioAnalysis"
      },
      "d3f:kb-reference-title": "System for detecting threats using scenario-based tracking of internal and external network traffic",
      "rdfs:label": "Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:Process",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessImage"
      },
      "d3f:definition": "A process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. A computer program is a passive collection of instructions, while a process is the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed.",
      "d3f:instructed-by": {
        "@id": "d3f:Software"
      },
      "d3f:may-execute": {
        "@id": "d3f:Thread"
      },
      "d3f:process-image-path": {
        "@id": "d3f:ExecutableBinary"
      },
      "d3f:process-user": {
        "@id": "d3f:UserAccount"
      },
      "d3f:uses": {
        "@id": "d3f:Resource"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Process_(computing)"
      },
      "rdfs:label": "Process",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N5e0046276a1a40d5ae01d3b97843132f"
        },
        {
          "@id": "_:N96dd7111b14a46cf88e33c936e191782"
        },
        {
          "@id": "_:Nf05e597c0ac94ea8b7ecc4a4f4eadc1e"
        },
        {
          "@id": "_:N190f1bd1fa4b4c71b1ebede77ca9f7a8"
        },
        {
          "@id": "_:N938376dd7629413f936a73847b923057"
        },
        {
          "@id": "_:N17b0b3e3bdb3407ba78fe587ca783996"
        },
        {
          "@id": "_:Ndcceb5e613aa4f8a840952c489f01f60"
        },
        {
          "@id": "_:N08753b97fede4024bf454b854e4a14dd"
        },
        {
          "@id": "_:N8095dca66d6047a8abb009c227479e52"
        },
        {
          "@id": "_:N4f0cba56ac9d4a658c706d47db391a14"
        }
      ]
    },
    {
      "@id": "_:N5e0046276a1a40d5ae01d3b97843132f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessImage"
      }
    },
    {
      "@id": "_:N96dd7111b14a46cf88e33c936e191782",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:Nf05e597c0ac94ea8b7ecc4a4f4eadc1e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-execute"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "_:N190f1bd1fa4b4c71b1ebede77ca9f7a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-image-path"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N938376dd7629413f936a73847b923057",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-user"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N17b0b3e3bdb3407ba78fe587ca783996",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "_:Ndcceb5e613aa4f8a840952c489f01f60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-command-line-arguments"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N08753b97fede4024bf454b854e4a14dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-environmental-variables"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N8095dca66d6047a8abb009c227479e52",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-identifier"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:integer"
      }
    },
    {
      "@id": "_:N4f0cba56ac9d4a658c706d47db391a14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-security-context"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:FileAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:LocalResourceAccess"
      },
      "d3f:d3fend-id": "D3-FAPA",
      "d3f:definition": "Analyzing the files accessed by a process to identify unauthorized activity.",
      "d3f:kb-article": "## How it works\nFile-modifying malware such as wipers and ransomware is detected by identifying file access patterns that are associated with a malicious process. Examples of file access patterns include accessing a large number of files, accessing multiple file types, accessing files located in multiple locations in a directory, and copying a file and encrypting the contents of that file into a copy.\n\n## Considerations\nCertain file access actions may not be statistically different from authorized activity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc"
      },
      "rdfs:label": "File Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N6259f418f7be48bebe7ef18f0ead9e11"
        }
      ]
    },
    {
      "@id": "_:N6259f418f7be48bebe7ef18f0ead9e11",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResourceAccess"
      }
    },
    {
      "@id": "d3f:Reference-SMBCopyAndExecution_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-005/"
      },
      "d3f:kb-abstract": "An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.\n\nThis can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. %SYSTEMROOT%\\system32) to gain a higher detection rate.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-005: SMB Copy and Execution",
      "rdfs:label": "Reference - CAR-2013-05-005: SMB Copy and Execution - MITRE"
    },
    {
      "@id": "d3f:StringPatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SPM",
      "d3f:definition": "String pattern-matching algorithms, also known as string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text.",
      "d3f:kb-article": "## How it works\nA basic example of string searching is when the pattern and the searched text are arrays of elements of an alphabet (finite set) Σ. Σ may be a human language alphabet, for example, the letters A through Z and other applications may use a binary alphabet (Σ = {0,1}) or a DNA alphabet (Σ = {A,C,G,T}) in bioinformatics.\n\nIn practice, the method of feasible string-search algorithm may be affected by the string encoding. In particular, if a variable-width encoding is in use, then it may be slower to find the Nth character, perhaps requiring time proportional to N. This may significantly slow some search algorithms. One of many possible solutions is to search for the sequence of code units instead, but doing so may produce false matches unless the encoding is specifically designed to avoid it.\n\n## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
      "rdfs:label": "String Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PatternMatching"
      }
    },
    {
      "@id": "d3f:CCI-002710_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002710"
    },
    {
      "@id": "d3f:CCI-001199_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:FileEncryption"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:LocalFilePermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the confidentiality and/or integrity of organization-defined information at rest.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001199"
    },
    {
      "@id": "d3f:InboundInternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet traffic is network traffic from a host outside a given network initiated on an incoming connection to a host inside that network.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Inbound Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundNetworkTraffic"
        },
        {
          "@id": "d3f:InternetNetworkTraffic"
        },
        {
          "@id": "_:Nf3f293fa3c944db3a2ed66fbbd577312"
        }
      ]
    },
    {
      "@id": "_:Nf3f293fa3c944db3a2ed66fbbd577312",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1168",
      "@type": "owl:Class",
      "d3f:attack-id": "T1168",
      "rdfs:label": "Local Job Scheduling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1124",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1124",
      "rdfs:label": "Excessively Deep Nesting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1505.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1505.005",
      "rdfs:label": "Terminal Services DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:T1505"
      }
    },
    {
      "@id": "d3f:CWE-463",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-463",
      "rdfs:label": "Deletion of Data Structure Sentinel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:UserProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user process is a process running to perform functions in the name of one particular user and user account, such as running an application or application service serving any number of users. This is in contrast to a system process, which executes software to fulfill operating system functions.",
      "rdfs:label": "User Process",
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:MultivariateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MA",
      "d3f:definition": "Multivariate statistics encompasses the simultaneous observation and analysis of more than one outcome variable, i.e., multivariate random variables.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "rdfs:label": "Multivariate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:d3fend-use-case-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:T1613",
      "@type": "owl:Class",
      "d3f:attack-id": "T1613",
      "rdfs:label": "Container and Resource Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1044",
      "@type": "owl:Class",
      "d3f:attack-id": "T1044",
      "rdfs:label": "File System Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ContainerOrchestrationSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A d3f:Software which manages and coordinates running one or more d3f:ContainerProcess.",
      "rdfs:label": "Container Orchestration Software",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:CWE-789",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-789",
      "rdfs:label": "Memory Allocation with Excessive Size Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1284"
        },
        {
          "@id": "d3f:CWE-770"
        }
      ]
    },
    {
      "@id": "d3f:CWE-444",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-444",
      "rdfs:label": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:TrustStore",
      "@type": "owl:Class",
      "d3f:definition": "Stores public information necessary to determine if another party can be trusted.",
      "rdfs:label": "Trust Store",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Public_key_certificate"
        },
        {
          "@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-749",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-749",
      "rdfs:label": "Exposed Dangerous Method or Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Generation",
      "@type": "owl:Class",
      "rdfs:label": "Media Generation",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:CWE-114",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-114",
      "rdfs:label": "Process Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-73"
      }
    },
    {
      "@id": "d3f:copies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x copies y: A technique or agent x reproduces or makes an exact copy of some digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01738810-v"
      },
      "rdfs:label": "copies",
      "rdfs:subPropertyOf": {
        "@id": "d3f:creates"
      }
    },
    {
      "@id": "d3f:CCI-000056_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000056"
    },
    {
      "@id": "d3f:CWE-540",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-540",
      "rdfs:label": "Inclusion of Sensitive Information in Source Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:T1098.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.005",
      "rdfs:label": "Device Registration",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:T1016",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1016",
      "d3f:may-execute": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetSystemNetworkConfigValue"
        }
      ],
      "rdfs:label": "System Network Configuration Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N9369fbe4b5ca476391679b9efd88e0b0"
        },
        {
          "@id": "_:Nc31a9b2a8b214bdc9c1cbaeec0f1cc8b"
        },
        {
          "@id": "_:N420f8602e34c43559c1fc53b7e3345ce"
        }
      ]
    },
    {
      "@id": "_:N9369fbe4b5ca476391679b9efd88e0b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-execute"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:Nc31a9b2a8b214bdc9c1cbaeec0f1cc8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N420f8602e34c43559c1fc53b7e3345ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemNetworkConfigValue"
      }
    },
    {
      "@id": "d3f:CWE-40",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-40",
      "rdfs:label": "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:next",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "next",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:LinuxExecveat",
      "@type": "owl:Class",
      "d3f:definition": "Execute program relative to a directory file descriptor. Behavior is similar to Linux Execve.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/execveat.2.html",
      "rdfs:label": "Linux Execveat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIExec"
      }
    },
    {
      "@id": "d3f:WebServerApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web server application (or web app) is an application software that runs on a web server, unlike computer-based software programs that are stored locally on the Operating System (OS) of the device. Web applications are accessed by the user through a web browser with an active internet connection. These applications are programmed using a client-server modeled structure: the user (\"client\") is provided services through an off-site server that is hosted by a third-party. Examples of commonly used web applications include: web-mail, online retail sales, online banking, and online auctions.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_application"
      },
      "rdfs:label": "Web Server Application",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      },
      "skos:altLabel": [
        "Web Application",
        "Web App"
      ]
    },
    {
      "@id": "d3f:CWE-1230",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1230",
      "rdfs:label": "Exposure of Sensitive Information Through Metadata",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:CWE-224",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-224",
      "rdfs:label": "Obscured Security-relevant Information by Alternate Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:GetOpenWindows",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get Open Windows",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:Reference-GS_BufferSecurityCheck_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=vs-2019"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft Docs",
      "d3f:kb-reference-of": {
        "@id": "d3f:StackFrameCanaryValidation"
      },
      "d3f:kb-reference-title": "/GS (Buffer Security Check)",
      "rdfs:label": "Reference - /GS (Buffer Security Check) - Microsoft Docs"
    },
    {
      "@id": "d3f:CCI-000193_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of lower case characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000193"
    },
    {
      "@id": "d3f:T1548.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.003",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "Sudo and Sudo Caching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:Nd0c470254f3f41dfad7a1aea2a0707b7"
        },
        {
          "@id": "_:Nf10fcb4ce1634290a4a9267243769c6f"
        }
      ]
    },
    {
      "@id": "_:Nd0c470254f3f41dfad7a1aea2a0707b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:Nf10fcb4ce1634290a4a9267243769c6f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:CWE-499",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-499",
      "rdfs:label": "Serializable Class Containing Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Microcode",
      "@type": "owl:Class",
      "d3f:definition": "Microcode is a computer hardware technique that interposes a layer of organization between the CPU hardware and the programmer-visible instruction set architecture of the computer. As such, the microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal state machine sequencing in many digital processing elements.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Microcode"
      },
      "rdfs:label": "Microcode",
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:CWE-680",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-680",
      "rdfs:label": "Integer Overflow to Buffer Overflow",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateNamedPipeFile",
      "@type": "owl:Class",
      "d3f:definition": "Creates Named Pipe File Object.",
      "rdfs:label": "Windows NtCreateNamedPipeFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Same functionality as Linux Open but slight differences in parameter.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/openat.2.html",
      "rdfs:label": "Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:T1556.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556.002",
      "d3f:creates": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Password Filter DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1556"
        },
        {
          "@id": "_:Nbe36e2546a5b498e824144f6b32fda85"
        },
        {
          "@id": "_:N6937eca35caf430b943d641acb7c45d6"
        }
      ]
    },
    {
      "@id": "_:Nbe36e2546a5b498e824144f6b32fda85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N6937eca35caf430b943d641acb7c45d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:DataLinkLink",
      "@type": "owl:Class",
      "d3f:definition": "A communication link between two network devices connected directly at the physical layer and on the same network segment; i.e., an OSI Layer 2 link.",
      "d3f:synonym": [
        "Data Link Layer Link",
        "Layer-2 Link",
        "Link Layer Link"
      ],
      "rdfs:label": "Data Link Link",
      "rdfs:seeAlso": "https://dbpedia.org/resource/Link_layer",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:Estimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EST",
      "d3f:definition": "Estimation represents ways or a process of learning and determining the population parameter based on the model fitted to the data.",
      "d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
      "rdfs:label": "Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:InferentialStatistics"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4"
    },
    {
      "@id": "d3f:T1571",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1571",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Non-Standard Port",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N2fe33f2d207344dfb4d45ad205d587e8"
        }
      ]
    },
    {
      "@id": "_:N2fe33f2d207344dfb4d45ad205d587e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CommandHistoryLogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:CommandHistoryLog"
      },
      "d3f:definition": "A command history log file is a file containing a command history, which is the history of commands run in an operating system shell.",
      "rdfs:label": "Command History Log File",
      "rdfs:seeAlso": {
        "@id": "dbr:Command_history"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogFile"
        },
        {
          "@id": "_:N8ae1197f82264b15824897c2aa198684"
        }
      ]
    },
    {
      "@id": "_:N8ae1197f82264b15824897c2aa198684",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:AcademicPaperReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Academic Paper",
      "rdfs:label": "Academic Paper Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:T1539",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SessionCookie"
      },
      "d3f:attack-id": "T1539",
      "rdfs:label": "Steal Web Session Cookie",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Ndf79b4664e7446599d778829985131e8"
        }
      ]
    },
    {
      "@id": "_:Ndf79b4664e7446599d778829985131e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "d3f:MessageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-MA",
      "d3f:definition": "Analyzing email or instant message content to detect unauthorized activity.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\nEmail and messaging are frequently used to deliver malicious content to targets. These enterprise capabilities are used to deliver software exploits or social engineering tricks. If the recipient of a message trusts the sender, attackers can avoid escalating suspicion.\n\nEmails and messages are also complex data structures. They contain files and links, and complex data encodings which vary region to region. Thus the defensive techniques used to analyze emails and messages are highly varied ranging from deep content analysis and execution to social network graph-style analytics to analyze trust or risk.",
      "d3f:synonym": [
        "Electronic Message Analysis",
        "Email Or Messaging Analysis"
      ],
      "rdfs:label": "Message Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Ne9c303596189405dabca87402c995b02"
        }
      ]
    },
    {
      "@id": "_:Ne9c303596189405dabca87402c995b02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:CWE-1099",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1099",
      "rdfs:label": "Inconsistent Naming Conventions for Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:SoftwareUpdate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-SU",
      "d3f:definition": "Replacing old software on a computer system component.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines"
      },
      "d3f:updates": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Update",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:Nd8dff35e361e44fea1fa5c57ec1cf111"
        }
      ]
    },
    {
      "@id": "_:Nd8dff35e361e44fea1fa5c57ec1cf111",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:updates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1071.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.003",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetMailTraffic"
      },
      "rdfs:label": "Mail Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:Nde336009cc2a4b8d80df3c8a34b226b2"
        }
      ]
    },
    {
      "@id": "_:Nde336009cc2a4b8d80df3c8a34b226b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetMailTraffic"
      }
    },
    {
      "@id": "d3f:CWE-842",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-842",
      "rdfs:label": "Placement of User into Incorrect Group",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-286"
      }
    },
    {
      "@id": "d3f:CCI-000417_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "d3f:NetworkIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables network access by unauthorized components/devices or notifies designated organizational officials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000417"
    },
    {
      "@id": "d3f:CCI-001262_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001262"
    },
    {
      "@id": "d3f:CWE-1122",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1122",
      "rdfs:label": "Excessive Halstead Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:BayesianMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BM",
      "d3f:definition": "Bayesian analysis is a statistical procedure which endeavors to estimate parameters of an underlying distribution based on the observed distribution.",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Bayesian Analysis. [Link](https://mathworld.wolfram.com/BayesianAnalysis.html)",
      "rdfs:label": "Bayesian Method",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:T1542.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.002",
      "d3f:modifies": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Component Firmware",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Na8625e56ccdb43109e33510565b66efa"
        }
      ]
    },
    {
      "@id": "_:Na8625e56ccdb43109e33510565b66efa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_26",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Audit Filtering Actions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:FileContentRules"
      },
      "rdfs:label": "AC-4(26)"
    },
    {
      "@id": "d3f:CWE-334",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-334",
      "rdfs:label": "Small Space of Random Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8214364B2"
      },
      "d3f:kb-abstract": "Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.",
      "d3f:kb-author": "Joseph P. Bigus, Leon Gong, Christoph Lingenfelder",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Daedalus Group LLC (formerly IBM)",
      "d3f:kb-reference-of": {
        "@id": "d3f:ResourceAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "Modeling user access to computer resources",
      "rdfs:label": "Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)"
    },
    {
      "@id": "d3f:CWE-350",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-350",
      "rdfs:label": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-290"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:T1159",
      "@type": "owl:Class",
      "d3f:attack-id": "T1159",
      "rdfs:label": "Launch Agent",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-007/"
      },
      "d3f:kb-abstract": "Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-007: Network Share Connection Removal",
      "rdfs:label": "Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE"
    },
    {
      "@id": "d3f:CWE-780",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-780",
      "rdfs:label": "Use of RSA Algorithm without OAEP",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-327"
      }
    },
    {
      "@id": "d3f:CWE-345",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-345",
      "rdfs:label": "Insufficient Verification of Data Authenticity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-799",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-799",
      "rdfs:label": "Improper Control of Interaction Frequency",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateProcessEx",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtCreateProcessEx",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateProcess"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:Provider",
      "@type": "owl:Class",
      "rdfs:label": "Provider",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Organization"
        },
        {
          "@id": "_:N7736442ac32547ffbaa54d8f8a83ba02"
        }
      ]
    },
    {
      "@id": "_:N7736442ac32547ffbaa54d8f8a83ba02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "d3f:kb-reference-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x kb-is-example-of y: The reference x is an example of technique y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "kb-reference-of",
      "rdfs:range": {
        "@id": "d3f:Technique"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      },
      "skos:altLabel": "kb-is-example-of"
    },
    {
      "@id": "d3f:cwe-kb-annotation",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "cwe-kb-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-694",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-694",
      "rdfs:label": "Use of Multiple Resources with Duplicate Identifier",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-99"
        }
      ]
    },
    {
      "@id": "d3f:Reference-PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120331142A1"
      },
      "d3f:kb-abstract": "In one embodiment, a method includes obtaining addresses of end hosts at a switch, the switch configured with a primary virtual local area network and a secondary virtual local area network, creating a private virtual local area network access list comprising the addresses of end hosts permitted to communicate on the secondary virtual local area network, and applying the private virtual local area network access list to interfaces connected to the end hosts permitted to communicate on the secondary virtual local area network. An apparatus is also disclosed.",
      "d3f:kb-author": "Anuraag Mittal, Huei-Ping Chen",
      "d3f:kb-organization": "Cisco Technology Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:kb-reference-title": "Private virtual local area network isolation",
      "rdfs:label": "Reference - Private virtual local area network isolation - Cisco Technology Inc"
    },
    {
      "@id": "d3f:Stacking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-STA",
      "d3f:definition": "Stacking is a method of using the results and predictions from one layer of ML models as inputs to another layer of ML models. Stacking (sometimes called stacked generalization) involves training a model to combine the predictions of several other learning algorithms.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Stacking",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-1268",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1268",
      "rdfs:label": "Policy Privileges are not Assigned Consistently Between Control and Data Agents",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-671",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-671",
      "rdfs:label": "Lack of Administrator Control over Security",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-011/"
      },
      "d3f:kb-abstract": "Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-011: Create Remote Thread into LSASS",
      "rdfs:label": "Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITRE"
    },
    {
      "@id": "d3f:NTFSLink",
      "@type": "owl:Class",
      "d3f:definition": "The NTFS filesystem defines various ways to link files, i.e. to make a file point to another file or its contents. The object being pointed to is called the target. There are three classes of NTFS links: (a) Hard links, which have files share the same MFT entry (inode), in the same filesystem; (b) Symbolic links, which record the path of another file that the link's contents should show and can accept relative paths; and (c) Junction points, which are similar to symlinks but defined only for directories and only accept local absolute paths.",
      "rdfs:label": "NTFS Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        }
      ]
    },
    {
      "@id": "d3f:ImageSegment",
      "@type": "owl:Class",
      "d3f:definition": "Image segments are distinct partitions of an object file.  Both data and code segments are examples of image segments.",
      "rdfs:label": "Image Segment",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Object_file"
        },
        "Object File"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:BinarySegment"
        },
        {
          "@id": "d3f:FileSection"
        }
      ]
    },
    {
      "@id": "d3f:GetSystemConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:reads": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Get System Config Value",
      "rdfs:seeAlso": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigSystemCall"
        },
        {
          "@id": "_:N1a6d709acf594e0081aa9c36e1776d6c"
        }
      ]
    },
    {
      "@id": "_:N1a6d709acf594e0081aa9c36e1776d6c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CAPEC-663",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CommonAttackPattern"
      ],
      "d3f:capec-id": "CAPEC-663",
      "rdfs:isDefinedBy": "https://capec.mitre.org/data/definitions/663.html",
      "rdfs:label": "Exploitation of Transient Instruction Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CommonAttackPattern"
      }
    },
    {
      "@id": "d3f:CapabilityFeatureClaim",
      "@type": "owl:Class",
      "rdfs:label": "Capability Feature Claim",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Statement"
        },
        {
          "@id": "_:N4b15304cc8dc4fd999fa69dcf41e8680"
        },
        {
          "@id": "_:N50ceb737936c4c3e9dd599d5f70cecde"
        },
        {
          "@id": "_:N351a83e2bdf74282beda8253587a6d34"
        },
        {
          "@id": "_:Ne0cdd4b725204c19ae68bf125e7368b1"
        },
        {
          "@id": "_:N7f90d4de68ac4bfb99b7bbf883571fd7"
        },
        {
          "@id": "_:N25185c5a8d474fa19c7e25780511a063"
        }
      ],
      "skos:altLabel": "Provider Claim"
    },
    {
      "@id": "_:N4b15304cc8dc4fd999fa69dcf41e8680",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:assessed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechniqueAssessment"
      }
    },
    {
      "@id": "_:N50ceb737936c4c3e9dd599d5f70cecde",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:author"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "_:N351a83e2bdf74282beda8253587a6d34",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "_:Ne0cdd4b725204c19ae68bf125e7368b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:comments"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N7f90d4de68ac4bfb99b7bbf883571fd7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:created"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "_:N25185c5a8d474fa19c7e25780511a063",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modified"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-009%3ACompiledHTMLAccess_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-009/"
      },
      "d3f:kb-abstract": "Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-009: Compiled HTML Access",
      "rdfs:label": "Reference - CAR-2020-11-009: Compiled HTML Access - MITRE"
    },
    {
      "@id": "d3f:T1218.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.009",
      "rdfs:label": "Regsvcs/Regasm Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:ExternalControl",
      "@type": "owl:Class",
      "rdfs:label": "External Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:N29a32a1aa7254c018ec7a09642fb9bc7"
        },
        {
          "@id": "_:Nf751f923177f4688877b2806622b18a7"
        }
      ]
    },
    {
      "@id": "_:N29a32a1aa7254c018ec7a09642fb9bc7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlCatalog"
      }
    },
    {
      "@id": "_:Nf751f923177f4688877b2806622b18a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:semantic-relation"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "d3f:d3fend-display-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-display-property y: An object x should be displayed using the display property y, when it applies.",
      "rdfs:label": "d3fend-display-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:Boosting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOO",
      "d3f:definition": "Boosting is a sequential process where each subsequent model attempts to correct the errors of the previous model",
      "d3f:kb-article": "## How it works\nBoosting consists of using weak learners sequentially, where each iteration’s training focuses on previously misclassified instances in order to improve on the previous iteration. This process is continued iteratively until the final prediction is made by aggregating the previous predictions.\n\n## Considerations\nBoosting can be computationally expensive, prone to overfitting, and slower to train compared to other ensemble methods.\n\nThere are three main types of Boosting algorithms:\n - Adaptive Boosting\nAdaptive Boosting (sometimes called AdaBoost) works by assigning equal importance to each piece of a dataset and running it through the base learning algorithms. The boosting algorithm assigns a higher importance to every algorithm that errors. This continues until an acceptable level of confidence is reached.\n - Gradient Boosting\nGradient Boosting starts by training multiple models simultaneously to gather a strong estimate of strength to build new base learning algorithms.\n - XGBoosting\nXGBoosting is a scalable tree boosting model. Using decision trees, weight is assigned to each variable and put into a decision tree. Outputs that are classified by the algorithm as wrong or weak are put into a second decision tree and the results form a stronger model.\n\n## References\nSciencedirect. (n.d.). Semi-supervised learning: An overview. [Link](https://www.sciencedirect.com/science/article/pii/S1319157823000228)",
      "rdfs:label": "Boosting",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:OSAPIGetSystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:GetSystemTime"
      },
      "rdfs:label": "OS API Get System Time",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N15841d1a2f844de786874e1456bfd7ec"
        }
      ]
    },
    {
      "@id": "_:N15841d1a2f844de786874e1456bfd7ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "d3f:UnlockAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreUserAccountAccess"
      ],
      "d3f:d3fend-id": "D3-ULA",
      "d3f:definition": "Restoring a user account's access to resources by unlocking a locked User Account.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Unlock Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreUserAccountAccess"
        },
        {
          "@id": "_:N744cc1217a784578a640dc4e7a078fe9"
        }
      ]
    },
    {
      "@id": "_:N744cc1217a784578a640dc4e7a078fe9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:Reference-DeadCodeElimination",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nebelwelt.net/files/15LangSec.pdf"
      },
      "d3f:kb-abstract": "There is a significant body of work devoted to testing, verifying, and certifying the correctness of optimizing compilers. The focus of such work is to determine if source code and optimized code have the same functional semantics. In this paper, we introduce the correctness-security gap, which arises when a compiler optimization preserves the functionality of but violates a security guarantee made by source code. We show with concrete code examples that several standard optimizations, which have been formally proved correct, inhabit this correctness-security gap. We analyze this gap and conclude that it arises due to techniques that model the state of the program but not the state of the underlying machine. We propose a broad research program whose goal is to identify, understand, and mitigate the impact of security errors introduced by compiler optimizations. Our proposal includes research in testing, program analysis, theorem proving, and the development of new, accurate machine models for reasoning about the impact of compiler optimizations on security.",
      "d3f:kb-author": "Vijay D'Silva, Mathias Payer, Dawn Song",
      "d3f:kb-organization": "Google Inc, Purdue University, UC Berkeley",
      "d3f:kb-reference-of": {
        "@id": "d3f:DeadCodeElimination"
      },
      "d3f:kb-reference-title": "The Correctness-Security Gap in Compiler Optimization",
      "rdfs:label": "Reference - Dead code elimination"
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-005/"
      },
      "d3f:kb-abstract": "Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-005: Clear Powershell Console Command History",
      "rdfs:label": "Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE"
    },
    {
      "@id": "d3f:MailServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Within the Internet email system, a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts. Messages exchanged across networks are passed between mail servers, including any attached data files (such as images, multimedia or documents). These servers also often keep mailboxes for email. Access to this email by end users is typically either via webmail or an email client.",
      "d3f:runs": {
        "@id": "d3f:MessageTransferAgent"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Message_transfer_agent"
      },
      "rdfs:label": "Mail Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:N8fd61c58f705479e94eccf9f3a5dc67e"
        }
      ],
      "skos:altLabel": [
        "MX Host",
        "Mail Exchanger",
        "Email Server Resource",
        "MTA",
        "Message transfer agent",
        "Mail transfer agent"
      ]
    },
    {
      "@id": "_:N8fd61c58f705479e94eccf9f3a5dc67e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MessageTransferAgent"
      }
    },
    {
      "@id": "d3f:T1560",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "rdfs:label": "Archive Collected Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N64a781c7170642848425e43609b22be5"
        }
      ]
    },
    {
      "@id": "_:N64a781c7170642848425e43609b22be5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:UserToUserMessage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Personal message, private message (PM), direct message (DM), or personal chat (PC) is a private form of messaging between different members on a given platform. It is only seen and accessible by the users participating in the message.",
      "d3f:has-recipient": {
        "@id": "d3f:UserAccount"
      },
      "d3f:has-sender": {
        "@id": "d3f:UserAccount"
      },
      "d3f:may-contain": {
        "@id": "d3f:Email"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Personal_message"
      },
      "rdfs:label": "User to User Message",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N4b89a2056afd46a8856a00f798b4327c"
        },
        {
          "@id": "_:Nb38a6e3c4cf1410baf0d43c0b53eda05"
        },
        {
          "@id": "_:N8de687f150d94a74ac276b52527b10ab"
        }
      ],
      "skos:altLabel": [
        "Private Message",
        "Personal Message"
      ]
    },
    {
      "@id": "_:N4b89a2056afd46a8856a00f798b4327c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-recipient"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:Nb38a6e3c4cf1410baf0d43c0b53eda05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-sender"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N8de687f150d94a74ac276b52527b10ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:T1186",
      "@type": "owl:Class",
      "d3f:attack-id": "T1186",
      "rdfs:label": "Process Doppelgänging",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CramersV",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CV",
      "d3f:definition": "Cramér's V (sometimes referred to as Cramér's phi and denoted as φc) is a measure of association between two nominal variables, giving a value between 0 and +1 (inclusive) and is based on Pearson's chi-squared statistic.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Cramér's V. [Link](https://en.wikipedia.org/wiki/Cram%C3%A9r%27s_V)",
      "d3f:synonym": "Cramer's Phi",
      "rdfs:label": "Cramer's V",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:CWE-913",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-913",
      "rdfs:label": "Improper Control of Dynamically-Managed Code Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-RunDLL32.exeMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-006/"
      },
      "d3f:kb-abstract": "Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be \"executed\" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-03-006: RunDLL32.exe monitoring",
      "rdfs:label": "Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE"
    },
    {
      "@id": "d3f:cited-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:cites"
      },
      "rdfs:label": "cited-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:CWE-637",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-637",
      "rdfs:label": "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:DeveloperApplication",
      "@type": "owl:Class",
      "d3f:definition": "An application used to develop computer software including applications used for software construction, analysis, testing, packaging, or management.",
      "rdfs:label": "Developer Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Application_development"
        },
        {
          "@id": "dbr:Application_software"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:T1059.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.003",
      "rdfs:label": "Windows Command Shell Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:CWE-920",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-920",
      "rdfs:label": "Improper Restriction of Power Consumption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf"
      },
      "d3f:kb-abstract": "This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or requiring reprogramming by the original manufacturer, resulting in significant disruptions to users. The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.",
      "d3f:kb-author": "NIST",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "Platform Firmware Resiliency Guidelines",
      "rdfs:label": "Reference - Platform Firmware Resiliency Guidelines - NIST"
    },
    {
      "@id": "d3f:OSAPICreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:CreateThread"
      },
      "rdfs:label": "OS API Create Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nedbda0a7b78543eead6b62414d87511c"
        }
      ]
    },
    {
      "@id": "_:Nedbda0a7b78543eead6b62414d87511c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateThread"
      }
    },
    {
      "@id": "d3f:T1588.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.003",
      "rdfs:label": "Code Signing Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-93",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-93",
      "rdfs:label": "Improper Neutralization of CRLF Sequences ('CRLF Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(2)"
    },
    {
      "@id": "d3f:ConfigurationResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A resource used to configure a system including software and hardware.",
      "rdfs:label": "Configuration Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:CWE-117",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-117",
      "rdfs:label": "Improper Output Neutralization for Logs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:CertificatePinning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:PublicKey"
      },
      "d3f:d3fend-id": "D3-CP",
      "d3f:definition": "Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.",
      "d3f:kb-article": "## How it works\nPinning allows for a trusted copy of a certificate or public key to be associated with a server, thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications.\n\nPinning can take the form of certificate pinning or public key pinning.\n\n## Forms of Pinning\n* Certificate Pinning (CP) allows for the client to verify the X.509 certificate with a preloaded certificate. Typically, this involves storing a hash of the certificate and using the stored hash for comparison to the hash of the certificate submitted during the SSL handshake.\n\n* Public Key Pinning (PKP) requires the extraction of a public key from the server's certificate. The stored public key is compared to the server's presented public key. A public key is expected to rotate less frequently than an X.509 certificate and is generally favored over certificate pinning.\n\nAn extension of PKP is Subject Public Key Information Pinning (SPKI), which includes public key pinning plus additional information for SSL connections. The additional information can include preferred algorithms.\n\n## Considerations\n\n* With pinned certificates whenever a server updates its certificate, the pinned certificates will also need to be updated\n* With pinned public keys the extracted key may be subject to key refresh policies but much less frequently\n* Servers can become unavailable if pinned objects are set and not updated with the rotated identities. This may require a pinning strategy to be developed.\n* The application of this technique within web browser applications has been [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) by popular web browser developers. They now favor certificate analysis via public certificate transparency logs, and the EXPECT-CT HTTP header. Note that the Expect-CT header has itself since been deprecated in favor of browsers enforcing Certificate Transparency by default.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CertificateAndPublicKeyPinning"
        },
        {
          "@id": "d3f:Reference-End-to-endCertificatePinning"
        },
        {
          "@id": "d3f:Reference-PublicKeyPinningExtensionForHTTP"
        }
      ],
      "rdfs:label": "Certificate Pinning",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:Nd4c05cbd699d41799839e8b73ea06cfb"
        }
      ]
    },
    {
      "@id": "_:Nd4c05cbd699d41799839e8b73ea06cfb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PublicKey"
      }
    },
    {
      "@id": "d3f:Grid-CNN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GC",
      "d3f:definition": "A class of neural networks that specializes in processing data that has a grid-like topology, such as an image.",
      "d3f:kb-article": "## References\nTalukdar, P. (2020, June 10). Convolutional Neural Networks Explained. Towards Data Science. [Link](https://towardsdatascience.com/convolutional-neural-networks-explained-9cc5188c4939)",
      "rdfs:label": "Grid-CNN",
      "rdfs:subClassOf": {
        "@id": "d3f:ConvolutionalNeuralNetwork"
      }
    },
    {
      "@id": "d3f:Perturbation-basedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBL",
      "d3f:definition": "Perturbation based methods are proposed under the smoothness assumption, which indicates that two data points close to each other in feature space are likely to have the same label.",
      "d3f:kb-article": "## References\nZheng, Y., & Song, Y. (2021). An Effective Perturbation-Based Semi-Supervised Learning Method for Acoustic Event Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 29, 3580-3591. [Link](https://www.semanticscholar.org/paper/An-Effective-Perturbation-Based-Semi-Supervised-for-Zheng-Song/b75ae37d137ac354eb2ed42917e461b4dccdc977).\n\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).",
      "rdfs:label": "Perturbation-based Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:SystemServiceSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:definition": "Software services provided as part of the operating system, typically accessed through system calls.",
      "rdfs:label": "System Service Software",
      "rdfs:seeAlso": {
        "@id": "https://www.os-book.com/OS9/slide-dir/PPT-dir/ch2.ppt"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:Ndf7190e55ac74abba0e6f5a54129ecb3"
        }
      ]
    },
    {
      "@id": "_:Ndf7190e55ac74abba0e6f5a54129ecb3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-006/"
      },
      "d3f:kb-abstract": "Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-006: Local Permission Group Discovery",
      "rdfs:label": "Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE"
    },
    {
      "@id": "d3f:T1173",
      "@type": "owl:Class",
      "d3f:attack-id": "T1173",
      "rdfs:label": "Dynamic Data Exchange",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:kb-article",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "The technique x has the kb-article y, where y is written in Markdown.",
      "rdfs:domain": {
        "@id": "d3f:Technique"
      },
      "rdfs:label": "kb-article",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:PassivePhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-PPLM",
      "d3f:definition": "Passive physical link mapping only listens to network traffic as a means to map the physical layer.",
      "d3f:synonym": "Passive Physical Layer Mapping",
      "rdfs:label": "Passive Physical Link Mapping",
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalLinkMapping"
      }
    },
    {
      "@id": "d3f:Reference-Tripwire",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://linux.die.net/man/8/tripwire"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:FileIntegrityMonitoring"
      },
      "d3f:kb-reference-title": "Reference - Tripwire",
      "rdfs:label": "Reference - Tripwire"
    },
    {
      "@id": "d3f:CWE-31",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-31",
      "rdfs:label": "Path Traversal: 'dir\\..\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:IntranetFileTransferTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet file transfer traffic is file transfer traffic that does not cross a given network's boundaries and uses a standard file transfer protocol.",
      "rdfs:label": "Intranet File Transfer Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Intranet"
        },
        {
          "@id": "dbr:File_transfer"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-761",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-761",
      "rdfs:label": "Free of Pointer not at Start of Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-763"
      }
    },
    {
      "@id": "d3f:C5.0",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-C5.",
      "d3f:definition": "C5.0 is the next version of C4.5, which in turn is the upgrade from ID3. The only difference between C5.0 and C4.5 is some improvements made to C5.0.",
      "d3f:kb-article": "## References\nC4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).",
      "rdfs:label": "C5.0",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:CWE-584",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-584",
      "rdfs:label": "Return Inside Finally Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-705"
      }
    },
    {
      "@id": "d3f:may-be-accessed-by",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-be-accessed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1554",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1554",
      "d3f:modifies": {
        "@id": "d3f:ClientApplication"
      },
      "rdfs:label": "Compromise Client Software Binary",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:Nd019f5370b4142968e2c97952aedb11d"
        }
      ]
    },
    {
      "@id": "_:Nd019f5370b4142968e2c97952aedb11d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ClientApplication"
      }
    },
    {
      "@id": "d3f:VideoInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Video input devices are used to digitize images or video from the outside world into the computer. The information can be stored in a multitude of formats depending on the user's requirement.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Input_device#Video_input_devices"
      },
      "rdfs:label": "Video Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:Identifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique class of objects, where the \"object\" or class may be an idea, physical [countable] object (or class thereof), or physical [noncountable] substance (or class thereof). The abbreviation ID often refers to identity, identification (the process of identifying), or an identifier (that is, an instance of identification). An identifier may be a word, number, letter, symbol, or any combination of those.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Identifier"
      },
      "rdfs:label": "Identifier",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "ID"
    },
    {
      "@id": "d3f:obfuscates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x obfuscates y: The technique x makes the digital artifact y unclear or obscure.  Typically obfuscation is a way to hide a digital artifact from discovery, use, or both.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00942245-v"
      },
      "rdfs:label": "obfuscates",
      "rdfs:seeAlso": {
        "@id": "dbr:Obfuscation_(software)"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:CWE-832",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-832",
      "rdfs:label": "Unlock of a Resource that is not Locked",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:Reference-ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20040060046A1"
      },
      "d3f:kb-abstract": "An apparatus is equipped to automatically update one or more integrity references of a software entity, when the software entity is installed onto the apparatus. The apparatus is further equipped to periodically determine whether the integrity of the apparatus has been compromised based at least in part on the one or more integrity references of the software entity that are automatically updated during installation of the software entity.",
      "d3f:kb-author": "Thomas Good, Robert DiFalco, Gene Kim",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Tripwire, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:kb-reference-title": "Computing apparatus with automatic integrity reference generation and maintenance",
      "rdfs:label": "Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc."
    },
    {
      "@id": "d3f:T1589.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.003",
      "rdfs:label": "Employee Names",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:Reference-IdentificationOfVisualInternationalDomainNameCollisions-VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10599836B2/en"
      },
      "d3f:kb-abstract": "Fuzzy OCR to detect domain name homoglyph attacks.\n\nVarious embodiments of the invention disclosed herein provide techniques for detecting a homograph attack. An IDN collision detection server retrieves a first domain name that includes a punycode element. The IDN collision detection server converts the first domain into a second domain name that includes a Unicode character corresponding to the punycode element. The IDN collision detection server converts the second domain name into an image. The IDN collision detection server performs one or more optical character recognition operations on the image to generate a textual string associated with the image. The IDN collision detection server determines that the textual string matches at least a portion of a third domain name.",
      "d3f:kb-author": "Ben McCarty, Preston Zeh",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Verisign Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "Identification of visual international domain name collisions",
      "rdfs:label": "Reference - Identification of visual international domain name collisions - Verisign Inc"
    },
    {
      "@id": "d3f:T1218.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.008",
      "rdfs:label": "Odbcconf Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:LinearLogicProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LLP",
      "d3f:definition": "Linear logic programming is a form of logic programming that uses linear logic, that is, it emphasizes the use of formulas as resources.",
      "d3f:kb-article": "## References\n1. Cosmo, R. and Miller D. (2019, May 24). _Linear logic_. Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-linear/#LinLogComSci)\n2. Linear logic programming. (2023, May 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming#Linear_logic_programming)",
      "rdfs:label": "Linear Logic Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:T1204.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1204.002",
      "d3f:executes": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Malicious File Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1204"
        },
        {
          "@id": "_:Nc9aa7432d986499dbe333de7f06b3366"
        }
      ]
    },
    {
      "@id": "_:Nc9aa7432d986499dbe333de7f06b3366",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:LinuxSocketcallArgumentSYS_SOCKET",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/socketcall.2.html",
      "rdfs:label": "Linux Socketcall Argument SYS_SOCKET",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateSocket"
      }
    },
    {
      "@id": "d3f:MachineLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ML",
      "d3f:definition": "Machine learning techniques are computational methods that combine statistics, probability, and optimization to make accurate predictions and/or improve performance.",
      "d3f:kb-article": "## References\nMachine learning.\" Wikipedia. [Link](https://en.wikipedia.org/wiki/Machine_learning).",
      "rdfs:label": "Machine Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:installs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x installs y: An entity x sets up a digital artifact y for subsequent use.  For example, an installation program can install application software.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01572394-v"
      },
      "rdfs:label": "installs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:DHCPServer",
      "@type": "owl:Class",
      "d3f:definition": "A Dynamic Host Configuration Protocol (DHCP) server is a type of server that assigns IP addresses to computers.  DHCP servers are used to assign IP addresses to computers and other devices automatically.  The DHCP server is responsible for assigning the unique IP address to each device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Dynamic_Host_Configuration_Protocol"
      },
      "rdfs:label": "DHCP Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:T1081",
      "@type": "owl:Class",
      "d3f:attack-id": "T1081",
      "rdfs:label": "Credentials in Files",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-710",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-710",
      "rdfs:label": "Improper Adherence to Coding Standards",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:K-CenterClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KCC",
      "d3f:definition": "K-center Clustering is a type of clustering based on an combinatorial optimization methods.  It clusters a set of points so as to minimize the maximum intercluster distance.",
      "d3f:kb-article": "## How it works\n\nAn example K-center Clustering problem is to mimimize the number of points in a set that are necessary so that a every other point in the set is within some fixed distance of those points.  For instance, given n cities with specified distances, one wants to build k warehouses in different cities and minimize the maximum distance of a city to a warehouse.\n\n## Considerations\n\n- **Scalability**: Exact solutions are NP-hard.  However, algorithms\n    that have been proven effective and create no more than 2x the\n    optimal set of clusters can run in O(kn) proportional to k*n where\n    k is the minimum number of clusters and n is the number of data\n    points being clustered.\n\n## Key Test Considerations\n\n- **Unsupervised Learning**:\n\n  - **Number of Clusters**: The Gonzalez (Gon) algorithm guarantees\n      creating no more than twice the optimal number of clusters,\n      where the optimal number is the minimum number of clusters to\n      minimize total distance between representative points in the\n      clusters [1].\n\n- **Cluster Analysis**:\n\n    - **Rand Index and Adjusted Rand Index**: Given ground truth set\n      of class labels for the data, the Rand Index is a measure of the\n      similarity between two data clusterings. The Rand Index is the\n      accuracy of determining if a link belongs within a cluster or\n      not. 
A form of the Rand Index may be defined that is adjusted\n      for the chance grouping of elements; this is the Adjusted Rand\n      Index [5].\n\n    - **Adjusted Mutual Information**: Given a ground truth set of class\n      labels for the data, Adjusted Mutual Information corrects the\n      effect of agreement solely due to chance between clusterings,\n      similar to the way the Adjusted Rand Index corrects the Rand\n      Index [6].\n\n- **Connection-based Clustering**:\n\n  - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan).\n\n  - **Sensitivity**: Connection-based methods can be sensitive to outliers, which might affect the quality of the clusters formed.\n\n- **K-center Clustering**:\n\n  - **Silhouette Score**: The silhouette score refers to a scoring\n    method that helps validate the consistency between clusters of\n    data. The evaluation technique also produces a concise graphical\n    representation of how well each object appears to have been\n    classified.  It is suited to K-center Clustering in that it also\n    works for different metric spaces.\n\n  - **Distance Metric**: The distance measure must be a true metric (see\n    [2]).  Differences in the metric chosen (e.g., Euclidean,\n    Manhattan) may affect results significantly.\n\n  - **Sensitivity**: Greedy implementations may be sensitive to\n    outliers.\n\n## Platforms, Tools, or Libraries\n\nN/A. _Note that this algorithm is relatively simple and so it is\nusually implemented from scratch by those incorporating this algorithm\ninto a system._\n\n## References\n\n1. Gonzalez, T.F. (1985). Clustering to Minimize the Maximum Intercluster Distance. Theor. Comput. Sci., 38, 293-306.\n[Link](https://www.sciencedirect.com/science/article/pii/0304397585902245?via%3Dihub).\n\n1. Weisstein, Eric W. (n.d.). \"Metric.\" From MathWorld--A Wolfram Web Resource. 
[Link](https://mathworld.wolfram.com/Metric.html).\n\n1. Wikipedia. (8 Aug 2023). Metric k-center [Link](https://en.wikipedia.org/wiki/Metric_k-center).\n\n1. Wikipedia. (14 Aug 2023). Vertex k-center problem. [Link](https://en.wikipedia.org/wiki/Vertex_k-center_problem).\n\n1. Wikipedia. (n.d.). Rand Index. [Link](https://en.wikipedia.org/wiki/Rand_index).\n\n1. Wikipedia. (n.d.). Adjusted Mutual Information. [Link](https://en.wikipedia.org/wiki/Adjusted_mutual_information).\n\n1. Wikipedia. (1 Aug 2023). Silhouette (clustering). [Link](https://en.wikipedia.org/wiki/Silhouette_(clustering)).",
      "rdfs:label": "K-Center Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Graph-basedClustering"
      }
    },
    {
      "@id": "d3f:DescriptionLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DL",
      "d3f:definition": "A description logic (DL) is a form of logic usually more expressive than propositional logic but less expressive than first-order logic.",
      "d3f:kb-article": "## How it works\nThe core reasoning problems for description logics (DLs) are (usually) decidable, and efficient decision procedures have been designed and implemented for these problems. There are general, spatial, temporal, spatiotemporal, and fuzzy description logics, and each description logic features a different balance between expressive power and reasoning complexity by supporting different sets of mathematical constructors.\n\nDLs are used in artificial intelligence to describe and reason about the relevant concepts of an application domain (known as terminological knowledge). It is of particular importance in providing a logical formalism for ontologies and the Semantic Web: the Web Ontology Language (OWL) and its profiles are based on DLs.\n\n## References\n1. Description logic. (2023, April 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Description_logic)",
      "rdfs:label": "Description Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:CCI-000192_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of upper case characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000192"
    },
    {
      "@id": "d3f:T1098.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.003",
      "d3f:modifies": {
        "@id": "d3f:GlobalUserAccount"
      },
      "rdfs:label": "Add Office 365 Global Administrator Role",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:N0502f49b45c94f8bb6579d2ea5d89667"
        }
      ]
    },
    {
      "@id": "_:N0502f49b45c94f8bb6579d2ea5d89667",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GlobalUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-158",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-158",
      "rdfs:label": "Improper Neutralization of Null Byte or NUL Character",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-105",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-105",
      "rdfs:label": "Struts: Form Field Without Validator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:WindowsNtSetInformationFileArgumentFileDispositionInformation",
      "@type": "owl:Class",
      "d3f:definition": "Request to delete the file when it is closed or cancel a previously requested deletion.",
      "rdfs:label": "Windows NtSetInformationFile Argument FileDispositionInformation",
      "rdfs:seeAlso": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationfile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIDeleteFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:CWE-56",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-56",
      "rdfs:label": "Path Equivalence: 'filedir*' (Wildcard)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-155"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:LinuxProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "Linux Process"
    },
    {
      "@id": "d3f:Catalog",
      "@type": "owl:Class",
      "d3f:definition": "A catalog is a complete list of things; usually arranged systematically.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/06499734-n",
      "rdfs:label": "Catalog",
      "rdfs:subClassOf": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "d3f:SessionCookie",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A session cookie, also known as an in-memory cookie, transient cookie or non-persistent cookie, exists only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.",
      "rdfs:isDefinedBy": {
        "@id": "https://schema.ocsf.io/objects/http_cookie"
      },
      "rdfs:label": "Session Cookie",
      "rdfs:seeAlso": [
        "https://schema.ocsf.io/objects/http_cookie",
        {
          "@id": "dbr:HTTP_cookie"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": [
        "Transient Cookie",
        "Web Session Cookie",
        "In-memory Cookie",
        "Non-persistent Cookie"
      ]
    },
    {
      "@id": "d3f:CCI-000057_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system initiates a session lock after the organization-defined time period of inactivity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000057"
    },
    {
      "@id": "d3f:has-evidence",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-evidence",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:ApplicationProcessConfiguration",
      "@type": "owl:Class",
      "d3f:definition": "The current configuration of an application process, stored in memory. It may have been sourced from other types of application configurations, e.g. Application Configuration Files or Application Configuration Database Records.",
      "rdfs:label": "Application Process Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-403",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-403",
      "rdfs:label": "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-402"
      }
    },
    {
      "@id": "d3f:d3fend-kb-annotation-property",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-kb-annotation-property y: The entity x had the d3fend kb annotation y.",
      "rdfs:label": "d3fend-kb-annotation-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-207",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-207",
      "rdfs:label": "Observable Behavioral Discrepancy With Equivalent Products",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-205"
      }
    },
    {
      "@id": "d3f:CWE-1110",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1110",
      "rdfs:label": "Incomplete Design Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:T1615",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1615",
      "d3f:reads": {
        "@id": "d3f:GroupPolicy"
      },
      "rdfs:label": "Group Policy Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nd67026842915465aacc38818d82ebdb7"
        }
      ]
    },
    {
      "@id": "_:Nd67026842915465aacc38818d82ebdb7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:CCI-001991_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Certificate-basedAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001991"
    },
    {
      "@id": "d3f:T1482",
      "@type": "owl:Class",
      "d3f:attack-id": "T1482",
      "rdfs:label": "Domain Trust Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-64",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-64",
      "rdfs:label": "Windows Shortcut Following (.LNK)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:T1542.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.005",
      "d3f:creates": {
        "@id": "d3f:TFTPNetworkTraffic"
      },
      "rdfs:label": "TFTP Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Nd382e6ae1e384308bc7ec52264fe2d92"
        }
      ]
    },
    {
      "@id": "_:Nd382e6ae1e384308bc7ec52264fe2d92",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TFTPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-248",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-248",
      "rdfs:label": "Uncaught Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:SoftwareArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A software artifact server provides access to the software artifacts in a software repository. A software repository, or \"repo\" for short, is a storage location for software packages. Often a table of contents is stored, as well as metadata. Repositories group packages. Sometimes the grouping is for a programming language, such as CPAN for the Perl programming language, sometimes for an entire operating system, sometimes the license of the contents is the criteria. At client side, a package manager helps installing from and updating the repositories.",
      "rdfs:label": "Software Artifact Server",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Software_repository"
        },
        {
          "@id": "dbr:Artifact_(software_development)"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ArtifactServer"
      }
    },
    {
      "@id": "d3f:DNSLookup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Domain Name System (DNS) lookup is a record returned from a DNS resolver after querying a DNS name server.  Typically considered an A or AAAA record, where a domain name is resolved to an IPv4 or IPv6 address, respectively.",
      "rdfs:label": "DNS Lookup",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:List_of_DNS_record_types"
        },
        "https://schema.ocsf.io/objects/dns_query",
        {
          "@id": "dbr:Domain_Name_System"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:DigitalEvent"
        }
      ]
    },
    {
      "@id": "d3f:T1530",
      "@type": "owl:Class",
      "d3f:attack-id": "T1530",
      "rdfs:label": "Data from Cloud Storage Object",
      "rdfs:subClassOf": {
        "@id": "d3f:CollectionTechnique"
      }
    },
    {
      "@id": "d3f:recorded-in",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "recorded-in",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1263",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1263",
      "rdfs:label": "Improper Physical Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-798",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-798",
      "d3f:weakness-of": {
        "@id": "d3f:AuthenticationFunction"
      },
      "rdfs:label": "Use of Hard-coded Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1391"
        },
        {
          "@id": "d3f:CWE-344"
        },
        {
          "@id": "d3f:CWE-671"
        },
        {
          "@id": "_:N696aafe62ee94ad49a7505129c350dcd"
        }
      ]
    },
    {
      "@id": "_:N696aafe62ee94ad49a7505129c350dcd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationFunction"
      }
    },
    {
      "@id": "d3f:T1595.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.002",
      "rdfs:label": "Vulnerability Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:T1118",
      "@type": "owl:Class",
      "d3f:attack-id": "T1118",
      "rdfs:label": "InstallUtil",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:comments",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "d3f:definition": "x comments y: x claim has provider comments y.",
      "rdfs:domain": {
        "@id": "d3f:CapabilityFeatureClaim"
      },
      "rdfs:label": "comments",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:T1092",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1092",
      "d3f:modifies": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Communication Through Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N8bd3fc689a964f0f8d9bba6b3300f748"
        }
      ]
    },
    {
      "@id": "_:N8bd3fc689a964f0f8d9bba6b3300f748",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:DeserializationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Function with an input of serialized data which deserializes that data, usually with data parsing methods.",
      "rdfs:label": "Deserialization Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1144",
      "@type": "owl:Class",
      "d3f:attack-id": "T1144",
      "rdfs:label": "Gatekeeper Bypass",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:addresses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x addresses y: Relates a pointer x to a digital artifact y located in the address space to which x points. The address space is part of some digital store, whether it be in memory, an image, or a persistent storage device.",
      "rdfs:domain": {
        "@id": "d3f:Identifier"
      },
      "rdfs:label": "addresses",
      "rdfs:range": {
        "@id": "d3f:Resource"
      },
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Pointer_(computer_programming)"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/02253826-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "points-to"
    },
    {
      "@id": "d3f:CWE-1278",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1278",
      "rdfs:label": "Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-942",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-942",
      "rdfs:label": "Permissive Cross-domain Policy with Untrusted Domains",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-183"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:CWE-269",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-269",
      "rdfs:label": "Improper Privilege Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Client-serverPayloadProfiling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-CSPP",
      "d3f:definition": "Comparing client-server request and response payloads to a baseline profile to identify outliers.",
      "d3f:kb-article": "## How it works\nProfiling request and response payloads across multiple clients to a single server to develop a baseline of their characteristics. May take into account request/response sizes, entropy, frequency, and rhythm. Finally, identify outliers as they may indicate a malicious payload delivery and subsequent server exploitation.\n\n\n## Considerations\n* Collecting metrics to establish a profile can be challenging since user behavior can change easily.\n* Employees may work different hours or inconsistent schedules which will cause false positives.\n* Collection of network activity to generate metrics is a computationally intensive process.\n* Users may log into different workstations which may cause false positives.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc"
      },
      "rdfs:label": "Client-server Payload Profiling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N31a605d578644c20b7d54feee731135e"
        }
      ]
    },
    {
      "@id": "_:N31a605d578644c20b7d54feee731135e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1161",
      "@type": "owl:Class",
      "d3f:attack-id": "T1161",
      "rdfs:label": "LC_LOAD_DYLIB Addition",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1056.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:KeyboardInputDevice"
      },
      "d3f:attack-id": "T1056.001",
      "rdfs:label": "Keylogging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:Nf121884e24e649fa8b300a8d4d3e417c"
        }
      ]
    },
    {
      "@id": "_:Nf121884e24e649fa8b300a8d4d3e417c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KeyboardInputDevice"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForInternetSecurity_CylanceInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120117644A1"
      },
      "d3f:kb-abstract": "A computer implemented method for preventing SQL injection attacks comprises intercepting a web request associated with a web service at a first software hook in a first web service execution context, persisting at least a portion of the intercepted web request in a storage location associated with the first software hook and accessible to at least one additional execution context, intercepting a database query generated by at least one web service processing operation at a second software hook associated with the execution of the query, wherein the query is generated in response to the intercepted web request and the second hook retrieves the persisted portion of the intercepted web request, comparing a portion of the persisted portion of the intercepted web request with at least a portion of the intercepted database query, and determining, prior to the query being executed, whether the query corresponds to a potential SQL injection attack.",
      "d3f:kb-author": "Derek A. Soeder",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting SQL injection attacks. Software hooks are installed in a web service or application to intercept function calls, events, or messages that are passed between software components. Intercepted database queries associated with a web request are analyzed character by character and if it contains a character that would modify the syntax the query is rejected or sanitized. Security rules and policies may also determine rejection. For example, an administrator or developer may implement a rule that rejects any database query that is excessively long or that contains a particular string, such as \"Xp cmdshell\".",
      "d3f:kb-organization": "Cylance Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:kb-reference-title": "System and method for internet security",
      "rdfs:label": "Reference - System and method for internet security - Cylance Inc"
    },
    {
      "@id": "d3f:Activity",
      "@type": "owl:Class",
      "d3f:definition": "An activity is a specific behavior representing a set of actions that may be accomplished by an agent.",
      "rdfs:label": "Activity",
      "rdfs:seeAlso": [
        "http://wordnet-rdf.princeton.edu/id/00408356-n",
        "https://en.wikipedia.org/wiki/Business_Process_Model_and_Notation",
        "https://en.wikipedia.org/wiki/IDEF0",
        "https://enterpriseintegrationlab.github.io/icity/Activity/doc/index-en.html"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:T1204",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204",
      "rdfs:label": "User Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:IntervalEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IE",
      "d3f:definition": "Interval estimation is the use of sample data to estimate an interval of possible values of a parameter of interest.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Interval estimation. [Link](https://en.wikipedia.org/wiki/Interval_estimation)",
      "rdfs:label": "Interval Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:Estimation"
      }
    },
    {
      "@id": "d3f:Reference-SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160381065A1"
      },
      "d3f:kb-abstract": "Techniques for sinkholing bad network domains by registering the bad network domains on the Internet are provided. In some embodiments, sinkholing bad network domains by registering the bad network domains on the Internet includes determining a network domain is a bad network domain, in which the bad network domain is determined to be associated with an identified malware (e.g., malware that has been identified and has been determined to be associated with the bad domain), and the bad network domain is sinkholed by registering the bad network domain with a sinkholed IP address; and identifying a host that is infected with the identified malware based on an attempt by the host to connect to the sinkholed IP address.",
      "d3f:kb-author": "Huagang Xie; Wei Xu; Nir Zuk",
      "d3f:kb-mitre-analysis": "This patent describes a technique to identify bad domains that are associated with malware and sinkhole the bad domain. Bad domains are identified by receiving malware samples and executing the malware sample in a virtual execution environment to identify network domains that the malware sample attempts to connect to during execution. Network domains that are identified during malware execution are then generated into signatures to identity bad domains for other hosts. Once identified, the bad domains are sinkholed by translating the domain to a valid IP address that is associated with a device controlled by a cloud security provider.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Sinkholing bad network domains by registering the bad network domains on the internet",
      "rdfs:label": "Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-316",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-316",
      "rdfs:label": "Cleartext Storage of Sensitive Information in Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:CWE-1087",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1087",
      "rdfs:label": "Class with Virtual Method without a Virtual Destructor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:Reference-AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160226901A1"
      },
      "d3f:kb-abstract": "The invention provides a system and method for automatic creation of adaptive behavioral profiles for observables associated with resource states and events in a computer network (IT) infrastructure of an enterprise and for detecting anomalies that represent potential malicious activity and threats as deviations from normal behavior. Separate profiles may be created for each behavioral indicator, as well as for each time series of measurements, and aggregated to create an overall behavioral profile. An anomaly probability is determined from the behavioral profile and used to evaluate the data values of observables. Outlier data values which deviate from normal behavior by more than a predetermined probability threshold are identified for risk analysis as possible threats while inliers within the range of normal behavior are used to update the behavioral profile. Behavioral profiles are created for behavioral indicators based upon observables measured over predetermined time periods using algorithms employing statistical analysis approaches that work for any type of data distribution, and profiles are adapted over time using data aging to more closely represent current behavior. Algorithm parameters for creating profiles are based on the type of data, i.e., its metadata.",
      "d3f:kb-author": "Igor A. Baikalov; Tanuj Gulati; Sachin Nayyar; Anjaneya Shenoy; Ganpatrao H. Patwardhan",
      "d3f:kb-mitre-analysis": "The patent describes a technique for detecting anomalous activity within an organization's IT infrastructure to identify threats. Behavioral profiles can be grouped by peer groups that identify functionally similar groups of actors (users or resources) based on their attributes and pre-defined grouping rules. For example, users can be grouped by their job title, organizational hierarchy, or location and can be observed for similarities in access patterns, based on granted access entitlements or actual logged resource access.\n\nBehavioral profiles are created from measurements of events over a time period for example:\n\n* Transaction counts\n* Concurrent users per hour\n* Daily volume of data\n\nOutlier data values which deviate from behavioral profile by more than a predetermined probability threshold are identified for risk analysis as possible threats.",
      "d3f:kb-organization": "Securonix Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:JobFunctionAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "Anomaly Detection Using Adaptive Behavioral Profiles",
      "rdfs:label": "Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Inc"
    },
    {
      "@id": "d3f:BERT",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BER",
      "d3f:definition": "Bidirectional Encoder Representations from Transformers (BERT) is based on a deep learning model in which every output element is connected to every input element, and the weightings between them are dynamically calculated based upon their connection.",
      "d3f:kb-article": "## References\nBERT (language model). (n.d.). In TechTarget. [Link](https://www.techtarget.com/searchenterpriseai/definition/BERT-language-model)\nBERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/BERT_(language_model))",
      "d3f:synonym": "Bidirectional Encoder Representations from Transformers",
      "rdfs:label": "BERT",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:CWE-1326",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1326",
      "rdfs:label": "Missing Immutable Root of Trust in Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:T1078.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.002",
      "d3f:uses": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:Nd4d34f58b2be4c0e9f922eea0c4a27c3"
        }
      ]
    },
    {
      "@id": "_:Nd4d34f58b2be4c0e9f922eea0c4a27c3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CCI-001953_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001953"
    },
    {
      "@id": "d3f:non-real-time-analytic",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AnalyticLatency"
      ],
      "rdfs:label": "non-real-time-analytic"
    },
    {
      "@id": "d3f:CWE-1117",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1117",
      "rdfs:label": "Callable with Insufficient Behavioral Summary",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:Grouping",
      "@type": "owl:Class",
      "rdfs:label": "Grouping",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:T1013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1013",
      "rdfs:label": "Port Monitors",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-201",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-201",
      "rdfs:label": "Insertion of Sensitive Information Into Sent Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:CWE-55",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-55",
      "rdfs:label": "Path Equivalence: '/./' (Single Dot Directory)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:narrower-transitive",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "narrower-transitive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:CWE-1174",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1174",
      "rdfs:label": "ASP.NET Misconfiguration: Improper Model Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264070A1"
      },
      "d3f:kb-abstract": "A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.",
      "d3f:kb-author": "James Patrick HARLACHER; Aditya Sood; Oskar Ibatullin",
      "d3f:kb-mitre-analysis": "This patent describes detecting algorithm generated domains (AGD). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin Domains, Sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:\n\n* IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing)\n* Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.\n* Domain Popularity: provides information on the popularity of a domain name.\n\nBased on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting algorithm-generated domains",
      "rdfs:label": "Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:encrypts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x encrypts y: The entity x converts the ordinary representation of a digital artifact y into a secret code.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00996121-v"
      },
      "rdfs:label": "encrypts",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:CWE-164",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-164",
      "rdfs:label": "Improper Neutralization of Internal Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:attack-id",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x attack-id y: The offensive technique x has the att&ck unique id of y.",
      "rdfs:domain": {
        "@id": "d3f:OffensiveTechnique"
      },
      "rdfs:label": "attack-id",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-kb-annotation"
      }
    },
    {
      "@id": "d3f:AdminFeatureAssessment",
      "@type": "owl:Class",
      "rdfs:label": "Admin Feature Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FeatureAssessment"
        },
        {
          "@id": "_:N3df073456560482f8d98b6f10489cdf7"
        }
      ]
    },
    {
      "@id": "_:N3df073456560482f8d98b6f10489cdf7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:assesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdminFeatureClaim"
      }
    },
    {
      "@id": "d3f:impairs",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "impairs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1218.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.007",
      "rdfs:label": "Msiexec Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:Enclave",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Network enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements.",
      "d3f:may-contain": {
        "@id": "d3f:LocalAreaNetwork"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_enclave"
      },
      "rdfs:label": "Enclave",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Ne80cc0316627466bb5bd04d81ff6975b"
        }
      ],
      "skos:altLabel": "Network Enclave"
    },
    {
      "@id": "_:Ne80cc0316627466bb5bd04d81ff6975b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:T1216",
      "@type": "owl:Class",
      "d3f:attack-id": "T1216",
      "rdfs:label": "Signed Script Proxy Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ExternalKnowledgeBase",
      "@type": "owl:Class",
      "d3f:pref-label": "External Knowledge Base",
      "rdfs:label": "External Knowledge Base",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InformationContentEntity"
        },
        {
          "@id": "d3f:TechniqueReference"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1090",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1090",
      "rdfs:label": "Method Containing Access of a Member Element from Another Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:T1496",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496",
      "rdfs:label": "Resource Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:MessageTransferAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol.",
      "rdfs:label": "Message Transfer Agent",
      "rdfs:seeAlso": {
        "@id": "dbr:Message_transfer_agent"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:MailService"
      },
      "skos:altLabel": [
        "Mail Transfer Agent",
        "MTA"
      ]
    },
    {
      "@id": "d3f:CWE-74",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-74",
      "rdfs:label": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:CWE-175",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-175",
      "rdfs:label": "Improper Handling of Mixed Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:CWE-34",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-34",
      "rdfs:label": "Path Traversal: '....//'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:T1217",
      "@type": "owl:Class",
      "d3f:attack-id": "T1217",
      "rdfs:label": "Browser Bookmark Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1556.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.001",
      "rdfs:label": "Domain Controller Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CWE-1098",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1098",
      "rdfs:label": "Data Element containing Pointer Item without Proper Copy Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:CCI-002460_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined actions prior to executing mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002460"
    },
    {
      "@id": "d3f:CWE-298",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-298",
      "rdfs:label": "Improper Validation of Certificate Expiration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-672"
        }
      ]
    },
    {
      "@id": "d3f:HTTPURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "HTTP URL"
    },
    {
      "@id": "d3f:T1574.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.008",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Path Interception by Search Order Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N123ce7acb2744a5a996cce39c429a4ec"
        }
      ]
    },
    {
      "@id": "_:N123ce7acb2744a5a996cce39c429a4ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1588",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588",
      "rdfs:label": "Obtain Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IR-4_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Incident Handling | Behavior Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "IR-4(13)"
    },
    {
      "@id": "d3f:T1053",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053",
      "d3f:definition": "The sub-techniques of this are specific software implementations of scheduling capabilities",
      "d3f:executes": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:modifies": {
        "@id": "d3f:JobSchedule"
      },
      "rdfs:label": "Scheduled Task/Job Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:Nef93776e089c4fdf9489c3b7631ad68b"
        },
        {
          "@id": "_:Ne801ca99d9dc4b7fb2f215a0c90fe82d"
        },
        {
          "@id": "_:N21d1d57ac7b3484a9485f6fe19595738"
        }
      ]
    },
    {
      "@id": "_:Nef93776e089c4fdf9489c3b7631ad68b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:Ne801ca99d9dc4b7fb2f215a0c90fe82d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N21d1d57ac7b3484a9485f6fe19595738",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:CWE-349",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-349",
      "rdfs:label": "Acceptance of Extraneous Untrusted Data With Trusted Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:T1073",
      "@type": "owl:Class",
      "d3f:attack-id": "T1073",
      "rdfs:label": "DLL Side-Loading",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-615",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-615",
      "rdfs:label": "Inclusion of Sensitive Information in Source Code Comments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:JavaArchive",
      "@type": "owl:Class",
      "d3f:definition": "A JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution.",
      "rdfs:label": "Java Archive",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/JAR_(file_format)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ArchiveFile"
        },
        {
          "@id": "d3f:SoftwarePackage"
        }
      ]
    },
    {
      "@id": "d3f:CWE-313",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-313",
      "rdfs:label": "Cleartext Storage in a File or on Disk",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:Reference-PointerAuthenticationProjectZero",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html"
      },
      "d3f:kb-abstract": "In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel PAC signatures for the A keys, which is sufficient to execute arbitrary code in the kernel using JOP. The technique I discovered was (mostly) fixed in iOS 12.1.3. In fact, this fix first appeared in the 16D5032a beta while my research was still ongoing.",
      "d3f:kb-author": "Brandon Azad",
      "d3f:kb-organization": "Project Zero, Google, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PointerAuthentication"
      },
      "d3f:kb-reference-title": "Examining Pointer Authentication on the iPhone XS",
      "rdfs:label": "Reference - Pointer Authentication Project Zero"
    },
    {
      "@id": "d3f:Centroid-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CBC",
      "d3f:definition": "Centroid-based clustering organizes the data into non-hierarchical clusters, in contrast to hierarchical clustering defined below. K-means is the most widely-used centroid-based clustering algorithm. Centroid-based algorithms are efficient but sensitive to initial conditions and outliers.",
      "d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering Algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
      "rdfs:label": "Centroid-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:CodeAnalyzer",
      "@type": "owl:Class",
      "d3f:definition": "Code analyzers automatically analyze the composition or behavior of computer programs regarding a property such as correctness, robustness, security, and safety. Program analysis can be performed without executing the program (static program analysis), during runtime (dynamic program analysis) or in a combination of both.",
      "rdfs:label": "Code Analyzer",
      "rdfs:seeAlso": {
        "@id": "dbr:Program_analysis"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": "Program Analysis Tool"
    },
    {
      "@id": "d3f:T1555.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:DatabaseFile"
      },
      "d3f:attack-id": "T1555.003",
      "d3f:may-access": {
        "@id": "d3f:In-memoryPasswordStore"
      },
      "d3f:may-invoke": {
        "@id": "d3f:ReadFile"
      },
      "rdfs:label": "Credentials from Web Browsers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:Na7e39a14715c429e8e9673db23aa5f66"
        },
        {
          "@id": "_:N0903e6a780f346bda2bd9918c3b57dd7"
        },
        {
          "@id": "_:Ne262ead5b2bb4d838b78897c06643a17"
        }
      ]
    },
    {
      "@id": "_:Na7e39a14715c429e8e9673db23aa5f66",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseFile"
      }
    },
    {
      "@id": "_:N0903e6a780f346bda2bd9918c3b57dd7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:In-memoryPasswordStore"
      }
    },
    {
      "@id": "_:Ne262ead5b2bb4d838b78897c06643a17",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ReadFile"
      }
    },
    {
      "@id": "d3f:T1041",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1041",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over C2 Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N48f8621f41ef4f798b1ac0ae604d6f8f"
        },
        {
          "@id": "_:N35c8a97219fc41c3b95697703ac0e29e"
        }
      ]
    },
    {
      "@id": "_:N48f8621f41ef4f798b1ac0ae604d6f8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:N35c8a97219fc41c3b95697703ac0e29e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Revocation of Access Authorizations",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "rdfs:label": "AC-3(8)"
    },
    {
      "@id": "d3f:OSAPIReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:ReadFile"
      },
      "rdfs:label": "OS API Read File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nb565e5d65fbc4f19860c492a14269738"
        }
      ]
    },
    {
      "@id": "_:Nb565e5d65fbc4f19860c492a14269738",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ReadFile"
      }
    },
    {
      "@id": "d3f:UseCaseProcedure",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Procedure",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDUseCaseThing"
        },
        {
          "@id": "d3f:Procedure"
        }
      ]
    },
    {
      "@id": "d3f:may-execute",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may execute y: The subject x might take the action of carrying out (executing) y, which is a single software module, function, or instruction.",
      "rdfs:label": "may-execute",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1301",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1301",
      "rdfs:label": "Insufficient or Incomplete Data Removal within Hardware Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:CWE-342",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-342",
      "rdfs:label": "Predictable Exact Value from Previous Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:T1480",
      "@type": "owl:Class",
      "d3f:attack-id": "T1480",
      "rdfs:label": "Execution Guardrails",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001083_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001083"
    },
    {
      "@id": "d3f:Reference-CiscoASR9000AccessListCommands",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter1.html"
      },
      "d3f:kb-abstract": "An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR Software software features such as traffic filtering, priority or custom queueing, and dynamic access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.",
      "d3f:kb-organization": "Cisco",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkTrafficPolicyMapping"
      },
      "d3f:kb-reference-title": "Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands",
      "rdfs:label": "Reference - Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands"
    },
    {
      "@id": "d3f:T1071.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.004",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "rdfs:label": "DNS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N0c86f159fa4140a49f6110f44be6b9aa"
        }
      ]
    },
    {
      "@id": "_:N0c86f159fa4140a49f6110f44be6b9aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:injects",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x injects y: The subject x takes the action of exploiting a security flaw by introducing (injecting) y, which is code or data that will change the course of execution or state of a computing process to an alternate course or state. Typically code injection is associated with adversaries intending the alternate course to facilitate a malevolent purpose; however, code injection can be unintentional or the intentions behind it may be good or benign.",
      "rdfs:label": "injects",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Code_injection"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00916722-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:executes"
      }
    },
    {
      "@id": "d3f:OutputDevice",
      "@type": "owl:Class",
      "d3f:definition": "An output device is any piece of computer hardware equipment which converts information into human-readable form. It can be text, graphics, tactile, audio, and video. Some of the output devices are Visual Display Units (VDU) i.e. a Monitor, Printer, Graphic Output devices, Plotters, Speakers etc. A new type of Output device is been developed these days, known as Speech synthesizer, a mechanism attached to the computer which produces verbal output sounding almost like human speeches.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Output_device"
      },
      "rdfs:label": "Output Device",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-121",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-121",
      "rdfs:label": "Stack-based Buffer Overflow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-787"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001428_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001428"
    },
    {
      "@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8045488B2"
      },
      "d3f:kb-abstract": "Spanning Tree Protocol (STP) data is obtained via network switch (SNMP) queries to enhance identification of switch-to-switch links in Layer-2 mapping. In particular, by analyzing the STP data, ambiguity in determining switch uplink ports may be reduced. Specifically, the STP data can be used in conjunction with other topography data to provide Layer-2 connectivity for nodes on a network topology. Layer-2 address mapping tables are collected from a topology mapping, and STP data is collected, along with address translation tables (ARP) tables. Using this information, switches are identified using Layer-2 address tables. The STP data can be correlated by comparing data in switches, identifying switch ports directly connected to other switch ports, and eliminating direct switch-to-switch port connections from consideration for further Layer-2 node mappings.",
      "d3f:kb-author": "Michael Jon Swan",
      "d3f:kb-organization": "SolarWinds Worldwide LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActivePhysicalLinkMapping"
      },
      "d3f:kb-reference-title": "Using spanning tree protocol (STP) to enhance layer-2 topology maps",
      "rdfs:label": "Reference - Using spanning tree protocol (STP) to enhance layer-2 topology maps"
    },
    {
      "@id": "d3f:loads",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x loads y: The technique or process x transfers a software from a storage y to a computer's memory for subsequent execution.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02236692-v"
      },
      "rdfs:label": "loads",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:PersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Persistence"
      },
      "rdfs:label": "Persistence Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N71e2f727c9744d6babead13f0ae78cfa"
        }
      ]
    },
    {
      "@id": "_:N71e2f727c9744d6babead13f0ae78cfa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Persistence"
      }
    },
    {
      "@id": "d3f:CWE-343",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-343",
      "rdfs:label": "Predictable Value Range from Previous Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:T1584.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.001",
      "rdfs:label": "Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:Prolog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PRO",
      "d3f:definition": "Prolog has its roots in first-order logic, a formal logic, and unlike many other programming languages.",
      "d3f:kb-article": "## How it works\nProlog is intended primarily as a declarative programming language: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations.\n\n## References\n1. Prolog. (2023, April 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Prolog)",
      "rdfs:label": "Prolog",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:restricted-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:restricts"
      },
      "rdfs:label": "restricted-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1137",
      "@type": "owl:Class",
      "d3f:attack-id": "T1137",
      "rdfs:label": "Office Application Startup",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:FileEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-FE",
      "d3f:definition": "Encrypting a file using a cryptographic key.",
      "d3f:encrypts": {
        "@id": "d3f:File"
      },
      "d3f:kb-article": "## How it Works\nFiles are encrypted using either a single key for both encryption and decryption or separate keys. Single key encryption is symmetric encryption and using two key distinct keys is asymmetric encryption.\n\n### Symmetric Cryptography\nSymmetric encryption uses the same cryptographic key for both the encryption and decryption a file. Managing keys at scale sometimes uses asymmetric key exchange protocols such as Diffie-Hellman can be used to share the symmetric cryptographic key with the others.\n\n### Asymmetric Cryptography\nAsymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. Files are encrypted using the public key and decrypted using their private key. Asymmetric encryption is typically slower than symmetric encryption and not widely used for large file encryption, but is popular for key wrapping, key exchanges, and digital signatures.\n\n## Considerations\n- Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.\n- Secure transfer of private keys between multiple devices.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForFileEncryption"
      },
      "rdfs:label": "File Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N54ed391b87034b6fa04447858b2d7fe8"
        }
      ]
    },
    {
      "@id": "_:N54ed391b87034b6fa04447858b2d7fe8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1097",
      "@type": "owl:Class",
      "d3f:attack-id": "T1097",
      "rdfs:label": "Pass the Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:ProcessorComponent",
      "@type": "owl:Class",
      "rdfs:label": "Processor Component",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:RFTransmitter",
      "@type": "owl:Class",
      "rdfs:label": "RF Transmitter",
      "rdfs:subClassOf": {
        "@id": "d3f:RFNode"
      }
    },
    {
      "@id": "d3f:CCI-002749_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits the use of the manual override capability.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002749"
    },
    {
      "@id": "d3f:CWE-536",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-536",
      "rdfs:label": "Servlet Runtime Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:T1039",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:NetworkFileShareResource"
      },
      "d3f:attack-id": "T1039",
      "rdfs:label": "Data from Network Shared Drive",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N0e23011a13c04817b56cffce9a7bea99"
        }
      ]
    },
    {
      "@id": "_:N0e23011a13c04817b56cffce9a7bea99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFileShareResource"
      }
    },
    {
      "@id": "d3f:CCI-002711_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:TPMBootIntegrity"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002711"
    },
    {
      "@id": "d3f:Appliance",
      "@type": "owl:Class",
      "rdfs:label": "Appliance",
      "rdfs:subClassOf": {
        "@id": "d3f:Product"
      }
    },
    {
      "@id": "d3f:UserManual",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "User Manual",
      "rdfs:subClassOf": {
        "@id": "d3f:Document"
      }
    },
    {
      "@id": "d3f:UserInitConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user initialization configuration file is a file containing the information necessary to configure that part of a user's environment which is common to all applications and actions. User configurations may be overridden by more specific configuration information (such as that found in a application configuration file.)",
      "rdfs:label": "User Init Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ],
      "skos:altLabel": "User Configuration File"
    },
    {
      "@id": "d3f:T1137.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:OfficeApplicationFile"
      },
      "d3f:attack-id": "T1137.003",
      "rdfs:label": "Outlook Forms",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N3c4e02d6385f431eb32a2f1ed37707b4"
        }
      ]
    },
    {
      "@id": "_:N3c4e02d6385f431eb32a2f1ed37707b4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplicationFile"
      }
    },
    {
      "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-07-002/"
      },
      "d3f:kb-abstract": "ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.\n\nProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-07-002: Lsass Process Dump via Procdump",
      "rdfs:label": "Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE"
    },
    {
      "@id": "d3f:T1574.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.007",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Path Interception by PATH Environment Variable",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N5d74d0c8727548e6b23920d22c1ba9ba"
        }
      ]
    },
    {
      "@id": "_:N5d74d0c8727548e6b23920d22c1ba9ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:RestoreAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-RA",
      "d3f:definition": "Restoring an entity's access to resources.",
      "d3f:enables": {
        "@id": "d3f:Restore"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "rdfs:label": "Restore Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nd24012a07e674575bcf6f319f7e4ca55"
        }
      ]
    },
    {
      "@id": "_:Nd24012a07e674575bcf6f319f7e4ca55",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Restore"
      }
    },
    {
      "@id": "d3f:T1492",
      "@type": "owl:Class",
      "d3f:attack-id": "T1492",
      "rdfs:label": "Stored Data Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:isolates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x isolates y: The technique or agent x sets digital artifact y apart from other digital artifacts, sequestering y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00496744-v"
      },
      "rdfs:label": "isolates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:CWE-554",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-554",
      "rdfs:label": "ASP.NET Misconfiguration: Not Using Input Validation Framework",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:CWE-500",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-500",
      "rdfs:label": "Public Static Field Not Marked Final",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-493"
      }
    },
    {
      "@id": "d3f:CommandHistoryLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of commands run in an operating system shell.",
      "rdfs:label": "Command History Log",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Command_history"
        },
        "d3f:CommandLineInterface"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:SegmentAddressOffsetRandomization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-SAOR",
      "d3f:definition": "Randomizing the base (start) address of one or more segments of memory during the initialization of a process.",
      "d3f:kb-article": "## How it works\n\nMany application exploits rely on an attacker specifying a location in memory, which points to data or code used by the attacker.  If the addresses are changed each time the program is run, then it becomes more difficult for the attacker to determine the location that will contain the code they wish to run.\n\nImported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as \"rebasing.\"  Just as not all code is built for participation in ASLR, not all modules can be rebased; instead, modules must indicate whether they implement support for rebasing.  Such information to relocate the executable is typically stored in the \".reloc\" segment -- each of the addresses pointed to in this segment has its address increased by the amount of the offset.\n(An alternative method for relocation would be to add an amount to a global variable each time -- leading to less overhead in the module load, but more for each access.  Still another implementation could instead contain code to deference each changeable memory location on the fly, so that each of the references do not need to be updated.\n\n\n## Considerations\n\nAs the offset for each segment is constant, it is possible to guess at the value of the address given the address of another variable.  Alternatively, memory pointers may be kept around, which contain the address of another variable.\nAnother bypass technique is known as an \"egg hunt,\" whereby the attacker searches for a rather unique piece of the data or code in memory to determine its likely address.\n\nThe program needs to store these addresses for the functions somewhere.  In Linux, the PLT contains a \"trampoline\" to these addresses.  
If an attacker desires to jump to the start of an existing function, they can jump directly to the trampoline anyway, and may have the opportunity to provide their own stack frame to the function with a write to the stack. If they overwrite a saved stack pointer which is loaded back into memory, or execute a function, that changes the address of a stack pointer.\n\nIf an attacker wants to inject some data into the program, for example as a parameter to a known function that is not under ASLR or a pointer to a trampoline function in the PLT, then they can repeat the data until they exceed the range of ASLR coverage, which on 32-bit systems is accomplishable in a few seconds with a heap spray.  Microsoft's EMET and Windows 10 Exploit Guard can pre-allocate particular addresses that are commonly used in heap sprays.  However, in many products, there does not seem to be nearly a complete coverage of such addresses, which only need to be executable and in the range of the heap; 0x0c0c0c0c is such an address that is commonly used for the x86 processor architecture, as when executed it only performs a numeric operation to a register four times.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs"
        },
        {
          "@id": "d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld"
        }
      ],
      "d3f:obfuscates": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:synonym": [
        "Address Space Layout Randomization",
        "ASLR"
      ],
      "rdfs:label": "Segment Address Offset Randomization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N0a08c4b0e4a9401d8c70f23171f109c5"
        }
      ]
    },
    {
      "@id": "_:N0a08c4b0e4a9401d8c70f23171f109c5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:obfuscates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:CWE-150",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-150",
      "rdfs:label": "Improper Neutralization of Escape, Meta, or Control Sequences",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:contributor",
      "@type": "owl:ObjectProperty",
      "rdfs:range": {
        "@id": "owl:Thing"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:KerberosTicketGrantingServiceTicket",
      "@type": "owl:Class",
      "d3f:definition": "A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request.",
      "rdfs:label": "Kerberos Ticket Granting Service Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:KerberosTicket"
      },
      "skos:altLabel": "TGS Ticket"
    },
    {
      "@id": "d3f:RegOpenKeyTransactedW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:CWE-362",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-362",
      "d3f:weakness-of": {
        "@id": "d3f:SharedResourceAccessFunction"
      },
      "rdfs:label": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-691"
        },
        {
          "@id": "_:N5dc30052756847f18d92407c24d61e50"
        }
      ]
    },
    {
      "@id": "_:N5dc30052756847f18d92407c24d61e50",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedResourceAccessFunction"
      }
    },
    {
      "@id": "d3f:may-be-tactically-associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-be-tactically-associated-with y: the defensive technique x may be a tactic that counters offensive technique y.",
      "rdfs:domain": {
        "@id": "d3f:DefensiveTechnique"
      },
      "rdfs:label": "may-be-tactically-associated-with",
      "rdfs:range": {
        "@id": "d3f:OffensiveTechnique"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1580",
      "@type": "owl:Class",
      "d3f:attack-id": "T1580",
      "rdfs:label": "Cloud Infrastructure Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-911",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-911",
      "rdfs:label": "Improper Update of Reference Count",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:MailNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Email"
      },
      "d3f:definition": "Mail traffic is network traffic that uses a standard mail transfer protocol.",
      "rdfs:label": "Mail Network Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTraffic"
        },
        {
          "@id": "_:N3696868463ad4e768e3c9c581e8d481b"
        }
      ]
    },
    {
      "@id": "_:N3696868463ad4e768e3c9c581e8d481b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:Reference-RFC7489-Domain-basedMessageAuthentication-Reporting-AndConformance-DMARC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc7489"
      },
      "d3f:kb-abstract": "Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.\n\nOriginators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers.  These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.\n\nDMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.",
      "d3f:kb-author": "M. Kucherawy, E. Zwicky",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)",
      "rdfs:label": "Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETF"
    },
    {
      "@id": "d3f:CWE-238",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-238",
      "rdfs:label": "Improper Handling of Incomplete Structural Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-237"
      }
    },
    {
      "@id": "d3f:version",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "d3f:definition": "x version y: The product or service x has the version y.",
      "rdfs:domain": {
        "@id": "_:Nfd43980ec7c245a887397e0dc8e5e9e8"
      },
      "rdfs:label": {
        "@language": "en",
        "@value": "version"
      },
      "rdfs:range": {
        "@id": "_:Nd32655b774534603bb38fdce0536326d"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-catalog-data-property"
        },
        {
          "@id": "d3f:d3fend-external-control-data-property"
        }
      ]
    },
    {
      "@id": "_:Nfd43980ec7c245a887397e0dc8e5e9e8",
      "@type": "owl:Class",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "d3f:CapabilityImplementation"
          },
          {
            "@id": "d3f:ControlCatalog"
          }
        ]
      }
    },
    {
      "@id": "_:Nd32655b774534603bb38fdce0536326d",
      "@type": "rdfs:Datatype",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "xsd:integer"
          },
          {
            "@id": "xsd:string"
          }
        ]
      }
    },
    {
      "@id": "d3f:ResidualNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RNN",
      "d3f:definition": "A residual neural network (ResNet) is an artificial neural network (ANN). It is a gateless or open-gated variant of the HighwayNet, the first working very deep feedforward neural network with hundreds of layers, much deeper than previous neural networks.",
      "d3f:kb-article": "## References\nWikipedia contributors. (2021, August 23). Residual neural network. In Wikipedia, The Free Encyclopedia. [Link](https://en.wikipedia.org/wiki/Residual_neural_network)",
      "rdfs:label": "Residual Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:ConvolutionalNeuralNetwork"
      }
    },
    {
      "@id": "d3f:Reference-DaggerModelingAndVisualizationForMissionImpactSituationalAwareness",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/7795296"
      },
      "d3f:kb-abstract": "Dagger is a modeling and visualization framework that addresses the challenge of representing knowledge and information for decision-makers, enabling them to better comprehend the operational context of network security data. It allows users to answer critical questions such as “Given that I care about mission X, is there any reason I should be worried about what is going on in cyberspace?” or “If this system fails, will I still be able to accomplish my mission?”.",
      "d3f:kb-author": "Elisha Peterson",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Dagger: Modeling and visualization for mission impact situational awareness",
      "rdfs:label": "Reference - Dagger: Modeling and visualization for mission impact situational awareness"
    },
    {
      "@id": "d3f:T1114.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MailServer"
      },
      "d3f:attack-id": "T1114.002",
      "rdfs:label": "Remote Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:Ne1bf7b7d0f9349f8944f6172b3a03482"
        }
      ]
    },
    {
      "@id": "_:Ne1bf7b7d0f9349f8944f6172b3a03482",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "d3f:CWE-834",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-834",
      "rdfs:label": "Excessive Iteration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:ConnectionAttemptAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-CAA",
      "d3f:definition": "Analyzing failed connections in a network to detect unauthorized activity.",
      "d3f:kb-article": "## How it works\nConnection Attempt Analysis can be performed in multiple ways.\n\n### Monitoring traffic to unallocated IP space\nOne approach looks for failed connection attempts against unallocated IP space. First, network traffic is captured to map out the network to identify network assets as well as unallocated IP space. The map is then used to determine if connection attempts are being made to the unallocated IP space.\n\n### Monitoring for sequentially transmitted traffic\nAnother approach passively inspects network traffic with application protocol analyzers observing network activity characteristics such as volume of packets sent/received, TCP session attributes, and connection information between hosts (start time, source/destination host, services, etc.). Then using pattern matching to identify traffic which appears to be probing for network hosts.\n\n## Considerations\n\n* Implementations that rely on analysis of unallocated IP address space increase in their complexity with network size and decentralized network infrastructure.\n* Inventory of unallocated IP space should be continuously updated to mitigate the risk of false positives.\n* IPv6 also introduces challenges including IPv6 traffic bypassing IPv4 specific protection systems (ex. firewalls and IDS) and complexity in managing both IPv6 and IPv4 addresses.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc"
      },
      "d3f:synonym": "Network Scan Detection",
      "rdfs:label": "Connection Attempt Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Ncce5f0815fb64ff799df03de88beca67"
        }
      ]
    },
    {
      "@id": "_:Ncce5f0815fb64ff799df03de88beca67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-002403_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002403"
    },
    {
      "@id": "d3f:InstantMessagingClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software used to engage in Instant Messaging, a type of online chat that offers real-time text transmission over the Internet. A LAN messenger operates in a similar way over a local area network. Short messages are typically transmitted between two parties, when each user chooses to complete a thought and select \"send\". Some IM applications can use push technology to provide real-time text, which transmits messages character by character, as they are composed. More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP, or video chat.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/wiki/Instant_messaging"
      },
      "rdfs:label": "Instant Messaging Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      }
    },
    {
      "@id": "d3f:CWE-425",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-425",
      "rdfs:label": "Direct Request ('Forced Browsing')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-288"
        },
        {
          "@id": "d3f:CWE-424"
        },
        {
          "@id": "d3f:CWE-862"
        }
      ]
    },
    {
      "@id": "d3f:WindowsNtReadFileScatter",
      "@type": "owl:Class",
      "d3f:definition": "Reads specified block from file into multiple buffers. Each buffer must have one page length.",
      "rdfs:label": "Windows NtReadFileScatter",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPIReadFile"
        }
      ]
    },
    {
      "@id": "d3f:T1093",
      "@type": "owl:Class",
      "d3f:attack-id": "T1093",
      "rdfs:label": "Process Hollowing",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1296",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1296",
      "rdfs:label": "Incorrect Chaining or Granularity of Debug Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170286683A1/en?oq=US-2017286683-A1"
      },
      "d3f:kb-abstract": "A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process, initiated by and executing on by the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters, a first time pointer. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "The patent describes detecting malicious processes by identifying the order of process initiation. The start of a user initiated process (user query, opening an application, etc.) is compared with the start of processes initiated by the device (ex. during boot). In addition, a determination is made on whether processes are not initiated by a user by examining process parameters such as type of process, its creator, source, etc. If it is determined that a user initiated process was started before a process initiated by the device and a process was not initiated by the user, the process is marked as suspicious.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "System and methods thereof for identification of suspicious system processes",
      "rdfs:label": "Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-471",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-471",
      "rdfs:label": "Modification of Assumed-Immutable Data (MAID)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-CredentialDumpingViaMimikatz_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-004/"
      },
      "d3f:kb-abstract": "Credential dumpers like Mimikatz can be loaded into memory and from there read data from other processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are \"overtuned\" to look for common access patterns used by Mimikatz.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-004: Credential Dumping via Mimikatz",
      "rdfs:label": "Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE"
    },
    {
      "@id": "d3f:CWE-1264",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1264",
      "rdfs:label": "Hardware Logic with Insecure De-Synchronization between Control and Data Channels",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:OutboundInternetMailTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet mail traffic is network traffic using a standard email protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Mail Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "skos:altLabel": "Outbound Internet Email Traffic"
    },
    {
      "@id": "d3f:RawMemoryAccessFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "A function which accesses raw memory, usually using memory addresses.",
      "rdfs:label": "Raw Memory Access Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Ne9c7f39b40d04f59835e7055e3560529"
        }
      ]
    },
    {
      "@id": "_:Ne9c7f39b40d04f59835e7055e3560529",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:DNN-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "DNNs serve for clustering as mappings to better representations. The features of these representations can be drawn from different layers of the network or even from several layers.",
      "d3f:kb-article": "## References\nOpenReview. (n.d.). Unsupervised Clustering using Pseudo Ensemble Models. [Link](https://openreview.net/pdf?id=B1eT9VMgOX)",
      "rdfs:label": "DNN-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:T1056.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1056.003",
      "d3f:modifies": {
        "@id": "d3f:WebServerApplication"
      },
      "rdfs:label": "Web Portal Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:Nb250a37d84484a6f9effada1e6f51a60"
        }
      ]
    },
    {
      "@id": "_:Nb250a37d84484a6f9effada1e6f51a60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebServerApplication"
      }
    },
    {
      "@id": "d3f:may-disable",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-disable",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-evict"
      }
    },
    {
      "@id": "d3f:AssetVulnerabilityEnumeration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-AVE",
      "d3f:definition": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.",
      "d3f:evaluates": [
        {
          "@id": "d3f:PhysicalArtifact"
        },
        {
          "@id": "d3f:Software"
        }
      ],
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem"
        },
        {
          "@id": "d3f:Reference-SecurityVulnerabilityInformationAggregation"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment"
        }
      ],
      "rdfs:label": "Asset Vulnerability Enumeration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N4a3a7beaa5ec4ee89e9cc9a5cfafbf24"
        },
        {
          "@id": "_:N2a99059144f64783a202406cdb8ff19f"
        },
        {
          "@id": "_:Nac9b040f95c2454baf66beca1af92c77"
        }
      ]
    },
    {
      "@id": "_:N4a3a7beaa5ec4ee89e9cc9a5cfafbf24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "_:N2a99059144f64783a202406cdb8ff19f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:Nac9b040f95c2454baf66beca1af92c77",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:CCI-000029_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined limitations on the embedding of data types within other data types.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000029"
    },
    {
      "@id": "d3f:M1029",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "IT disaster recovery plans are outside the current scope of D3FEND.",
      "rdfs:label": "Remote Data Storage"
    },
    {
      "@id": "d3f:rating",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "rdfs:label": "rating",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:T1606.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1606.002",
      "rdfs:label": "SAML Tokens",
      "rdfs:subClassOf": {
        "@id": "d3f:T1606"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_12",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Data Type Identifiers",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(12)"
    },
    {
      "@id": "d3f:CWE-357",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-357",
      "rdfs:label": "Insufficient UI Warning of Dangerous Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:RemoteTerminalSession",
      "@type": "owl:Class",
      "d3f:definition": "A remote terminal session is a session that provides a user access from one host to another host via a terminal.",
      "rdfs:label": "Remote Terminal Session",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:T1565.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.002",
      "d3f:may-modify": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Transmitted Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:N891e443721624101bac93bb77e463624"
        }
      ]
    },
    {
      "@id": "_:N891e443721624101bac93bb77e463624",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-434",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-434",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Unrestricted Upload of File with Dangerous Type",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-669"
        },
        {
          "@id": "_:N8adde31101264b3081242a673d817d64"
        }
      ]
    },
    {
      "@id": "_:N8adde31101264b3081242a673d817d64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-628",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-628",
      "rdfs:label": "Function Call with Incorrectly Specified Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:T1526",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1526",
      "d3f:reads": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Cloud Service Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N623c54ab64d4487791d4433c947b7cad"
        }
      ]
    },
    {
      "@id": "_:N623c54ab64d4487791d4433c947b7cad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-337",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-337",
      "rdfs:label": "Predictable Seed in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:AcademicArticle",
      "@type": "owl:Class",
      "rdfs:label": "Academic Article",
      "rdfs:subClassOf": {
        "@id": "d3f:Article"
      }
    },
    {
      "@id": "d3f:CWE-1286",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1286",
      "rdfs:label": "Improper Validation of Syntactic Correctness of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-11",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-11",
      "rdfs:label": "ASP.NET Misconfiguration: Creating Debug Binary",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-489"
      }
    },
    {
      "@id": "d3f:T1053.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.007",
      "rdfs:label": "Container Orchestration Job",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:T1165",
      "@type": "owl:Class",
      "d3f:attack-id": "T1165",
      "rdfs:label": "Startup Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:PolicyReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Policy",
      "rdfs:label": "Policy Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:T1023",
      "@type": "owl:Class",
      "d3f:attack-id": "T1023",
      "rdfs:label": "Shortcut Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1485",
      "@type": "owl:Class",
      "d3f:attack-id": "T1485",
      "rdfs:label": "Data Destruction",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1076",
      "@type": "owl:Class",
      "d3f:attack-id": "T1076",
      "rdfs:label": "Remote Desktop Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:T1557.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1557.002",
      "rdfs:label": "ARP Cache Poisoning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1557"
      }
    },
    {
      "@id": "d3f:WindowsNtFreeVirtualMemory",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtFreeVirtualMemory",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFreeMemory"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:AverageAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AAD",
      "d3f:definition": "The average absolute deviation (AAD) of a data set is the average of the absolute deviations from a central point.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "rdfs:label": "Average Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:Datalog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DAT",
      "d3f:definition": "Datalog is a declarative logic programming language that is syntactically a subset of Prolog.",
      "d3f:kb-article": "## How it works\nDatalog generally uses a bottom-up rather than top-down evaluation model. This difference yields significantly different behavior and properties from Prolog. It is often used as a query language for deductive databases. Datalog has been applied to problems in data integration, networking, program analysis, and more.\n\n## References\n1. Datalog. (2023, April 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Datalog)",
      "rdfs:label": "Datalog",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:ForwardResolutionDomainDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-FRDDL",
      "d3f:definition": "Blocking a lookup based on the query's domain name value.",
      "d3f:kb-article": "## How it works\n\nPolicies are created that filter DNS queries using the fully qualified domain name (FQDN) of the record in the query. A DNS policy can be created for blocking DNS queries from FQDNs that have been identified as unauthorized.\n\n## Considerations\n\nContinuous maintenance of unauthorized domain lists is needed to keep up to date as updates occur.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Forward Resolution Domain Blacklisting",
      "rdfs:label": "Forward Resolution Domain Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:N5ada7d2d225d45688874bf08481470d2"
        }
      ]
    },
    {
      "@id": "_:N5ada7d2d225d45688874bf08481470d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:WindowsNtQuerySystemTime",
      "@type": "owl:Class",
      "d3f:definition": "Returns current time in Coordinated Universal Time (UTC) 8-bytes format.",
      "rdfs:label": "Windows NtQuerySystemTime",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIGetSystemTime"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-003/"
      },
      "d3f:kb-abstract": "Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-003: DLL Injection with Mavinject",
      "rdfs:label": "Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITRE"
    },
    {
      "@id": "d3f:CWE-223",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-223",
      "rdfs:label": "Omission of Security-relevant Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:T1033",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1033",
      "d3f:may-access": [
        {
          "@id": "d3f:DirectoryService"
        },
        {
          "@id": "d3f:GetSystemConfigValue"
        },
        {
          "@id": "d3f:PasswordFile"
        },
        {
          "@id": "d3f:ProcessSegment"
        }
      ],
      "d3f:may-invoke": [
        {
          "@id": "d3f:CopyToken"
        },
        {
          "@id": "d3f:CreateProcess"
        }
      ],
      "rdfs:label": "System Owner/User Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nfc66c5d285f545cda451f959fd32031a"
        },
        {
          "@id": "_:Nf9f4f3c1d0a84394949ba67a66c53711"
        },
        {
          "@id": "_:N79f8af06d8e54e2f876a2789fdd284d9"
        },
        {
          "@id": "_:Nbbc9298fc6b44166bc5e8c7e912f3468"
        },
        {
          "@id": "_:N74d65bea33184c63812ba7c4a8e58b5f"
        },
        {
          "@id": "_:N79f6cbab320e4f72b16d4836bbd0eae7"
        }
      ]
    },
    {
      "@id": "_:Nfc66c5d285f545cda451f959fd32031a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DirectoryService"
      }
    },
    {
      "@id": "_:Nf9f4f3c1d0a84394949ba67a66c53711",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "_:N79f8af06d8e54e2f876a2789fdd284d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "_:Nbbc9298fc6b44166bc5e8c7e912f3468",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N74d65bea33184c63812ba7c4a8e58b5f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CopyToken"
      }
    },
    {
      "@id": "_:N79f6cbab320e4f72b16d4836bbd0eae7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:M1030",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BroadcastDomainIsolation"
        },
        {
          "@id": "d3f:EncryptedTunnels"
        },
        {
          "@id": "d3f:InboundSessionVolumeAnalysis"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        }
      ],
      "rdfs:label": "Network Segmentation"
    },
    {
      "@id": "d3f:CCI-002290_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002290"
    },
    {
      "@id": "d3f:CWE-1101",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1101",
      "rdfs:label": "Reliance on Runtime Component in Generated Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x associated-with y: The subject x and object y are associated in some way.  This is the most general definite relationship in d3fend (i.e., most general relationship that is not prefixed by 'may-'.)",
      "rdfs:label": "associated-with",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13804981-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:FileSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        },
        {
          "@id": "d3f:FileSystemMetadata"
        }
      ],
      "d3f:definition": "In computing, a file system or filesystem is used to control how data is stored and retrieved. Without a file system, information placed in a storage medium would be one large body of data with no way to tell where one piece of information stops and the next begins. By separating the data into pieces and giving each piece a name, the information is easily isolated and identified. Taking its name from the way paper-based information systems are named, each group of data is called a \"file\". The structure and logic rules used to manage the groups of information and their names is called a \"file system\".",
      "rdfs:isDefinedBy": {
        "@id": "dbr:File_system"
      },
      "rdfs:label": "File System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nb050df9267e9495c97426083764d3062"
        },
        {
          "@id": "_:N9500c4600eea4e3787bc70f4de243964"
        },
        {
          "@id": "_:N0dda92939c9d4c28b77d2198a3039454"
        },
        {
          "@id": "_:N6f0cea92c1044f8a853e6d2634e800b5"
        }
      ]
    },
    {
      "@id": "_:Nb050df9267e9495c97426083764d3062",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:N9500c4600eea4e3787bc70f4de243964",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N0dda92939c9d4c28b77d2198a3039454",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "_:N6f0cea92c1044f8a853e6d2634e800b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:T1071.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.002",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetFileTransferTraffic"
      },
      "rdfs:label": "File Transfer Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N84880384584449469c9028417bdb3b14"
        }
      ]
    },
    {
      "@id": "_:N84880384584449469c9028417bdb3b14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetFileTransferTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Audit Log Storage Capacity",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-4"
    },
    {
      "@id": "d3f:PlatformMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-PM",
      "d3f:definition": "Monitoring platform components such as operating systems software, hardware devices, or firmware.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.\n\nMonitored platform components includes system files and embedded devices such as:\n\n * Kernel software modules\n * Boot process code and load logic\n * Operating system components and device files\n * System libraries and dynamically loaded files\n * Hardware device drivers\n * Embedded firmware devices",
      "rdfs:label": "Platform Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nbdcdb36cf6a0426ea6b4ae8a58e44c78"
        }
      ]
    },
    {
      "@id": "_:Nbdcdb36cf6a0426ea6b4ae8a58e44c78",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:DomainTrustPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-DTP",
      "d3f:definition": "Restricting inter-domain trust by modifying domain configuration.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices"
      },
      "d3f:restricts": [
        {
          "@id": "d3f:DirectoryService"
        },
        {
          "@id": "d3f:T1087.002"
        }
      ],
      "rdfs:label": "Domain Trust Policy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:Ne85e0b6680cf4f05a8c2c6c52d338237"
        },
        {
          "@id": "_:N1882819553f148ae84a2d22fca7b87ff"
        }
      ]
    },
    {
      "@id": "_:Ne85e0b6680cf4f05a8c2c6c52d338237",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DirectoryService"
      }
    },
    {
      "@id": "_:N1882819553f148ae84a2d22fca7b87ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:T1087.002"
      }
    },
    {
      "@id": "d3f:Reference-InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060236108A1/en"
      },
      "d3f:kb-abstract": "A method and system for automatic termination of unauthorized malevolent processes operating on an information handling system. A list of authenticated and essential process list is stored on the information handling system. Unauthorized processes not contained on the list can be automatically terminated by the user by invoking the present invention with a single click of a mouse or pointer device on an icon residing on the display screen of the information handling system. The offending processes are immediately terminated without generating a user prompt, which would ordinarily provide sufficient time for the malware to spawn additional offending processes. The present invention also provides significant means to recover control of a malware-infected information handling system in order to use repair tools and utilities. The present invention can be deployed at the time of manufacture of an information handling system or independently installed by a user.",
      "d3f:kb-author": "Carlton Andrews",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Dell Products LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Instant process termination tool to recover control of an information handling system",
      "rdfs:label": "Reference - Instant process termination tool to recover control of an information handling system - Dell Products LP"
    },
    {
      "@id": "d3f:ExecutableFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "In computing, executable code or an executable file or executable program, sometimes simply an executable, causes a computer \"to perform indicated tasks according to encoded instructions,\" as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU. However, in a more general sense, a file containing instructions (such as bytecode) for a software interpreter may also be considered executable; even a scripting language source file may therefore be considered executable in this sense. The exact interpretation depends upon the use; while the term often refers only to machine code files, in the context of protection against computer viruses all files which cause potentially hazardous instruction",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Executable"
      },
      "rdfs:label": "Executable File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Nbbc1a29fd93b445ab98d2d156a6adf86"
        }
      ],
      "skos:altLabel": "Executable"
    },
    {
      "@id": "_:Nbbc1a29fd93b445ab98d2d156a6adf86",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CWE-1049",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1049",
      "rdfs:label": "Excessive Data Query Operations in a Large Data Table",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:T1548.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.004",
      "d3f:creates": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Elevated Execution with Prompt",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:Na75c418d5f8b481286148962c154de2a"
        },
        {
          "@id": "_:Nbd73999211634e02816af6f7689c3cca"
        }
      ]
    },
    {
      "@id": "_:Na75c418d5f8b481286148962c154de2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Nbd73999211634e02816af6f7689c3cca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-446",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-446",
      "rdfs:label": "UI Discrepancy for Security Feature",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-006/"
      },
      "d3f:kb-abstract": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit",
      "rdfs:label": "Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE"
    },
    {
      "@id": "d3f:T1596.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.004",
      "rdfs:label": "CDNs",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:T1487",
      "@type": "owl:Class",
      "d3f:attack-id": "T1487",
      "rdfs:label": "Disk Structure Wipe",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Parameter-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBTL",
      "d3f:definition": "The idea behind parameter-based methods is that a well-trained model on the source domain has learned a well-defined structure, and if two tasks are related, this structure can be transferred to the target model.",
      "d3f:kb-article": "## References\nGeorgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).",
      "rdfs:label": "Parameter-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "rdfs:label": "AC-24"
    },
    {
      "@id": "d3f:CWE-76",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-76",
      "rdfs:label": "Improper Neutralization of Equivalent Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-75"
      }
    },
    {
      "@id": "d3f:CWE-318",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-318",
      "rdfs:label": "Cleartext Storage of Sensitive Information in Executable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:WindowsNtReadFile",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtReadFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPIReadFile"
        }
      ]
    },
    {
      "@id": "d3f:T1486",
      "@type": "owl:Class",
      "d3f:attack-id": "T1486",
      "rdfs:label": "Data Encrypted for Impact",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:CWE-69",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-69",
      "rdfs:label": "Improper Handling of Windows ::DATA Alternate Data Stream",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:CWE-9",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-9",
      "rdfs:label": "J2EE Misconfiguration: Weak Access Permissions for EJB Methods",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:T1136.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1136.001",
      "rdfs:label": "Local Account",
      "rdfs:subClassOf": {
        "@id": "d3f:T1136"
      }
    },
    {
      "@id": "d3f:CCI-002421_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002421"
    },
    {
      "@id": "d3f:T1608.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.002",
      "rdfs:label": "Upload Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:HardwareDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Hardware devices are the physical artifacts that constitute a network or computer system. Hardware devices are the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphic cards, sound cards, memory (RAM), motherboard, and so on, all of which are tangible physical objects. By contrast, software is instructions that can be stored and run by hardware. Hardware is directed by the software to execute any command or instruction. A combination of hardware and software forms a usable computing system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_hardware"
      },
      "rdfs:label": "Hardware Device",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/device_hw_info"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:PhysicalArtifact"
        }
      ]
    },
    {
      "@id": "d3f:DatabaseServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Database"
      },
      "d3f:definition": "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Database_server"
      },
      "rdfs:label": "Database Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:N75800f1b19b44a409ff9f139137c4bb7"
        }
      ],
      "skos:altLabel": "Network Database Resource"
    },
    {
      "@id": "_:N75800f1b19b44a409ff9f139137c4bb7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:operating-system",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x operating-system y: The product x is supported on operating system y.",
      "rdfs:domain": {
        "@id": "d3f:CapabilityImplementation"
      },
      "rdfs:label": {
        "@language": "en",
        "@value": "operating-system"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-002/"
      },
      "d3f:kb-abstract": "Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-002: Unusually Long Command Line Strings",
      "rdfs:label": "Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITRE"
    },
    {
      "@id": "d3f:ProcessAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-PA",
      "d3f:definition": "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Process Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N4b5b657654e04536b4d4461535ef28c7"
        }
      ]
    },
    {
      "@id": "_:N4b5b657654e04536b4d4461535ef28c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:LinuxKillArgumentSIGKILL",
      "@type": "owl:Class",
      "d3f:definition": "Send SIGKILL signal to a process.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/kill.2.html",
      "rdfs:label": "Linux Kill Argument SIGKILL",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITerminateProcess"
      }
    },
    {
      "@id": "d3f:CWE-1096",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1096",
      "rdfs:label": "Singleton Class Instance Creation without Proper Locking or Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180081829A1"
      },
      "d3f:kb-abstract": "Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest VMs executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a separate set of page tables from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel.",
      "d3f:kb-author": "David A. Kaplan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Advanced Micro Devices Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Virtualized process isolation",
      "rdfs:label": "Reference - Virtualized process isolation - Advanced Micro Devices Inc"
    },
    {
      "@id": "d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160156644A1"
      },
      "d3f:kb-abstract": "In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.",
      "d3f:kb-author": "Xinran Wang; Huagang Xie",
      "d3f:kb-mitre-analysis": "This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:\n\n* Identifying suspicious traffic patterns to detect command and control traffic, e.g., periodically visiting a known malware URL, or a host visiting a malware domain twice every 5 hours and 14 minutes (this is a specific pattern for a variant of Swizzor botnets).\n* Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, or communicating using an HTTP header that is shorter than the common length.\n* Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.\n\nA score is determined based on these factors and if the score is over a threshold, a responsive action is performed.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Heuristic botnet detection",
      "rdfs:label": "Reference - Heuristic botnet detection - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CCI-002233_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002233"
    },
    {
      "@id": "d3f:CWE-268",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-268",
      "rdfs:label": "Privilege Chaining",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:CWE-524",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-524",
      "rdfs:label": "Use of Cache Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:T1573.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573.001",
      "d3f:creates": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Symmetric Cryptography",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1573"
        },
        {
          "@id": "_:Nad6a07cbc83e4bb28b4db979be87078b"
        }
      ]
    },
    {
      "@id": "_:Nad6a07cbc83e4bb28b4db979be87078b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:may-harden",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may harden",
      "rdfs:label": "may-harden",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:CWE-281",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-281",
      "rdfs:label": "Improper Preservation of Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:T1058",
      "@type": "owl:Class",
      "d3f:attack-id": "T1058",
      "rdfs:label": "Service Registry Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-673",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-673",
      "rdfs:label": "External Influence of Sphere Definition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:authorizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x authorizes y: A subject x grants authorization or clearance for an agent y to use an object.  This relation indicates an authorization event has occurred.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00804987-v"
      },
      "rdfs:label": "authorizes",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00805664-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:may-isolate",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may isolate",
      "rdfs:label": "may-isolate",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:CCI-001082_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system separates user functionality (including user interface services) from information system management functionality.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001082"
    },
    {
      "@id": "d3f:ActiveCertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ActiveCertificateAnalysis",
        "d3f:CertificateAnalysis"
      ],
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ACA",
      "d3f:definition": "Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.",
      "d3f:kb-article": "## How it works\nAnalysis of server certificates using active methods to detect if certificates have been misconfigured or spoofed by using elements of the certificate, certificate authorities and signatures.\n\n### Certificate validity analysis\nThis can be accomplished by verifying the digital signature on the certificate.\n\n### Certificate path analysis\nThe client's browser can perform path verification to ensure that the server's certificate contains a valid trust anchor.\n\n### Certificate configuration analysis\nSome browsers can be configured to implement the key-usage extensions contained in certificates. This can help to prevent a certificate from being misused.\n\n### Certificate revocation status analysis\nUsing either Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) to determine the revocation status. OCSP Stapling, binding the status with the certificate, helps to mitigate potential delay in status verifications.\n\n## Considerations\n* Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility\n* If the certificate authority, issuing the certificate, is compromised then all of the certificates issued by the CA are suspect\n* There may be delays associated with updates to certificates\n* Revoked certificates give the appearance of valid certificates until they are published to a trusted revocation service (OCSP or CRL)\n* The revocation service (OCSP or CRL) may be down during our connection and a browser will need to make a decision about trusting the connection",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecuringWebTransactions"
      },
      "rdfs:label": "Active Certificate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-804",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-804",
      "rdfs:label": "Guessable CAPTCHA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-863"
        }
      ]
    },
    {
      "@id": "d3f:T1055.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.005",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Thread Local Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nf2091555d631402bb095e174747358c0"
        }
      ]
    },
    {
      "@id": "_:Nf2091555d631402bb095e174747358c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-396",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-396",
      "rdfs:label": "Declaration of Catch for Generic Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-705"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:PartialMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PM",
      "d3f:definition": "Partial string pattern matching is a special case of string pattern matching where one seeks to find a pattern within a larger string (text). It allows for the detection of patterns that occur as substrings or partial segments within the full string, rather than requiring an exact match across the entire string.",
      "d3f:kb-article": [
        "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
        "Numeric pattern matching is a method of matching some defined pattern specification against a numeric value."
      ],
      "rdfs:label": "Partial Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:StringPatternMatching"
      }
    },
    {
      "@id": "d3f:T1543.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.002",
      "d3f:may-create": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "Systemd Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N871b14a8b33e4804a40e47f77af4c1c4"
        },
        {
          "@id": "_:Na72227c294084a97b493e27bddcebd3d"
        }
      ]
    },
    {
      "@id": "_:N871b14a8b33e4804a40e47f77af4c1c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:Na72227c294084a97b493e27bddcebd3d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:M1056",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "Pre-compromise"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Object Security and Privacy Attributes",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(1)"
    },
    {
      "@id": "d3f:DriverLoadIntegrityChecking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:HardwareDriver"
      },
      "d3f:d3fend-id": "D3-DLIC",
      "d3f:definition": "Ensuring the integrity of drivers loaded during initialization of the operating system.",
      "d3f:kb-article": "## How it works\nThis technique can be accomplished in a number of ways:\n\n* A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first.\n\n* Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public.\n\n\n## Considerations\n\n* The private keys used to sign as reputable companies have been stolen in the past, as in cases where certificates from Adobe, Realtek, and JMicron were used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref)\n\n* Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.\n\n* It may not be difficult for an attacker to start an organization which can obtain a signed certificate.\n\n* A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC"
        }
      ],
      "rdfs:label": "Driver Load Integrity Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N93a36d962fad4e24a62c0fab7e2f192c"
        }
      ]
    },
    {
      "@id": "_:N93a36d962fad4e24a62c0fab7e2f192c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "d3f:BayesianEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BE",
      "d3f:definition": "A Bayes estimator or a Bayes action is an estimator or decision rule that minimizes the posterior expected value of a loss function (i.e., the posterior expected loss).",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayes estimator. [Link](https://en.wikipedia.org/wiki/Bayes_estimator)",
      "rdfs:label": "Bayesian Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:BayesianMethod"
      }
    },
    {
      "@id": "d3f:Reference-TenablePassiveNetworkMonitoring",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.tenable.com/sites/default/files/solution-briefs/SB-Passive-Network-Monitoring.pdf"
      },
      "d3f:kb-abstract": "Tenable Nessus® Network Monitor (NNM), a passive monitoring sensor, continuously discovers active assets on the network and assesses them for vulnerabilities. NNM is based on patented network discovery and vulnerability analysis technology that continuously monitors and profiles non-intrusively. It monitors IPv4, IPv6 and mixed network traffic at the packet layer to determine topology, services and vulnerabilities.",
      "d3f:kb-organization": "Tenable",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:PassiveLogicalLinkMapping"
        },
        {
          "@id": "d3f:PassivePhysicalLinkMapping"
        }
      ],
      "d3f:kb-reference-title": "Tenable Passive Network Monitoring",
      "rdfs:label": "Reference - Tenable Passive Network Monitoring"
    },
    {
      "@id": "d3f:CWE-178",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-178",
      "rdfs:label": "Improper Handling of Case Sensitivity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:process-user",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-user y: The process x has been executed by the user y.",
      "rdfs:label": "process-user",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      },
      "skos:altLabel": "processUser"
    },
    {
      "@id": "d3f:CWE-1093",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1093",
      "rdfs:label": "Excessively Complex Data Representation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:WebAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a web server.",
      "d3f:may-create": {
        "@id": "d3f:SessionCookie"
      },
      "rdfs:label": "Web Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "_:N6408d354768744b4b2805563212b2ef1"
        }
      ]
    },
    {
      "@id": "_:N6408d354768744b4b2805563212b2ef1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "d3f:Reference-Reg.exeCalledFromCommandShell_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-03-001/"
      },
      "d3f:kb-abstract": "Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessLineageAnalysis"
        },
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-03-001: Reg.exe called from Command Shell",
      "rdfs:label": "Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE"
    },
    {
      "@id": "d3f:ShortcutFile",
      "@type": "owl:Class",
      "d3f:definition": "A shortcut file, or shortcut, is a handle that allows the user to find a file or resource located in a different directory or folder from the place where the shortcut is located.\n\nShortcuts, which are supported by the graphical file browsers of some operating systems, may resemble symbolic links but differ in a number of important ways. One difference is what type of software is able to follow them:\n\n - Symbolic links are automatically resolved by the file system. Any software program, upon accessing a symbolic link, will see the target instead, whether the program is aware of symbolic links or not.\n\n - Shortcuts are treated like ordinary files by the file system and by software programs that are not aware of them. Only software programs that understand shortcuts (such as the Windows shell and file browsers) treat them as references to other files.\n\nAnother difference is the capabilities of the mechanism:\n\n - Microsoft Windows shortcuts normally refer to a destination by an absolute path (starting from the root directory), whereas POSIX symbolic links can refer to destinations via either an absolute or a relative path. The latter is useful if both the location and destination of the symbolic link share a common path prefix, but that prefix is not yet known when the symbolic link is created (e.g., in an archive file that can be unpacked anywhere).\n\n - Microsoft Windows application shortcuts contain additional metadata that can be associated with the destination, whereas POSIX symbolic links are just strings that will be interpreted as absolute or relative pathnames.\n\n - Unlike symbolic links, Windows shortcuts maintain their references to their targets even when the target is moved or renamed. Windows domain clients may subscribe to a Windows service called Distributed Link Tracking to track the changes in files and folders in which they are interested. The service maintains the integrity of shortcuts, even when files and folders are moved across the network. Additionally, in Windows 9x and later, Windows shell tries to find the target of a broken shortcut before proposing to delete it.",
      "rdfs:label": "Shortcut File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Shortcut_(computing)"
        },
        {
          "@id": "http://dbpedia.org/resource/Symbolic_link#Shortcuts"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-1051",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1051",
      "rdfs:label": "Initialization with Hard-Coded Network Resource Configuration Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CCI-001125_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces adherence to protocol format.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001125"
    },
    {
      "@id": "d3f:D3FENDThing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "D3FEND things are concepts defined in the core D3FEND Framework.",
      "rdfs:label": "D3FEND Thing"
    },
    {
      "@id": "d3f:CWE-1234",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1234",
      "rdfs:label": "Hardware Internal or Debug Modes Allow Override of Locks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:T1585.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585.001",
      "rdfs:label": "Social Media Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1585"
      }
    },
    {
      "@id": "d3f:CWE-543",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-543",
      "rdfs:label": "Use of Singleton Pattern Without Synchronization in a Multithreaded Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:SymmetricKey",
      "@type": "owl:Class",
      "d3f:definition": "A symmetric key is a single key used for both encryption and decryption and used with a symmetric-key algorithm. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption (also known as asymmetric key encryption).",
      "rdfs:label": "Symmetric Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Symmetric-key_algorithm"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:PropositionalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Propositional logic deals with statements (i.e., propositions, which can be true or false) and relations between propositions, including the construction of arguments based on them.",
      "d3f:kb-article": "## How it works\nCompound propositions are formed by connecting propositions by logical connectives. Propositions that contain no logical connectives are called atomic propositions.\n\n## References\n1. Propositional Calculus. (2022, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Propositional_calculus)",
      "d3f:synonym": "Propositional Calculus",
      "rdfs:label": "Propositional Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:MoveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call to rename or move a file.  Linux's rename() is an example of this kind of system call. Another way of handling it is to call a copy file system call followed by a delete file system call.",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Move File",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/rename.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nba844d5e2e0245ce8b1ee323d9daa3a2"
        }
      ],
      "skos:altLabel": "Rename File"
    },
    {
      "@id": "_:Nba844d5e2e0245ce8b1ee323d9daa3a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:CWE-283",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-283",
      "rdfs:label": "Unverified Ownership",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-282"
      }
    },
    {
      "@id": "d3f:SystemConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the services, parameters, and initial settings for an operating system.",
      "rdfs:label": "System Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        }
      ]
    },
    {
      "@id": "d3f:MSGEmailFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Email"
      ],
      "rdfs:label": "MSG Email File"
    },
    {
      "@id": "d3f:CommonAttackPattern",
      "@type": "owl:Class",
      "d3f:definition": "A common attack pattern that is in the CAPEC knowledge base.",
      "rdfs:label": "Common Attack Pattern",
      "rdfs:subClassOf": {
        "@id": "d3f:CAPECThing"
      }
    },
    {
      "@id": "d3f:CWE-1245",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1245",
      "rdfs:label": "Improper Finite State Machines (FSMs) in Hardware Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:CWE-35",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-35",
      "rdfs:label": "Path Traversal: '.../...//'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:license",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "license",
      "rdfs:range": {
        "@id": "_:Nf11d6abe3f50445bb2643a2cff56e155"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "_:Nf11d6abe3f50445bb2643a2cff56e155",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:license"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:License"
      }
    },
    {
      "@id": "d3f:T1601.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601.001",
      "rdfs:label": "Patch System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1601"
      }
    },
    {
      "@id": "d3f:DesktopComputer",
      "@type": "owl:Class",
      "d3f:definition": "A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components), disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Desktop_computer"
      },
      "rdfs:label": "Desktop Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      }
    },
    {
      "@id": "d3f:CWE-126",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-126",
      "rdfs:label": "Buffer Over-read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-125"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "dcterms:description",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "description"
    },
    {
      "@id": "d3f:T1592.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.002",
      "rdfs:label": "Software",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:HomoglyphDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ForwardResolutionDomainDenylisting"
      ],
      "d3f:d3fend-id": "D3-HDL",
      "d3f:definition": "Blocking DNS queries that are deceptively similar to legitimate domain names.",
      "d3f:kb-article": "## How it works\n\nHomoglyph domain blacklisting considers the domain and subdomain structure of a lookup and compares the named components to blacklisted named components. The blacklisted named components are typically crafted modifications of known good domains, e.g., gooogle.com versus google.com. The blacklisted domains typically resemble trusted domains, but have been altered slightly to deceive users.\n\nThe blacklisted named components also include consideration for fonts or Unicode characters that can make certain characters appear very similar (zero vs capital O and the letter l vs the number one). The blacklisted domains under certain fonts will appear to be a trusted domain.\n\n## Considerations\n* Maintaining the currency of the list can be a challenge especially with newly registered domain entries.\n* Blacklists should have identified maintenance cycles to ensure lists are not stale.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectionOfMaliciousIDNHomoglyphDomains"
      },
      "d3f:synonym": "Homoglyph Blacklisting",
      "rdfs:label": "Homoglyph Denylisting",
      "rdfs:subClassOf": {
        "@id": "d3f:ForwardResolutionDomainDenylisting"
      }
    },
    {
      "@id": "d3f:display-order",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x display-order y: An object x should be displayed in ordinal position y when placed or listed in a d3fend display with other objects of its kind.",
      "rdfs:label": "display-order",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:CWE-194",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-194",
      "rdfs:label": "Unexpected Sign Extension",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:PythonScriptFile",
      "@type": "owl:Class",
      "rdfs:label": "Python Script File",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:LocalFilePermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-LFP",
      "d3f:definition": "Restricting access to a local file by configuring operating system functionality.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FileAndFolderPermissions"
      },
      "d3f:restricts": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        }
      ],
      "rdfs:label": "Local File Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N0b781161242b483c8b21cb39ea470da6"
        },
        {
          "@id": "_:N75313196a2e84f5b93f0ad2c3f163cfb"
        }
      ]
    },
    {
      "@id": "_:N0b781161242b483c8b21cb39ea470da6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:N75313196a2e84f5b93f0ad2c3f163cfb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-1279",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1279",
      "rdfs:label": "Cryptographic Operations are run Before Supporting Units are Ready",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CWE-828",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-828",
      "rdfs:label": "Signal Handler with Functionality that is not Asynchronous-Safe",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:CWE-627",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-627",
      "rdfs:label": "Dynamic Variable Evaluation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-914"
      }
    },
    {
      "@id": "d3f:Expectation-maximizationClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EMC",
      "d3f:definition": "An unsupervised clustering algorithm that also extends to NLP applications such as Latent Dirichlet Allocation, the Baum-Welch algorithm for Hidden Markov Models, and medical imaging.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Expectation Maximization Explained. [Link](https://towardsdatascience.com/expectation-maximization-explained-c82f5ed438e5#:~:text=Expectation%20Maximization%20(EM)%20is%20a,Markov%20Models%2C%20and%20medical%20imaging.)",
      "rdfs:label": "Expectation-maximization Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Distribution-basedClustering"
      }
    },
    {
      "@id": "d3f:CCI-002358_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is always invoked.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002358"
    },
    {
      "@id": "d3f:T1187",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1187",
      "d3f:may-modify": {
        "@id": "d3f:WindowsShortcutFile"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Forced Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Na693706f2a3c4344b2c6eb9853fbd3e0"
        },
        {
          "@id": "_:Nc6d81f4df74f432183f90dc8953ca068"
        },
        {
          "@id": "_:N6ef5f512e2dc43e78ec05a0d819d136a"
        }
      ]
    },
    {
      "@id": "_:Na693706f2a3c4344b2c6eb9853fbd3e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsShortcutFile"
      }
    },
    {
      "@id": "_:Nc6d81f4df74f432183f90dc8953ca068",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N6ef5f512e2dc43e78ec05a0d819d136a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:CWE-83",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-83",
      "rdfs:label": "Improper Neutralization of Script in Attributes in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-002/"
      },
      "d3f:kb-abstract": "It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a \"Clear Event Log\" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2016-04-002: User Activity from Clearing Event Logs",
      "rdfs:label": "Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160149936A1"
      },
      "d3f:kb-abstract": "An approach for detecting network threats is disclosed, that may involve receiving network traffic, plotting the network traffic in a n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations.",
      "d3f:kb-author": "David Lopes PEGNA; Nicolas Beauchesne",
      "d3f:kb-mitre-analysis": "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. The stored network traffic data is used to map network events to create a cluster map. Events are network activity associated with clients, servers, or control modules such as a Kerberos Domain Controller (KDC); account information; services accessed by the client; or the number of times a service is accessed. Events that exceed a threshold from a center of gravity point of a cluster are identified as suspicious activity and an alert is generated.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProtocolMetadataAnomalyDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting threats using passive cluster mapping",
      "rdfs:label": "Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Inc"
    },
    {
      "@id": "d3f:SystemTimeApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system time utility is utility software that can get the system time, such as the Unix date command or Windows' Net utility.",
      "rdfs:label": "System Time Application",
      "rdfs:subClassOf": {
        "@id": "d3f:UtilitySoftware"
      }
    },
    {
      "@id": "d3f:NetworkProtocolAnalyzer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors and parses network protocols to extract values from various network protocol layers.",
      "d3f:monitors": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Network Protocol Analyzer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkSensor"
        },
        {
          "@id": "_:N2c3e9663a10c4c79a36626d1857548df"
        }
      ]
    },
    {
      "@id": "_:N2c3e9663a10c4c79a36626d1857548df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1583.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.003",
      "rdfs:label": "Virtual Private Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:CCI-001356_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization monitors for atypical usage of information system accounts.",
      "d3f:exactly": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001356"
    },
    {
      "@id": "d3f:T1556.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556.003",
      "d3f:may-modify": [
        {
          "@id": "d3f:OperatingSystemConfigurationFile"
        },
        {
          "@id": "d3f:OperatingSystemSharedLibraryFile"
        }
      ],
      "rdfs:label": "Pluggable Authentication Modules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1556"
        },
        {
          "@id": "_:Nd92fdeccb5af4a5685d7ed0653852840"
        },
        {
          "@id": "_:Nabda05e0cdb0485989d712234ec009f2"
        }
      ]
    },
    {
      "@id": "_:Nd92fdeccb5af4a5685d7ed0653852840",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:Nabda05e0cdb0485989d712234ec009f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemSharedLibraryFile"
      }
    },
    {
      "@id": "d3f:PartitionTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:Partition"
      },
      "d3f:definition": "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other \"formats\" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Partition_table"
      },
      "rdfs:label": "Partition Table",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Naef1e7e7c0ab4f2caa3d8b6ff2644d03"
        }
      ]
    },
    {
      "@id": "_:Naef1e7e7c0ab4f2caa3d8b6ff2644d03",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "d3f:EncryptedCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A credential that is encrypted.",
      "rdfs:label": "Encrypted Credential",
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:d3fend-external-control-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-external-control-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:T1589.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.002",
      "rdfs:label": "Email Addresses",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:InterprocessCommunication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, inter-process communication or interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow processes it manages to share data. Typically, applications can use IPC categorized as clients and servers, where the client requests data and the server responds to client requests. Many applications are both clients and servers, as commonly seen in distributed computing. Methods for achieving IPC are divided into categories which vary based on software requirements, such as performance and modularity requirements, and system circumstances, such as network bandwidth and latency.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Inter-process_communication"
      },
      "rdfs:label": "Interprocess Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-113",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-113",
      "rdfs:label": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-436"
        },
        {
          "@id": "d3f:CWE-93"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Account Management | Disable Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(3)"
    },
    {
      "@id": "d3f:CCI-001401_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001401"
    },
    {
      "@id": "d3f:CCI-000027_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces dynamic information flow control based on organization-defined policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000027"
    },
    {
      "@id": "d3f:ForwardResolutionIPDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      },
      "d3f:d3fend-id": "D3-FRIDL",
      "d3f:definition": "Blocking a DNS lookup's answer's IP address value.",
      "d3f:kb-article": "## How it works\n\nThis technique prevents a client from learning IP addresses deemed to be potentially malicious, which would have been delivered via forward resolution responses.\n\nResponses to forward resolution requests (that is, requests where a domain is sent and IP(s) are returned) are collected, and the IP address(es) included as a response are examined. If the IP address(es) are in a range included in the blacklist, then the response is dropped and not forwarded to the client.\n\nThe DNS lookup can be blocked by either dropping the network traffic with an inline device, or modifying the value of the response sent by the DNS server. To transparently prevent client applications from hanging on a request, it is common practice to replace malicious values with addresses in the range 127.0.0.0/8 or the address of a honeypot maintained by the network administrators.\n\n## Considerations\n\n* This technique does not prevent the client from contacting the blacklisted IP, only from learning about this IP address via a nameserver lookup request.\n* DNS Response traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS answer IP address value(s).\n  * DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n  * Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS responses. These protocols have often been enabled in browser settings transparently after a browser update, with DNS requests proxied over one of these cryptographic protocols through a specified host.\n* This technique must be implemented logically between the application that receives the response and the server which sent the response.\n  * DNS responses sent in an encrypted manner, such as those using DoH or DoT, will require interception of the TLS connections in order to determine the IP address(es) in the response.\n* Replacing the response is not effective in the case that the nameserver uses a technique to provide integrity of its responses, such as DNSSEC for DNS responses.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Forward Resolution IP Blacklisting",
      "rdfs:label": "Forward Resolution IP Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:Nd5bc3265c166431a81d79b8d5a3c27a3"
        }
      ]
    },
    {
      "@id": "_:Nd5bc3265c166431a81d79b8d5a3c27a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      }
    },
    {
      "@id": "d3f:T1484.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1484.002",
      "rdfs:label": "Domain Trust Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1484"
      }
    },
    {
      "@id": "d3f:CertificateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Certificate"
      },
      "d3f:definition": "A file containing a digital certificate. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public_key_certificate"
      },
      "rdfs:label": "Certificate File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N5ab8d26b92624efb8d4ee67b7f84f1c4"
        }
      ]
    },
    {
      "@id": "_:N5ab8d26b92624efb8d4ee67b7f84f1c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:T1218.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.011",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Rundll32 Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N2713eafe610843bea09fa1dee40af99a"
        },
        {
          "@id": "_:N38cada212c7d455098f1bf225a698546"
        }
      ]
    },
    {
      "@id": "_:N2713eafe610843bea09fa1dee40af99a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N38cada212c7d455098f1bf225a698546",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:DomainRegistration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain registration, or domain name registration data, is the relevant registration data from Internet resources such as domain names, IP addresses, and autonomous system numbers. Registration data is typically retrieved by means of either the Registration Data Access Protocol (RDAP) or its predecessor, the WHOIS protocol.",
      "d3f:may-contain": {
        "@id": "d3f:DomainName"
      },
      "rdfs:label": "Domain Registration",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Domain_registration"
        },
        {
          "@id": "dbr:WHOIS"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nb5e93bc3412c4e26a3a6f5f86e41b65e"
        }
      ],
      "skos:altLabel": "Domain Name Registration Data"
    },
    {
      "@id": "_:Nb5e93bc3412c4e26a3a6f5f86e41b65e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "d3f:ActivityDependency",
      "@type": "owl:Class",
      "d3f:definition": "An activity dependency is a dependency that indicates an activity has an activity or agent which relies on it in order to be functional.",
      "rdfs:label": "Activity Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:CCI-001118_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001118"
    },
    {
      "@id": "d3f:CCI-000143_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-20T00:00:00"
      },
      "rdfs:label": "CCI-000143"
    },
    {
      "@id": "d3f:NetworkResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:NetworkResource"
        },
        {
          "@id": "d3f:Resource"
        }
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource.",
      "rdfs:label": "Network Resource Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ResourceAccess"
        },
        {
          "@id": "_:Ndd9c7712a1b54a9fb25d6805d4a490a9"
        },
        {
          "@id": "_:N8bb1ee372ae14eae8a672b95022b75c7"
        }
      ]
    },
    {
      "@id": "_:Ndd9c7712a1b54a9fb25d6805d4a490a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "_:N8bb1ee372ae14eae8a672b95022b75c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:T1067",
      "@type": "owl:Class",
      "d3f:attack-id": "T1067",
      "rdfs:label": "Bootkit",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1059",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1059",
      "rdfs:label": "Insufficient Technical Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:InputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, an input device is a piece of equipment used to provide data and control signals to an information processing system such as a computer or information appliance. Examples of input devices include keyboards, mice, scanners, digital cameras, joysticks, and microphones.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Input_device"
      },
      "rdfs:label": "Input Device",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ]
    },
    {
      "@id": "d3f:CWE-647",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-647",
      "rdfs:label": "Use of Non-Canonical URL Paths for Authorization Decisions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:T1134.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.004",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Parent PID Spoofing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N3924fd446f1d4fb19c45bd9f2fdceb05"
        }
      ]
    },
    {
      "@id": "_:N3924fd446f1d4fb19c45bd9f2fdceb05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-923",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-923",
      "rdfs:label": "Improper Restriction of Communication Channel to Intended Endpoints",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:LocalAreaNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet local area network (LAN) traffic is network traffic that does not cross a given network's boundaries; where that network is defined as a LAN.",
      "rdfs:label": "Local Area Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:RemoteAuthenticationService",
      "@type": "owl:Class",
      "d3f:definition": "A remote authentication service provides for the authentication of a user across a network (i.e., remotely).",
      "rdfs:label": "Remote Authentication Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:NetworkService"
        }
      ]
    },
    {
      "@id": "d3f:WindowsNtSuspendThread",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtSuspendThread",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPISuspendThread"
        }
      ]
    },
    {
      "@id": "d3f:Reference-FirmwareVerificationEclypsium",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20200074086A1/en"
      },
      "d3f:kb-abstract": "Systems and methods are provided herein for monitoring and identifying potential security vulnerabilities in hardware and / or firmware of host devices .",
      "d3f:kb-author": "Yuriy Bulygin, Oleksandr Bazhaniuk",
      "d3f:kb-organization": "ECLYPSIUM , Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "Methods and systems for hardware and firmware security monitoring",
      "rdfs:label": "Reference - Firmware Verification Eclypsium"
    },
    {
      "@id": "d3f:JavaScriptBlob",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A JavaScript Blob is a Blob that was created by a JavaScript Blob() constructor call or equivalent function.",
      "rdfs:label": "JavaScript Blob",
      "rdfs:subClassOf": {
        "@id": "d3f:BinaryLargeObject"
      }
    },
    {
      "@id": "d3f:runs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x runs y: To carry out a process or program y, as on a computer or a machine x; where y may be a large software assembly or a specific module or instruction.  Examples: \"run a new program on the Mac\"; \"the computer runs the application software\".",
      "rdfs:label": "runs",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02569242-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-run"
        }
      ]
    },
    {
      "@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190205511A1"
      },
      "d3f:kb-abstract": "Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action.",
      "d3f:kb-author": "Chunhui Zhan, Siying Yang",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Forescout Technologies",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:kb-reference-title": "Account monitoring",
      "rdfs:label": "Reference - Account monitoring - Forescout Technologies"
    },
    {
      "@id": "d3f:CCI-002382_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002382"
    },
    {
      "@id": "d3f:Skewness",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SKE",
      "d3f:definition": "Skewness is a measure of the asymmetry of the probability distribution of a real-valued random variable about its mean. The standardized moment of a probability distribution function.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Skewness. [Link](https://en.wikipedia.org/wiki/Skewness)",
      "rdfs:label": "Skewness",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:T1553.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.001",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Gatekeeper Bypass",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Na57cafe30fc042da9d0c2afae5bb50f1"
        }
      ]
    },
    {
      "@id": "_:Na57cafe30fc042da9d0c2afae5bb50f1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:CWE-1386",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1386",
      "rdfs:label": "Insecure Operation on Windows Junction / Mount Point",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:LinuxELFFile32bit",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "d3f:definition": "test",
      "rdfs:label": "Linux ELF File 32bit"
    },
    {
      "@id": "d3f:ProcessEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-PE",
      "d3f:definition": "Process eviction techniques terminate or remove running process.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "rdfs:label": "Process Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nd2ec6995176f4f1aa66a04fa2260e644"
        }
      ]
    },
    {
      "@id": "_:Nd2ec6995176f4f1aa66a04fa2260e644",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:WebNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Web network traffic is network traffic that uses a standard web protocol.",
      "rdfs:label": "Web Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:OSAPIFreeMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:FreeMemory"
      },
      "rdfs:label": "OS API Free Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nd5818d38ce254b36969c8b1b6f290549"
        }
      ]
    },
    {
      "@id": "_:Nd5818d38ce254b36969c8b1b6f290549",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FreeMemory"
      }
    },
    {
      "@id": "d3f:NetworkDirectoryResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Directory"
      },
      "d3f:definition": "A directory resource made available from one host to other hosts on a computer network.",
      "rdfs:label": "Network Directory Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileShareResource"
        },
        {
          "@id": "_:N8f2f9f1dd7d74aa8a9b947c28269603b"
        }
      ]
    },
    {
      "@id": "_:N8f2f9f1dd7d74aa8a9b947c28269603b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "d3f:ID3",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ID3",
      "d3f:definition": "ID3 stands for Iterative Dichotomiser 3 and is named such because the algorithm iteratively (repeatedly) dichotomizes(divides) features into two or more groups at each step.",
      "d3f:kb-article": "## Addtional Consiterations\nID3 is the basis of C4.5, and is best used in natural language processing.\n\n## References\nDecision Trees for Classification: ID3 Algorithm Explained. Towards Data Science. [Link](https://towardsdatascience.com/decision-trees-for-classification-id3-algorithm-explained-89df76e72df1).",
      "rdfs:label": "ID3",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:CWE-200",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-200",
      "rdfs:label": "Exposure of Sensitive Information to an Unauthorized Actor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:TransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TL",
      "d3f:definition": "Transfer learning (TL) is a research problem in machine learning (ML) that focuses on storing knowledge gained while solving one problem and applying it to a different but related problem.",
      "d3f:kb-article": "## References\nTransfer learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Transfer_learning).",
      "rdfs:label": "Transfer Learning",
      "rdfs:seeAlso": [
        "https://arxiv.org/abs/1808.01974",
        "https://journalofbigdata.springeropen.com/articles/10.1186/s40537-016-0043-6",
        "https://arxiv.org/abs/1911.02685"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:User",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user is a person [or agent] who uses a computer or network service. Users generally use a system or a software product without the technical expertise required to fully understand it. Power users use advanced features of programs, though they are not necessarily capable of computer programming and system administration. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), nickname (or nick) and handle, which is derived from the identical Citizen's Band radio term. Some software products provide services to other systems and have no direct end users.",
      "d3f:has-account": {
        "@id": "d3f:UserAccount"
      },
      "d3f:restricted-by": {
        "@id": "d3f:AccessControlList"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_(computing)"
      },
      "rdfs:label": "User",
      "rdfs:seeAlso": [
        "UserAccount",
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/10761247-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nbbd4343fc3d94057ac5c95277bc62e29"
        },
        {
          "@id": "_:N6e66af8760dc4502b05f5f0945f1a8b5"
        }
      ]
    },
    {
      "@id": "_:Nbbd4343fc3d94057ac5c95277bc62e29",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-account"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N6e66af8760dc4502b05f5f0945f1a8b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricted-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlList"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(5)"
    },
    {
      "@id": "d3f:CWE-784",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-784",
      "rdfs:label": "Reliance on Cookies without Validation and Integrity Checking in a Security Decision",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-565"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002263_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002263"
    },
    {
      "@id": "d3f:CCI-002235_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002235"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Unsuccessful Logon Attempts | Use of Alternate Authentication Factor",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-7(4)"
    },
    {
      "@id": "d3f:Reference-RFC2289-AOne-TimePasswordSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc2289"
      },
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:kb-reference-title": "A One-Time Password System",
      "rdfs:label": "Reference - RFC 2289 - A One-Time Password System"
    },
    {
      "@id": "d3f:EmailRule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A configuration of an email application which is used to apply logical or data processing functions to data processed by the email  application.",
      "rdfs:label": "Email Rule",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationRule"
      }
    },
    {
      "@id": "d3f:HardwareComponentInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-HCI",
      "d3f:definition": "Hardware component inventorying identifies and records the hardware items in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:HardwareDevice"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on hardware devices such as peripherals, NICs, processors, and memory devices that are components of the computers in their architecture using a variety of administrative and management tools that query for this information.  In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through remote adminstration tools and system commands, either manually or using scripts.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools\n\n## Examples\n* Bus discovery\n   * Admin-scripted PCI Bus inventory using ssh and pciutils\n* Application-layer discovery\n   * Simple Network Management Protocol (SNMP) collects MIB information\n   * Web-based Enterprise Management (WBEM) collects CIM information\n      * Windows Management Instrumentation (WMI)\n      * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AdvancedDeviceMatchingSystem"
      },
      "d3f:synonym": [
        "Hardware Component Discovery",
        "Hardware Component Inventorying"
      ],
      "rdfs:label": "Hardware Component Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N8bfba0385c3a432b8f04e75e3310f4e4"
        }
      ]
    },
    {
      "@id": "_:N8bfba0385c3a432b8f04e75e3310f4e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-1392",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1392",
      "rdfs:label": "Use of Default Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1391"
      }
    },
    {
      "@id": "d3f:T1560.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.002",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "rdfs:label": "Archive via Library",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:N872e533f9aff433f835204387cb084fc"
        }
      ]
    },
    {
      "@id": "_:N872e533f9aff433f835204387cb084fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:NetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Network traffic or data traffic is the data, or alternatively the amount of data, moving across a network at a given point of time.  Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network.",
      "d3f:may-contain": {
        "@id": "d3f:DomainName"
      },
      "d3f:originates-from": {
        "@id": "d3f:PhysicalLocation"
      },
      "rdfs:label": "Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Network_traffic"
        },
        "https://schema.ocsf.io/objects/network_traffic"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nadc835d5a0044495b6df1af571d2f4b6"
        },
        {
          "@id": "_:N959c7abe06054e35b6526d43524ea49d"
        }
      ],
      "skos:altLabel": "Data Traffic"
    },
    {
      "@id": "_:Nadc835d5a0044495b6df1af571d2f4b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "_:N959c7abe06054e35b6526d43524ea49d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:originates-from"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:CCI-002381_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002381"
    },
    {
      "@id": "d3f:CCI-000199_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces maximum password lifetime restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000199"
    },
    {
      "@id": "d3f:NetworkFileShareResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A shared file resource, or network file share, is a computer file made available from one host to other hosts on a computer network. Network sharing is made possible by inter-process communication over the network. It includes both files and directories.",
      "rdfs:label": "Network File Share Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:T1070",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070",
      "rdfs:label": "Indicator Removal on Host",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ThreadStartFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A function which invokes a create thread system call.",
      "d3f:executes": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Thread Start Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N57776e2d4d444e7dac79292528aa341a"
        }
      ]
    },
    {
      "@id": "_:N57776e2d4d444e7dac79292528aa341a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dni.gov/files/Governance/IC-Tech-Specs-for-Const-and-Mgmt-of-SCIFs-v15.pdf"
      },
      "d3f:kb-author": "National Counterintelligence and Security Center",
      "d3f:kb-reference-of": {
        "@id": "d3f:RFShielding"
      },
      "d3f:kb-reference-title": "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities",
      "rdfs:label": "Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"
    },
    {
      "@id": "d3f:CWE-786",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-786",
      "rdfs:label": "Access of Memory Location Before Start of Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:CWE-795",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-795",
      "rdfs:label": "Only Filtering Special Elements at a Specified Location",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-791"
      }
    },
    {
      "@id": "d3f:CWE-1239",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1239",
      "rdfs:label": "Improper Zeroization of Hardware Register",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:HardLink",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a hard link is a directory entry that associates a name with a file on a file system. All directory-based file systems must have at least one hard link giving the original name for each file. The term \"hard link\" is usually only used in file systems that allow more than one hard link for the same file. Multiple hard links -- that is, multiple directory entries to the same file -- are supported by POSIX-compliant and partially POSIX-compliant operating systems, such as Linux, Android, macOS, and also Windows NT4 and later Windows NT operating systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "d3f:Service",
      "@type": "owl:Class",
      "rdfs:label": "Service",
      "rdfs:subClassOf": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "d3f:CCI-000016_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000016"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Mapping Integrity for Version Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(5)"
    },
    {
      "@id": "d3f:T1218.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.010",
      "rdfs:label": "Regsvr32 Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:CacheMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accessed-by": {
        "@id": "d3f:CentralProcessingUnit"
      },
      "d3f:definition": "Cache memory is temporary storage that is more readily available to the processor than the computer's main memory source, located between the main memory and the processor.  It is typically either integrated directly into the CPU chip (level 1 cache) or placed on a separate chip with a bus interconnect with the CPU (level 2 cache).",
      "d3f:may-contain": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:modifies": {
        "@id": "d3f:CacheMemory"
      },
      "rdfs:isDefinedBy": "https://whatis.techtarget.com/definition/memory",
      "rdfs:label": "Processor Cache Memory",
      "rdfs:seeAlso": "https://dbpedia.org/page/CPU_cache",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrimaryStorage"
        },
        {
          "@id": "_:Ncba32b94a9914b9880eb096624227b67"
        },
        {
          "@id": "_:N7750d8cd5ba842cbaac5151b22b1a496"
        },
        {
          "@id": "_:N47f65d2528cd4e4f8ba88f49042c25a3"
        }
      ]
    },
    {
      "@id": "_:Ncba32b94a9914b9880eb096624227b67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accessed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CentralProcessingUnit"
      }
    },
    {
      "@id": "_:N7750d8cd5ba842cbaac5151b22b1a496",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N47f65d2528cd4e4f8ba88f49042c25a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CacheMemory"
      }
    },
    {
      "@id": "d3f:T1558.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1558.004",
      "rdfs:label": "AS-REP Roasting",
      "rdfs:subClassOf": {
        "@id": "d3f:T1558"
      }
    },
    {
      "@id": "d3f:LocalAccountMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:LocalUserAccount"
      },
      "d3f:d3fend-id": "D3-LAM",
      "d3f:definition": "Analyzing local user accounts to detect unauthorized activity.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AuditUserAccountManagement"
        },
        {
          "@id": "d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin"
        },
        {
          "@id": "d3f:Reference-OSQueryWindowsUserCollectionCode"
        }
      ],
      "rdfs:label": "Local Account Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N0aa635662a8a4e0d88d25dc4ce4c70a5"
        }
      ]
    },
    {
      "@id": "_:N0aa635662a8a4e0d88d25dc4ce4c70a5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-1037",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1037",
      "rdfs:label": "Processor Optimization Removal or Modification of Security-critical Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1038"
      }
    },
    {
      "@id": "d3f:MovingAverageModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAM",
      "d3f:definition": "the moving-average model (MA model) is an approach for modeling univariate time series and specifies that the output variable is cross-correlated with a non-identical to itself random-variable.",
      "d3f:kb-article": "## Refrences\nWikipedia. (n.d.). Moving average model. [Link](https://en.wikipedia.org/wiki/Moving_average_model)",
      "d3f:synonym": "MA Model",
      "rdfs:label": "Moving Average Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:M1054",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:CertificatePinning"
        }
      ],
      "rdfs:label": "Software Configuration"
    },
    {
      "@id": "d3f:DNSNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "DNS network traffic is network traffic related to queries and responses involving the Domain Name System. DNS traffic can involve clients, servers such as relays or resolvers. This includes only network traffic conforming to standard DNS protocol; not custom protocols.",
      "rdfs:label": "DNS Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-555",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-555",
      "rdfs:label": "J2EE Misconfiguration: Plaintext Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-260"
      }
    },
    {
      "@id": "d3f:CWE-165",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-165",
      "rdfs:label": "Improper Neutralization of Multiple Internal Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-164"
      }
    },
    {
      "@id": "d3f:CCI-002631_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ScriptExecutionAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002631"
    },
    {
      "@id": "d3f:CWE-109",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-109",
      "rdfs:label": "Struts: Validator Turned Off",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:T1030",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1030",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Data Transfer Size Limits",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N9e89efd8da614e44a2ebc8d96677e5a0"
        }
      ]
    },
    {
      "@id": "_:N9e89efd8da614e44a2ebc8d96677e5a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1002",
      "rdfs:label": "Data Compressed",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:T1167",
      "@type": "owl:Class",
      "d3f:attack-id": "T1167",
      "rdfs:label": "Securityd Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1077",
      "@type": "owl:Class",
      "d3f:attack-id": "T1077",
      "rdfs:label": "Windows Admin Shares",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190018958A1/en?oq=US20190018958-A1"
      },
      "d3f:kb-abstract": "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.",
      "d3f:kb-author": "Joseph W. Desimone",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "System and method for detecting malware injected into memory of a computing device",
      "rdfs:label": "Reference - System and method for detecting malware injected into memory of a computing device - Endgame Inc"
    },
    {
      "@id": "d3f:ExecutableBinary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:ImageCodeSegment"
        },
        {
          "@id": "d3f:ImageDataSegment"
        }
      ],
      "d3f:definition": "An executable binary contains machine code instructions for a physical CPU. D3FEND also considers byte code for a virtual machine to be binary code.  This is in contrast to executable scripts written in a scripting language.",
      "d3f:may-interpret": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Executable Binary",
      "rdfs:seeAlso": {
        "@id": "dbr:Executable"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableFile"
        },
        {
          "@id": "_:N00b354bd31964b24b8ac392b432b64fb"
        },
        {
          "@id": "_:N58c98bad573349c297cf82aa30df9e76"
        },
        {
          "@id": "_:N96cd300ec2774557a052b3de501ad800"
        }
      ]
    },
    {
      "@id": "_:N00b354bd31964b24b8ac392b432b64fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ImageCodeSegment"
      }
    },
    {
      "@id": "_:N58c98bad573349c297cf82aa30df9e76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ImageDataSegment"
      }
    },
    {
      "@id": "_:N96cd300ec2774557a052b3de501ad800",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-interpret"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:Capability",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Capability_(systems_engineering)"
      },
      "rdfs:label": "Capability",
      "rdfs:seeAlso": {
        "@id": "https://web.archive.org/web/20081123014953/http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:N80ba9256cb514dcc9fe3d3f95a67e22c"
        },
        {
          "@id": "_:N5f7dafb7b2cd435b80f42b288cca150a"
        }
      ]
    },
    {
      "@id": "_:N80ba9256cb514dcc9fe3d3f95a67e22c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:assessed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityAssessment"
      }
    },
    {
      "@id": "_:N5f7dafb7b2cd435b80f42b288cca150a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-feature"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityFeature"
      }
    },
    {
      "@id": "d3f:CWE-257",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-257",
      "rdfs:label": "Storing Passwords in a Recoverable Format",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:CWE-1192",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1192",
      "rdfs:label": "System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:T1502",
      "@type": "owl:Class",
      "d3f:attack-id": "T1502",
      "rdfs:label": "Parent PID Spoofing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-648",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-648",
      "rdfs:label": "Incorrect Use of Privileged APIs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160359883A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.",
      "d3f:kb-author": "Fraser Howard; Paul Baccas; Vanja Svajcer; Benjamin John Godwood; William James McCourt",
      "d3f:kb-mitre-analysis": "This patent describes analyzing contextual information of a Uniform Resource Identifier (URI), such as source or origin of the request URI, patterns in the way the URI is delivered, and the locale of the URI. The contextual information is sent to a scanning facility which uses that information along with a blacklist of known malicious domain names, locations, patterns, etc. to block retrieved content associated with the request URI.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:URLAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting restricted content associated with retrieved content",
      "rdfs:label": "Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd"
    },
    {
      "@id": "d3f:WebResource",
      "@type": "owl:Class",
      "d3f:definition": "A web resource is a resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web Resource",
      "rdfs:seeAlso": "http://dbpedia.org/resource/Web_resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:CWE-394",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-394",
      "rdfs:label": "Unexpected Status Code or Return Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:First-stageBootLoader",
      "@type": "owl:Class",
      "d3f:definition": "The very first routine run in order to load the operating system.",
      "rdfs:label": "First-stage Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:Reference-PublicKeyPinningExtensionForHTTP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc7469"
      },
      "d3f:kb-abstract": "RFC 7469 describes an HTTP extension that allows web host operators to instruct user agents to remember ('pin') the hosts' cryptographic identities over a period of time. This decreases the risk of MITM attacks due to compromised Certificate Authorities.",
      "d3f:kb-author": "C. Evans, C. Palmer, R. Sleevi",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "Public Key Pinning Extension for HTTP",
      "rdfs:label": "Reference - Public Key Pinning Extension for HTTP"
    },
    {
      "@id": "d3f:DeepNeuralNetClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DNNC",
      "d3f:definition": "A deep neural network (DNN) is an artificial neural network (ANN) with multiple layers between the input and output layers. There are different types of neural networks but they always consist of the same components: neurons, synapses, weights, biases, and functions. These components as a whole function similarly to a human brain, and can be trained like any other ML algorithm",
      "d3f:kb-article": "## References\nDeep learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Deep_learning).",
      "rdfs:label": "Deep Neural Network Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:ArtificialNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateProcess",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtCreateProcess",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateProcess"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:WindowsNtWriteFileGather",
      "@type": "owl:Class",
      "d3f:definition": "Writes specified block of file with data from memory pages.",
      "rdfs:label": "Windows NtWriteFileGather",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPIWriteFile"
        }
      ]
    },
    {
      "@id": "d3f:date",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "A point or period of time associated with an event in the lifecycle of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:seeAlso": {
        "@type": "xsd:anyURI",
        "@value": "https://www.w3.org/wiki/Good_Ontologies#The_Dublin_Core_.28DC.29_ontology"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:StackFrameCanaryValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-SFCV",
      "d3f:definition": "Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.",
      "d3f:kb-article": "## How it works\n\nThis defense must be applied at compile-time, or via a patch to the program binary.  Stack Frame Canary Verification inserts instructions at the prologue and epilogue of desired functions.  In the prologue, a canary value, typically with the same size as the register size, is stored in the system of record and on the stack.  Typically, the canary is loaded to where it has a memory address just below that of the saved instruction pointer and base pointer.  In the epilogue, the canary value stored on the stack and, is compared to the canary value in the system of record.  If the values are different, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.\n\nStack Frame Canary Verification is commonly used to detect potential tampering of a saved register value on the stack before it has been restored.  Examples of registers with values commonly saved to the stack include the instruction pointer and the base pointer.\n\nThe canary should be stored between where the start of a buffer overrun is likely, and the data to protect, in cases where the buffer size increases it will overwrite the data to be protected.\n\nOn most processor architectures, including x86, x64, and ARM, a \"push\" operation to store data to the stack grows the stack towards a lower memory address.  As in these architectures, saved register values are stored to the stack at a point in time just before space is made for the local function variables, the saved register values have a higher address than that of the local function variables.  
Values at increasing indexes of a buffer are written to increasing memory addresses; therefore, an overwrite in the local variable buffer could overwrite saved register values, and a stack canary between these two would be useful in detecting an overwrite.\n\nOn some other processor architectures such as the B5000, the stack grows towards increasing memory addresses, and some architectures, such as System Z and RCA1802A, stack direction can be chosen.  If the stack grows towards increasing memory addresses, while this architecture inherently provides more protection against a saved register being overwritten, other data including local function variables might be overwritten.\n\n\n## Considerations\n\nThere are several ways that the protection provided by a canary could be rendered ineffective.\n\n### Performing a malicious action before the canary is checked\n\nIf the attacker alters the memory in such a way that it performs a malicious action before the epilogue is called, then this protection will not be effective.  This includes altering the logic of the program by altering the values of local variables stored on the function stack, or by causing an exception and exploiting the exception mechanism such as the SEH (Structured Exception Handling) mechanism on Windows.\n\n### Determining the canary value\n\nDetermining the canary value is possible through reading memory either for the code used to check the canary, or from the stored canary value itself in a stack frame.\n\n### Changing the canary value\n\nA vulnerability such as a write-what-where condition that allows one to write data after the canary in the stack, would allow control of the value of the saved instruction pointer without needing to know the canary value.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-GS_BufferSecurityCheck_MicrosoftDocs"
        },
        {
          "@id": "d3f:Reference-StackSmashingProtection_StackGuard_RedHat"
        }
      ],
      "d3f:validates": {
        "@id": "d3f:StackFrame"
      },
      "rdfs:label": "Stack Frame Canary Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:Nb1b07db42f0b4cc3ad45059f56c385d7"
        }
      ]
    },
    {
      "@id": "_:Nb1b07db42f0b4cc3ad45059f56c385d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:Reference-DLLInjectionViaLoadLibrary_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-10-002/"
      },
      "d3f:kb-abstract": "Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.\n\nAllocate memory in the target program with VirtualAllocEx\nWrite the name of the DLL to inject into this program with WriteProcessMemory\nCreate a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.\nThis behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-10-002: DLL Injection via Load Library",
      "rdfs:label": "Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE"
    },
    {
      "@id": "d3f:FastSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "Fast symbolic links, allow storage of the target path within the data structures used for storing file information on disk (e.g., within the inodes). This space normally stores a list of disk block addresses allocated to a file. Thus, symlinks with short target paths are accessed quickly. Systems with fast symlinks often fall back to using the original method if the target path exceeds the available inode space.",
      "owl:disjointWith": {
        "@id": "d3f:SlowSymbolicLink"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:label": "Fast Symbolic Link",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ],
      "skos:altLabel": "Fast Symlink"
    },
    {
      "@id": "d3f:T1514",
      "@type": "owl:Class",
      "d3f:attack-id": "T1514",
      "rdfs:label": "Elevated Execution with Prompt",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170308711A1/en?oq=US-2017308711-A1"
      },
      "d3f:kb-abstract": "A computerized method for preventing ransomware from encrypting data elements stored in a memory of a computer-based system, the method comprising identifying at least one identifier for a data element, wherein the at least one identifier indicates at least a position of the data element within the memory. An optimal number of virtual traps is determined for the data element corresponding to the at least one identifier. An optimal position for each of the virtual traps is determined corresponding to the at least one identifier. The virtual traps are send to the determined optimal position within the memory.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system",
      "rdfs:label": "Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-831",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-831",
      "rdfs:label": "Signal Handler Function Associated with Multiple Signals",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:claims",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "claims",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:DiskEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-DENCR",
      "d3f:definition": "Encrypting a hard disk partition to prevent cleartext access to a file system.",
      "d3f:encrypts": {
        "@id": "d3f:Storage"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3"
      },
      "rdfs:label": "Disk Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N2eaf6a2e2cb34f7f9931771f432c1b49"
        }
      ]
    },
    {
      "@id": "_:N2eaf6a2e2cb34f7f9931771f432c1b49",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:RPCTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:RPCNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RTA",
      "d3f:definition": "Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.",
      "d3f:kb-article": "## How it works\nA remote procedure call (RPC) enables one computer to execute a specific function on another computer, as if it were a local application process. There are numerous RPC specifications and implementations. RPC capabilities can be abused by attackers in order to achieve a variety of tactical objectives including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes.\n\nAnalytics look for unauthorized behavior such as:\n\n* Processes being launched or scheduled remotely\n* System configurations being changed remotely\n* Unauthorized file read activity\n\nExample RPC Protocols:\n\n* DCE/RPC\n* CORBA\n* Open Network Computing Remote Procedure Call\n* D-Bus\n* XML-RPC\n* JSON-RPC\n* SOAP\n* Apache Thrift\n\n## Considerations\n* RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing.\n* RPC traffic may occur over a pipe, or within a host over loopback interface, thus making network collection difficult.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE"
        },
        {
          "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other"
        },
        {
          "@id": "d3f:Reference-RPCCallInterception_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE"
        }
      ],
      "d3f:synonym": "RPC Protocol Analysis",
      "rdfs:label": "RPC Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N37944e46b0d740d0a4de886390e3b4a6"
        }
      ]
    },
    {
      "@id": "_:N37944e46b0d740d0a4de886390e3b4a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:RestoreDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RD",
      "d3f:definition": "Restoring the data in a database.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Database"
      },
      "rdfs:label": "Restore Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:N02bc7a4eb91e4234b5e212c8ffb3d1bd"
        }
      ]
    },
    {
      "@id": "_:N02bc7a4eb91e4234b5e212c8ffb3d1bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:TemporalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TL",
      "d3f:definition": "Temporal logic addresses the semantics of tense; i.e., qualifying expressions of when.",
      "d3f:kb-article": "## References\n1. Temporal logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Temporal_logic)",
      "rdfs:label": "Temporal Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:CWE-690",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-690",
      "rdfs:label": "Unchecked Return Value to NULL Pointer Dereference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-476"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareVerificationTrapezoid",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9674183B2/en"
      },
      "d3f:kb-abstract": "A trust control management method for security, operable on a computer system generates a unique Trust ID value by combining user-defined values with hardware-specific values associated with the user's computer system and storing the Trust ID value in a memory register physically associated with the hardware of the computer system.",
      "d3f:kb-author": "Michael J. Dyer, Jose E. Gonzalez, Albert Caballero",
      "d3f:kb-organization": "Trapezoid, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "System and method for hardware-based trust control management",
      "rdfs:label": "Reference - Firmware Verification Trapezoid"
    },
    {
      "@id": "d3f:CWE-1056",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1056",
      "rdfs:label": "Invokable Control Element with Variadic Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:CCI-001399_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001399"
    },
    {
      "@id": "d3f:CCI-002272_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002272"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Trusted Distribution",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(6)"
    },
    {
      "@id": "d3f:T1070.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.001",
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Clear Windows Event Logs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N91fe1737961b47c1a20157bfe4ca7124"
        }
      ]
    },
    {
      "@id": "_:N91fe1737961b47c1a20157bfe4ca7124",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:CWE-181",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-181",
      "rdfs:label": "Incorrect Behavior Order: Validate Before Filter",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-179"
      }
    },
    {
      "@id": "d3f:AllocateMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Allocate Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N592ab73e0e1f41f1835d20fd2601f6f4"
        }
      ]
    },
    {
      "@id": "_:N592ab73e0e1f41f1835d20fd2601f6f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:CWE-12",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-12",
      "rdfs:label": "ASP.NET Misconfiguration: Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-756"
      }
    },
    {
      "@id": "d3f:Graph-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBC",
      "d3f:definition": "Graph-based Clustering is a form of clustering where data is represented with graphs to identify clusters.  We include Connection-based Clustering in this class.",
      "d3f:kb-article": "## References\n1. Jagota, A. (13 Dec 2020). Density-based and Graph-based Clustering. towardsdatascience.com. [Link](https://towardsdatascience.com/density-based-and-graph-based-clustering-a1f0d45ff5fb)\n\n1. Connectivity-Based Clustering. Sarang, P. (2023) in Thinking Data Science. The Springer Series in Applied Machine Learning. Springer, Cham. [Link](https://doi.org/10.1007/978-3-031-02363-7_10).",
      "d3f:synonym": "Connection-based Clustering",
      "rdfs:label": "Graph-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-1333",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1333",
      "rdfs:label": "Inefficient Regular Expression Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-407"
      }
    },
    {
      "@id": "d3f:OSAPITerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:TerminateProcess"
      },
      "rdfs:label": "OS API Terminate Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N25cd0010fd0943a292aa13ec7ee24aad"
        }
      ]
    },
    {
      "@id": "_:N25cd0010fd0943a292aa13ec7ee24aad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TerminateProcess"
      }
    },
    {
      "@id": "d3f:M1041",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:EncryptedTunnels"
        },
        {
          "@id": "d3f:FileEncryption"
        },
        {
          "@id": "d3f:MessageEncryption"
        }
      ],
      "rdfs:label": "Encrypt Sensitive Information"
    },
    {
      "@id": "d3f:Agent",
      "@type": "owl:Class",
      "rdfs:label": "Agent",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCatalogThing"
      }
    },
    {
      "@id": "d3f:UserGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:User"
      },
      "d3f:definition": "User groups are a way to collect user accounts and/or computer accounts into manageable units. Administrators can assign permissions, roles, or access to resources, as well as modify group membership, depending on the operating system.",
      "d3f:synonym": "Security Group",
      "rdfs:label": "User Group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlGroup"
        },
        {
          "@id": "_:N07c1b0e472ea4c7ca0c10e221f456122"
        }
      ]
    },
    {
      "@id": "_:N07c1b0e472ea4c7ca0c10e221f456122",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:User"
      }
    },
    {
      "@id": "d3f:T1038",
      "@type": "owl:Class",
      "d3f:attack-id": "T1038",
      "rdfs:label": "DLL Search Order Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Reference-FileAndFolderPermissions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727008(v=technet.10)?redirectedfrom=MSDN"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:LocalFilePermissions"
      },
      "d3f:kb-reference-title": "File and Folder Permissions",
      "rdfs:label": "Reference - File and Folder Permissions"
    },
    {
      "@id": "d3f:may-interpret",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-interpret y: They entity x may interpret the thing y; that is, 'x interprets y' may be true.",
      "rdfs:label": "may-interpret",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-04-002/"
      },
      "d3f:kb-abstract": "An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with command line analytics CAR-2013-08-001, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In this cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.\n\nCertain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats\n\n* UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)\n* Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)\n* ASCII IYD@$621 (printable bytes only)\n\nThis identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks",
      "rdfs:label": "Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE"
    },
    {
      "@id": "d3f:Pix2Pix",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PIX",
      "d3f:definition": "Pix2Pix is based on condtional GAN architecture and are trained on paired set of images or scenes from two domains to be used for translation.",
      "d3f:kb-article": "## References\nEsri. (n.d.). How Pix2Pix Works. [Link](https://developers.arcgis.com/python/guide/how-pix2pix-works/)",
      "rdfs:label": "Pix2Pix",
      "rdfs:subClassOf": {
        "@id": "d3f:Image-to-ImageTranslationGAN"
      }
    },
    {
      "@id": "d3f:CWE-639",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-639",
      "rdfs:label": "Authorization Bypass Through User-Controlled Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:CWE-623",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-623",
      "rdfs:label": "Unsafe ActiveX Control Marked Safe For Scripting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-267"
      }
    },
    {
      "@id": "d3f:CWE-1310",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1310",
      "rdfs:label": "Missing Ability to Patch ROM Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1329"
      }
    },
    {
      "@id": "d3f:CWE-80",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-80",
      "rdfs:label": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:step-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Step"
      ],
      "d3f:invokes": {
        "@id": "d3f:CopyToken"
      },
      "d3f:next": {
        "@id": "d3f:step-2"
      },
      "rdfs:label": "Step 1 - Copy Token"
    },
    {
      "@id": "d3f:NetworkSensor",
      "@type": "owl:Class",
      "rdfs:label": "Network Sensor",
      "rdfs:subClassOf": {
        "@id": "d3f:Sensor"
      }
    },
    {
      "@id": "d3f:CWE-625",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-625",
      "rdfs:label": "Permissive Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-185"
      }
    },
    {
      "@id": "d3f:CWE-450",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-450",
      "rdfs:label": "Multiple Interpretations of UI Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-357"
      }
    },
    {
      "@id": "d3f:Reference-ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/491588?reload=true&arnumber=491588"
      },
      "d3f:kb-abstract": "This paper describes a simple, software based keyboard monitoring system for the IBM PC for the continuous analysis of the typing characteristics of the user for the purpose of continuous authentication. By exploiting the electrical characteristics of the PC keyboard interface together with modifications to the internal system timer, very accurate measurements can be made of keystroke interval and duration, including measurements of rollover. Rollover patterns, particularly when typing common diphthongs, can be highly characteristic of individual users and provide quite an accurate indication of the users identity.\nPublished in: European Convention on Security and Detection, 1995.",
      "d3f:kb-author": "S.J. Shepherd",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bradford Univ., UK",
      "d3f:kb-reference-of": {
        "@id": "d3f:InputDeviceAnalysis"
      },
      "d3f:kb-reference-title": "Continuous authentication by analysis of keyboard typing characteristics",
      "rdfs:label": "Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK"
    },
    {
      "@id": "d3f:T1048.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.003",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:Nd1c1473b014c4606b73a1a74c8d412e1"
        }
      ]
    },
    {
      "@id": "_:Nd1c1473b014c4606b73a1a74c8d412e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:IPCNetworkTraffic",
      "@type": "owl:Class",
      "d3f:definition": "IPC network traffic is network traffic related to inter-process communication (IPC) between network nodes..This includes only network traffic conforming to a standard IPC protocol; not custom protocols.",
      "rdfs:label": "IPC Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:AnalyticalPurpose",
      "@type": "owl:Class",
      "rdfs:label": "Analytical Purpose",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:T1483",
      "@type": "owl:Class",
      "d3f:attack-id": "T1483",
      "rdfs:label": "Domain Generation Algorithms",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CWE-270",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-270",
      "rdfs:label": "Privilege Context Switching Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:Reference-ProtectingAgainstDistributedDenialOfServiceAttacks-CiscoTechnologyInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7171683B2"
      },
      "d3f:kb-abstract": "A method for authenticating packet communication traffic includes receiving a data packet sent over a network from a source address to a destination address and reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address. The authenticity of the source address is assessed responsive to the value.",
      "d3f:kb-author": "Guy Pazi, Anat Bremler-Bar, Rami Rivlin, Dan Touitou",
      "d3f:kb-organization": "Cisco Technologies Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Protecting against distributed denial of service attacks",
      "rdfs:label": "Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc."
    },
    {
      "@id": "d3f:NISTSP800-53ControlCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A NIST SP 800-53 control catalog provides the entire set of security and privacy controls for a version of NIST SP 800-53.",
      "rdfs:label": "NIST SP 800-53 Control Catalog",
      "rdfs:seeAlso": "https://doi.org/10.6028/NIST.SP.800-53r5",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ControlCatalog"
        },
        {
          "@id": "_:Na67a6ac8264f4e7b98d602b1aa2c1713"
        }
      ]
    },
    {
      "@id": "_:Na67a6ac8264f4e7b98d602b1aa2c1713",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NISTControl"
      }
    },
    {
      "@id": "d3f:CWE-547",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-547",
      "rdfs:label": "Use of Hard-coded, Security-relevant Constants",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060242406A1"
      },
      "d3f:kb-abstract": "A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed.",
      "d3f:kb-author": "Sumedh Barde, Jonathan Schwartz, Reid Kuhn, Alexandre Grigorovitch, Kirt Debique, Chadd Knowlton, James Alkove, Geoffrey Dunbar, Michael Grier, Ming Ma, Chaitanya Upadhyay, Adil Sherwani, Arun Kishan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft Technology Licensing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:kb-reference-title": "Protected computing environment",
      "rdfs:label": "Reference - Protected computing environment - Microsoft Technology Licensing LLC"
    },
    {
      "@id": "d3f:CCI-000040_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000040"
    },
    {
      "@id": "d3f:CWE-667",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-667",
      "rdfs:label": "Improper Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:T1584.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.004",
      "rdfs:label": "Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:CWE-1336",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1336",
      "rdfs:label": "Improper Neutralization of Special Elements Used in a Template Engine",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:LinuxRename",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/rename.2.html",
      "rdfs:label": "Linux Rename",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:T1063",
      "@type": "owl:Class",
      "d3f:attack-id": "T1063",
      "rdfs:label": "Security Software Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:Resource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:System_resource"
      },
      "rdfs:label": "Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:License",
      "@type": "owl:Class",
      "rdfs:label": "License",
      "rdfs:seeAlso": "http://dbpedia.org/resource/Software_license",
      "rdfs:subClassOf": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "d3f:CWE-184",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-184",
      "rdfs:label": "Incomplete List of Disallowed Inputs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1023"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:CWE-462",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-462",
      "rdfs:label": "Duplicate Key in Associative List (Alist)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-694"
      }
    },
    {
      "@id": "d3f:CWE-1084",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1084",
      "rdfs:label": "Invokable Control Element with Excessive File or Data Access Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Privileged User Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "AC-2(7)"
    },
    {
      "@id": "d3f:M1026",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:StrongPasswordPolicy"
        }
      ],
      "rdfs:label": "Privileged Account Management"
    },
    {
      "@id": "d3f:T1003.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1003.003",
      "rdfs:label": "NTDS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N265c135aeb494224b177cb301f4a66c7"
        }
      ]
    },
    {
      "@id": "_:N265c135aeb494224b177cb301f4a66c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "d3f:CWE-24",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-24",
      "rdfs:label": "Path Traversal: '../filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_15",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Detection of Unsanctioned Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(15)"
    },
    {
      "@id": "d3f:T1059.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.004",
      "rdfs:label": "Unix Shell Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      },
      "skos:altLabel": "Bash Execution"
    },
    {
      "@id": "d3f:T1543.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.004",
      "d3f:modifies": {
        "@id": "d3f:PropertyListFile"
      },
      "rdfs:label": "Launch Daemon",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N1aae2a1a47684b4ab55e005c9c0e0de0"
        }
      ]
    },
    {
      "@id": "_:N1aae2a1a47684b4ab55e005c9c0e0de0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:NetworkTrafficAnalysisSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DigitalArtifact"
      ],
      "d3f:definition": "A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Packet_analyzer"
      },
      "rdfs:label": "Network Traffic Analysis Software",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Category:Network_analyzers"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": "Network Sniffer"
    },
    {
      "@id": "d3f:T1065",
      "@type": "owl:Class",
      "d3f:attack-id": "T1065",
      "rdfs:label": "Uncommonly Used Port",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:copy-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x copy-of y: The subject x is a duplicate of the object y",
      "rdfs:label": "copy-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-108",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-108",
      "rdfs:label": "Struts: Unvalidated Action Form",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:ActiveLogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LogicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-ALLM",
      "d3f:definition": "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection",
      "d3f:kb-article": "## How it works\n\nActive logical link mapping establishes awareness of logical links in the network by sending data over the network to gather information about logical connections in the network.\n\nTypically this will be achieved through network telemetry coordinated for network management and monitoring and will use a link layer discovery protocol such as LLDP and the information gathered and aggregated a higher levels using an application protocol such as SNMP.  The information may be polled by network management softare or configured once and then pushed from network sensors (or agents.)\n\nAnother means of establishing network connectivity is by means of sendingn traffic through the use of a tool such as traceroute, to determine the logical paths through the network architecture.\n\n## Considerations\n\n* Best practice is to encrypte network monitoring data and require authentication for queries or admin/management functions.\n* Push notifications reduce bandwidth necessary to capture and maintain information if reliable transport is used.\n* Special consideration should be made before using of active scanning in OT networks and OT-safe options chosen where available.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
        },
        {
          "@id": "d3f:Reference-SNMPNetworkAutoDiscovery"
        }
      ],
      "d3f:may-query": {
        "@id": "d3f:CollectorAgent"
      },
      "rdfs:label": "Active Logical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogicalLinkMapping"
        },
        {
          "@id": "_:Ne6a052585e314c85b0edc8a9c6d41430"
        }
      ]
    },
    {
      "@id": "_:Ne6a052585e314c85b0edc8a9c6d41430",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-query"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CollectorAgent"
      }
    },
    {
      "@id": "d3f:Non-ParametricTests",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NPT",
      "d3f:definition": "A non-parametric test relies is used when the underlying distribution of data is non-symmetric (non-normal distribution).",
      "d3f:kb-article": "## References\nNewcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/non-parametric-hypothesis-tests.html)",
      "rdfs:label": "Non-Parametric Tests",
      "rdfs:subClassOf": {
        "@id": "d3f:HypothesisTesting"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForManagedSecurityAssessmentAndMitigation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9544324B2"
      },
      "d3f:kb-abstract": "In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device.",
      "d3f:kb-author": "Scott Parcel",
      "d3f:kb-organization": "Cenzic Inc, Trustwave Holdings Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkVulnerabilityAssessment"
      },
      "d3f:kb-reference-title": "System and method for managed security assessment and mitigation",
      "rdfs:label": "Reference - System and method for managed security assessment and mitigation"
    },
    {
      "@id": "d3f:CWE-1109",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1109",
      "rdfs:label": "Use of Same Variable for Multiple Purposes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-392",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-392",
      "rdfs:label": "Missing Report of Error Condition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-684"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:CWE-358",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-358",
      "rdfs:label": "Improperly Implemented Security Check for Standard",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:has-audience",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Unsuccessful Logon Attempts",
      "d3f:exactly": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-7"
    },
    {
      "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170134423A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.\n\nIn order to convince the potential attacker that the deception environment is the real (valid) processing environment and/or part thereof, the campaign manager may construct the false identity according to the public information of the certain user that may typically be available to the potential attacker. By exposing the real (public) information of the certain user to the potential attacker, the false identity may seem consistent and legitimate to the potential attacker. For example, the campaign manager may create a false account, for example, a Facebook account of the certain user that includes the same public information that is publicly available to other Facebook users from the real (genuine) Facebook account of the certain user. The fake company account may include information specific to the role and/or job title of certain user within the company, for example, a programmer, an accountant, an IT person and/or the like.",
      "d3f:kb-author": "Dean Sysman, Gadi Evron, Imri Goldberg, Itamar Sher, Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPersona"
      },
      "d3f:kb-reference-title": "Decoy and deceptive data object technology",
      "rdfs:label": "Reference - Decoy and deceptive data object technology - Cymmetria, Inc."
    },
    {
      "@id": "d3f:may-be-detected-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be detected by",
      "owl:inverseOf": {
        "@id": "d3f:may-detect"
      },
      "rdfs:label": "may-be-detected-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:IntegrationTestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "An integration test execution tool automatically performs integration testing.  Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group.",
      "rdfs:label": "Integration Test Execution Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Integration_testing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:TestExecutionTool"
      }
    },
    {
      "@id": "d3f:AutoregressiveModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AM",
      "d3f:definition": "An autoregressive (AR) model is a representation of a type of random process; as such, it is used to describe certain time-varying processes in nature, economics, behavior, etc.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive model. [Link](https://en.wikipedia.org/wiki/Autoregressive_model)",
      "d3f:synonym": "AR Model",
      "rdfs:label": "Autoregressive Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:ControlCorrelationIdentifierCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A control correlation identifier (CCI) catalog provides a catalog of CCIs for a given release date.",
      "rdfs:label": "Control Correlation Identifier Catalog",
      "rdfs:seeAlso": "https://public.cyber.mil/stigs/cci/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ControlCatalog"
        },
        {
          "@id": "_:N504478573c074ee885b980d53fb19cd0"
        }
      ]
    },
    {
      "@id": "_:N504478573c074ee885b980d53fb19cd0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CCIControl"
      }
    },
    {
      "@id": "d3f:T1588.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.002",
      "rdfs:label": "Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-531",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-531",
      "rdfs:label": "Inclusion of Sensitive Information in Test Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:CWE-435",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-435",
      "rdfs:label": "Improper Interaction Between Multiple Correctly-Behaving Entities",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:Proposition",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": {
        "@id": "http://semanticscience.org/resource/SIO_000256"
      },
      "rdfs:label": "Proposition",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCatalogThing"
      }
    },
    {
      "@id": "d3f:CCI-000198_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces minimum password lifetime restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000198"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "d3f:NetworkIsolation"
        }
      ],
      "d3f:control-name": "Security Function Isolation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SC-3"
    },
    {
      "@id": "d3f:may-map",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-map",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1055.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055.011",
      "rdfs:label": "Extra Window Memory Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:T1055"
      }
    },
    {
      "@id": "d3f:PublicKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A public key can be disseminated widely as part of an asymmetric cryptography framework and be used to encrypt messages sent to the public key's owner or to authenticate messages signed by that owner.",
      "rdfs:label": "Public Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AsymmetricKey"
      }
    },
    {
      "@id": "d3f:CCI-001377_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely authenticates source domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001377"
    },
    {
      "@id": "d3f:T1142",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1142",
      "rdfs:label": "Keychain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nb1f77325617a4f649c7627c7126d4d49"
        }
      ]
    },
    {
      "@id": "_:Nb1f77325617a4f649c7627c7126d4d49",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "d3f:T1491.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1491.002",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "External Defacement",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1491"
        },
        {
          "@id": "_:Ne3c51d2b22ee41f18ae5e847cf0215a6"
        }
      ]
    },
    {
      "@id": "_:Ne3c51d2b22ee41f18ae5e847cf0215a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:CWE-643",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-643",
      "rdfs:label": "Improper Neutralization of Data within XPath Expressions ('XPath Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-91"
        },
        {
          "@id": "d3f:CWE-943"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        }
      ],
      "rdfs:label": "CM-5"
    },
    {
      "@id": "d3f:Reference-WhatIsNX_XDFeature_RedHat",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://access.redhat.com/solutions/2936741"
      },
      "d3f:kb-abstract": "What is NX/XD feature ?\nHow to check whether NX/XD is enabled ?\nHow to enable or disable NX/XD?\n\nNX/XD is a hardware cpu feature which is provided in almost all the hardware. Some BIOS has advanced option of enabling or disabling it.\nNX stands for No eXecute and XD stands for eXecute Disable. Both are same and is a technology used in processors to prevent execution of certain types of code.",
      "d3f:kb-author": "Red Hat",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Red Hat",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSegmentExecutionPrevention"
      },
      "d3f:kb-reference-title": "What is NX/XD feature?",
      "rdfs:label": "Reference - What is NX/XD feature?"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2"
    },
    {
      "@id": "d3f:KernelModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded in order to free memory and other resources.\n\nMost current Unix-like systems and Microsoft Windows support loadable kernel modules, although they might use a different name for them, such as kernel loadable module (kld) in FreeBSD, kernel extension (kext) in macOS, kernel extension module in AIX, kernel-mode driver in Windows NT and downloadable kernel module (DKM) in VxWorks. They are also known as kernel loadable modules (or KLM), and simply as kernel modules (KMOD).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Loadable_kernel_module"
      },
      "rdfs:label": "Kernel Module",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/kernel_driver",
      "rdfs:subClassOf": {
        "@id": "d3f:ObjectFile"
      },
      "skos:altLabel": [
        "LKM",
        "Loadable Kernel Module"
      ]
    },
    {
      "@id": "d3f:SuspendProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:suspends": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Suspend Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N85ebc0296cfd4f8b9a831d8925784c8a"
        }
      ]
    },
    {
      "@id": "_:N85ebc0296cfd4f8b9a831d8925784c8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Role-based Access Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "rdfs:label": "AC-3(7)"
    },
    {
      "@id": "d3f:T1036.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.004",
      "d3f:modifies": {
        "@id": "d3f:JobSchedule"
      },
      "rdfs:label": "Masquerade Task or Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N6491b25bc4ca4de69b36e89434842575"
        }
      ]
    },
    {
      "@id": "_:N6491b25bc4ca4de69b36e89434842575",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:CWE-1061",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1061",
      "rdfs:label": "Insufficient Encapsulation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-000060_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000060"
    },
    {
      "@id": "d3f:Reference-Windows10STIG",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.stigviewer.com/stig/windows_10/"
      },
      "d3f:kb-abstract": "Windows 10 STIG guidance.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:kb-reference-title": "Windows 10 Security Technical Implementation Guide",
      "rdfs:label": "Reference - Windows 10 STIG"
    },
    {
      "@id": "d3f:CWE-473",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-473",
      "rdfs:label": "PHP External Variable Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-471"
      }
    },
    {
      "@id": "d3f:CCI-000020_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically manages user privileges and associated access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000020"
    },
    {
      "@id": "d3f:AdobePDFFile1.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "d3f:may-contain": {
        "@id": "d3f:JavascriptFile"
      },
      "rdfs:label": "Adobe PDF File 1.3"
    },
    {
      "@id": "d3f:dependent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x dependent y: A dependent y is an entity that requires the fulfillment of the requirements specified in dependency x.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/00729216-a",
      "rdfs:label": "dependent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:AuthenticationEventThresholding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authentication"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ANET",
      "d3f:definition": "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.",
      "d3f:kb-article": "## How it works\nAuthentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic.\n\n### Actions\nAs a result of the analysis, actions taken could include:\n\n* [Account Locking](/technique/d3f:AccountLocking)\n* Raising an alert\n\n### Example data sources\n * Directory server logs\n * VPN Server logs\n * IDAM Capability logs\n * NAC logs\n * Authentication client logs\n * Kerberos network traffic\n * LDAP network traffic\n\n## Considerations\n\nThis technique covers statistical outliers. Depending on the complexity or dimensionality of the data considered, however, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-SimultaneousLoginsOnAHost_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoginActivityMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Authentication Event Thresholding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N45b9c7d1f49e45f381749c04d8cb4c7b"
        }
      ]
    },
    {
      "@id": "_:N45b9c7d1f49e45f381749c04d8cb4c7b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:T1128",
      "@type": "owl:Class",
      "d3f:attack-id": "T1128",
      "rdfs:label": "Netsh Helper DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-47",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-47",
      "rdfs:label": "Path Equivalence: ' filename' (Leading Space)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:M1055",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "rdfs:label": "Do Not Mitigate"
    },
    {
      "@id": "d3f:CoefficientOfVariation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-COV",
      "d3f:definition": "The coefficient of variation (CV), also known as relative standard deviation (RSD), is a standardized measure of dispersion of a probability distribution or frequency distribution.\n\nThe coefficient of variation (CV) is defined as the ratio of the standard deviation to the mean.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Coefficient of variation. [Link](https://en.wikipedia.org/wiki/Coefficient_of_variation)",
      "d3f:synonym": [
        "RSD",
        "Relative Standard Deviation"
      ],
      "rdfs:label": "Coefficient of Variation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:PhysicalArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Physical Artifact",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Artifact"
        },
        {
          "@id": "d3f:PhysicalObject"
        }
      ]
    },
    {
      "@id": "d3f:T1117",
      "@type": "owl:Class",
      "d3f:attack-id": "T1117",
      "rdfs:label": "Regsvr32",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-777",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-777",
      "rdfs:label": "Regular Expression without Anchors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-625"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Separation of System and User Functionality | Interfaces for Non-privileged Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "SC-2(1)"
    },
    {
      "@id": "d3f:IntranetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet network traffic is network traffic that does not traverse a given network's boundaries.",
      "rdfs:label": "Intranet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1050",
      "@type": "owl:Class",
      "d3f:attack-id": "T1050",
      "rdfs:label": "New Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000071_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000071"
    },
    {
      "@id": "d3f:LogonUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Logon User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N4ec3ff920ff0427299193fcba986f844"
        }
      ]
    },
    {
      "@id": "_:N4ec3ff920ff0427299193fcba986f844",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-835",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-835",
      "rdfs:label": "Loop with Unreachable Exit Condition ('Infinite Loop')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:CWE-672",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-672",
      "rdfs:label": "Operation on a Resource after Expiration or Release",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-666"
      }
    },
    {
      "@id": "d3f:T1110.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1110.004",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Credential Stuffing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:N64c7dae1b4fb4f44b3088e07cc3ec0ec"
        },
        {
          "@id": "_:Ne796b8ba87b448edbb5b24a6bd057894"
        },
        {
          "@id": "_:N1cbc2a80b0be44a88ef43cdbc1429c73"
        }
      ]
    },
    {
      "@id": "_:N64c7dae1b4fb4f44b3088e07cc3ec0ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:Ne796b8ba87b448edbb5b24a6bd057894",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N1cbc2a80b0be44a88ef43cdbc1429c73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:CWE-339",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-339",
      "rdfs:label": "Small Seed Space in PRNG",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:CWE-469",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-469",
      "rdfs:label": "Use of Pointer Subtraction to Determine Size",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CCI-001556_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely authenticates destination domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001556"
    },
    {
      "@id": "d3f:CCI-002281_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the association of organization-defined security attributes to organization-defined subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002281"
    },
    {
      "@id": "d3f:CCI-001555_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies destination domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001555"
    },
    {
      "@id": "d3f:CloudServiceAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a cloud service.",
      "rdfs:label": "Cloud Service Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:WebAuthentication"
      }
    },
    {
      "@id": "d3f:CWE-416",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-416",
      "rdfs:label": "Use After Free",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-825"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Attribute-based Access Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "rdfs:label": "AC-3(13)"
    },
    {
      "@id": "d3f:CWE-455",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-455",
      "rdfs:label": "Non-exit on Failed Initialization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-636"
        },
        {
          "@id": "d3f:CWE-665"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:T1583.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.002",
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:T1056.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1056.004",
      "d3f:may-modify": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Credential API Hooking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N262040d793d64ee9acf476b2a76fb54c"
        }
      ]
    },
    {
      "@id": "_:N262040d793d64ee9acf476b2a76fb54c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:CWE-192",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-192",
      "rdfs:label": "Integer Coercion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:CWE-1240",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1240",
      "rdfs:label": "Use of a Cryptographic Primitive with a Risky Implementation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-327"
      }
    },
    {
      "@id": "d3f:CWE-585",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-585",
      "rdfs:label": "Empty Synchronized Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1071"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Automated Support for Predictive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(3)"
    },
    {
      "@id": "d3f:CCI-001589_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization‚Äôs incident response capability to ensure they are tracked.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001589"
    },
    {
      "@id": "d3f:HarmonicMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HM",
      "d3f:definition": "The reciprocal of the arithmetic mean of the reciprocals of the data values. This measure too is valid only for data that are measured absolutely on a strictly positive scale.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Harmonic Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:PolicyGradient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PG",
      "d3f:definition": "The objective of a Reinforcement Learning Policy Gradient agent is to maximize the “expected” reward when following a policy",
      "d3f:kb-article": "## References\nPolicy Gradients in a Nutshell. Towards Data Science.  [Link](https://towardsdatascience.com/policy-gradients-in-a-nutshell-8b72f9743c5d).",
      "rdfs:label": "Policy Gradient",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:T1558.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558.003",
      "d3f:definition": "Service Provider Name (SPN) scanning is one way to gather hashes, which results in RPC calls conforming to the NSPI protocol.",
      "d3f:may-produce": {
        "@id": "d3f:RPCNetworkTraffic"
      },
      "rdfs:label": "Kerberoasting",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nspi/6dd0a3ea-b4d4-4a73-a857-add03a89a543"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1558"
        },
        {
          "@id": "_:N1a941c3499014a9089b838a6d3aac549"
        }
      ]
    },
    {
      "@id": "_:N1a941c3499014a9089b838a6d3aac549",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-SupplyChainCyber-deception_Cymmetria,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/WO2017187379A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network from external endpoints, comprising monitoring, at a protected network, communication with one or more external endpoints using one or more access clients to access one or more of a plurality of resources of the protected networked, where one or more deception resources created in the protected network map one or more of the plurality of resources, detecting usage of data contained in one or more of a plurality of deception data objects deployed in the one or more access clients by monitoring an interaction triggered by one or more of the deception data objects with the one or more deception resources when used and identifying one or more potential unauthorized operations based on analysis of the detection.",
      "d3f:kb-author": "Gadi EVRON; Dean SYSMAN; Imri Goldberg; Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "Supply chain cyber-deception",
      "rdfs:label": "Reference - Supply chain cyber-deception - Cymmetria, Inc."
    },
    {
      "@id": "d3f:CWE-793",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-793",
      "rdfs:label": "Only Filtering One Instance of a Special Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-792"
      }
    },
    {
      "@id": "d3f:CWE-1082",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1082",
      "rdfs:label": "Class Instance Self Destruction Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:CWE-441",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-441",
      "rdfs:label": "Unintended Proxy or Intermediary ('Confused Deputy')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:NTFSHardLink",
      "@type": "owl:Class",
      "d3f:definition": "An NTFS hard link points to another file, and files share the same MFT entry (inode), in the same filesystem.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Hard Link",
      "rdfs:seeAlso": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardLink"
        },
        {
          "@id": "d3f:NTFSLink"
        }
      ]
    },
    {
      "@id": "d3f:T1491.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1491.001",
      "d3f:modifies": {
        "@id": "d3f:Resource"
      },
      "rdfs:label": "Internal Defacement",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1491"
        },
        {
          "@id": "_:Nc77c9ba15e704b56839e2041350877fe"
        }
      ]
    },
    {
      "@id": "_:Nc77c9ba15e704b56839e2041350877fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:Reference-CommandLineUsageOfArchivingSoftware_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-005/"
      },
      "d3f:kb-abstract": "Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.\n\nIn addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of \"\\* a \\*\". This is helpful, as adversaries may change program names.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-07-005: Command Line Usage of Archiving Software",
      "rdfs:label": "Reference - CAR-2013-07-005: Command Line Usage of Archiving Software - MITRE"
    },
    {
      "@id": "d3f:CCI-002041_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002041"
    },
    {
      "@id": "d3f:Relational-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RBTL",
      "d3f:definition": "Relational-based Transfer Learning is a subfield of machine learning where knowledge and patterns learned from one domain, characterized by relational and structured data, are transferred to enhance the learning of another related domain. This approach leverages shared concepts, relations, and structures across domains, taking advantage of the rich semantic knowledge within relational data to improve learning performance in the target task.",
      "d3f:kb-article": "## References\nV7 Labs. (n.d.). Transfer Learning Guide. [Link](https://www.v7labs.com/blog/transfer-learning-guide#:~:text=Relational%2Dbased%20transfer%20learning%20approaches,domain%20to%20the%20target%20domain).",
      "rdfs:label": "Relational-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-601",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-601",
      "rdfs:label": "URL Redirection to Untrusted Site ('Open Redirect')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:ParentProcess",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a parent process is a process that has created one or more child processes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Parent_process"
      },
      "rdfs:label": "Parent Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Child_process"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1564.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.007",
      "d3f:modifies": {
        "@id": "d3f:OfficeApplicationFile"
      },
      "rdfs:label": "VBA Stomping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:Naf4dcd4643714b2e91a7d797a0f22171"
        }
      ]
    },
    {
      "@id": "_:Naf4dcd4643714b2e91a7d797a0f22171",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplicationFile"
      }
    },
    {
      "@id": "d3f:CWE-48",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-48",
      "rdfs:label": "Path Equivalence: 'file name' (Internal Whitespace)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-522",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-522",
      "rdfs:label": "Insufficiently Protected Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "IA-2(4)"
    },
    {
      "@id": "d3f:CWE-829",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-829",
      "rdfs:label": "Inclusion of Functionality from Untrusted Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-669"
      }
    },
    {
      "@id": "d3f:CCI-002630_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ScriptExecutionAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002630"
    },
    {
      "@id": "d3f:DNSDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:blocks": {
        "@id": "d3f:DNSNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-DNSDL",
      "d3f:definition": "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.",
      "d3f:kb-article": "## How it works\nRules are implemented that filter DNS queries using criteria such as:\n- Client subnet\n- Type of network protocol used in query\n- Fully qualified domain name (FQDN) of record in the query\n- DNS Server IP address that received the DNS request\n- Type of DNS record being queried\n- Time of day the query is received\n- Size of the response\n\nFor example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.\n\n## Considerations\n- Implementation considerations for DNS filtering policies to avoid over-blocking or under-blocking domains.\n- Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes.\n- File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking).\n- Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "DNS Blacklisting",
      "rdfs:label": "DNS Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N44861ade351342a0924f0bb2a55c6d9d"
        }
      ]
    },
    {
      "@id": "_:N44861ade351342a0924f0bb2a55c6d9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Open-sourceDeveloper",
      "@type": "owl:Class",
      "rdfs:label": "Open-source Developer",
      "rdfs:subClassOf": {
        "@id": "d3f:ProductDeveloper"
      }
    },
    {
      "@id": "d3f:end",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "end",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:BootSector",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A boot record [boot sector] is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS, Das U-Boot, etc.).",
      "rdfs:label": "Boot Sector",
      "rdfs:seeAlso": {
        "@id": "dbr:Boot_sector"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:BootRecord"
      }
    },
    {
      "@id": "d3f:CWE-918",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-918",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Server-Side Request Forgery (SSRF)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-441"
        },
        {
          "@id": "_:N151907fbffca4c42a75ca4fbec2662e0"
        }
      ]
    },
    {
      "@id": "_:N151907fbffca4c42a75ca4fbec2662e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "rdfs:label",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:CWE-528",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-528",
      "rdfs:label": "Exposure of Core Dump File to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:CWE-927",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-927",
      "rdfs:label": "Use of Implicit Intent for Sensitive Communication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:CWE-179",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-179",
      "rdfs:label": "Incorrect Behavior Order: Early Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-20"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:CWE-610",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-610",
      "rdfs:label": "Externally Controlled Reference to a Resource in Another Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-260",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-260",
      "rdfs:label": "Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:CWE-374",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-374",
      "rdfs:label": "Passing Mutable Objects to an Untrusted Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5502815A"
      },
      "d3f:kb-abstract": "The method and apparatus for increasing the speed at which computer viruses are detected stores initial state information concerning the file or volume which is being examined for a virus. This information is stored in a cache in a non-volatile storage medium and when files are subsequently scanned for viruses, the current state information is compared to the initial state information stored in the cache. If the initial state information differs from the current state information then the file or volume is scanned for viruses which change the state information of the file or volume. If the initial state information and current state information is the same then the file or volume is scanned for a subset of viruses which do not change the state information.",
      "d3f:kb-author": "Paul D. Cozza",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:kb-reference-title": "Method and apparatus for increasing the speed at which computer viruses are detected",
      "rdfs:label": "Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC"
    },
    {
      "@id": "d3f:T1531",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1531",
      "d3f:modifies": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Account Access Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImpactTechnique"
        },
        {
          "@id": "_:N4fbeb4d8562d419bad771f836bcce777"
        }
      ]
    },
    {
      "@id": "_:N4fbeb4d8562d419bad771f836bcce777",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1498.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1498.002",
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Reflection Amplification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "_:N4ddc5e03ef61400d8af6fdd1d44e6ddd"
        }
      ]
    },
    {
      "@id": "_:N4ddc5e03ef61400d8af6fdd1d44e6ddd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-009/"
      },
      "d3f:kb-abstract": "CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-009: CertUtil With Decode Argument",
      "rdfs:label": "Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE"
    },
    {
      "@id": "d3f:T1021.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021.001",
      "d3f:creates": {
        "@id": "d3f:RDPSession"
      },
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "Remote Desktop Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1021"
        },
        {
          "@id": "_:Ne7b2bd3862f0468b98d82e7bcaff37a3"
        },
        {
          "@id": "_:Nffd11ab97dac4a8a9cecf4788f04247f"
        }
      ]
    },
    {
      "@id": "_:Ne7b2bd3862f0468b98d82e7bcaff37a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPSession"
      }
    },
    {
      "@id": "_:Nffd11ab97dac4a8a9cecf4788f04247f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1145",
      "@type": "owl:Class",
      "d3f:attack-id": "T1145",
      "rdfs:label": "Private Keys",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Access to Accounts —separate Device",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(6)"
    },
    {
      "@id": "d3f:CWE-535",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-535",
      "rdfs:label": "Exposure of Information Through Shell Error Message",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:CWE-843",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-843",
      "rdfs:label": "Access of Resource Using Incompatible Type ('Type Confusion')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:CCI-001405_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account removal actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001405"
    },
    {
      "@id": "d3f:PredicateLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Predicate logic is is collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic and Higher-order logic both incorporate predicate logic.",
      "d3f:kb-article": "## References\n1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic)\n2. Higher-order logic. (2023, May 13)\n[Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
      "rdfs:label": "Predicate Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:M1039",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:SystemFileAnalysis"
        }
      ],
      "rdfs:label": "Environment Variable Permissions"
    },
    {
      "@id": "d3f:CCI-001499_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization limits privileges to change software resident within software libraries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001499"
    },
    {
      "@id": "d3f:CWE-141",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-141",
      "rdfs:label": "Improper Neutralization of Parameter/Argument Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:T1564.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.005",
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:modifies": {
        "@id": "d3f:Storage"
      },
      "rdfs:label": "Hidden File System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N16ba648ce2ed44509f48b13b24e11c5b"
        },
        {
          "@id": "_:N0cbb5dae85d647feafd3a174f72b21f2"
        }
      ]
    },
    {
      "@id": "_:N16ba648ce2ed44509f48b13b24e11c5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:N0cbb5dae85d647feafd3a174f72b21f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:CWE-67",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-67",
      "rdfs:label": "Improper Handling of Windows Device Names",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:T1215",
      "@type": "owl:Class",
      "d3f:attack-id": "T1215",
      "rdfs:label": "Kernel Modules and Extensions",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Weakness",
      "@type": "owl:Class",
      "d3f:definition": "A weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.",
      "rdfs:label": "Weakness",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:SystemFirewallConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:configures": {
        "@id": "d3f:Host-basedFirewall"
      },
      "d3f:definition": "The configuration for a individual host operating system's firewall.",
      "rdfs:label": "System Firewall Configuration",
      "rdfs:seeAlso": {
        "@id": "dbr:Firewall_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        },
        {
          "@id": "_:N81f0600e4ace40559cbff2986705617f"
        }
      ]
    },
    {
      "@id": "_:N81f0600e4ace40559cbff2986705617f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:configures"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host-basedFirewall"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:control-name": "System Monitoring",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-4"
    },
    {
      "@id": "d3f:CWE-515",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-515",
      "rdfs:label": "Covert Storage Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-514"
      }
    },
    {
      "@id": "d3f:CCI-000034_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000034"
    },
    {
      "@id": "d3f:Network",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes. The interconnections between nodes are formed from a broad spectrum of telecommunication network technologies, based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.",
      "rdfs:label": "Network",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/03826490-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "Computer Network"
    },
    {
      "@id": "d3f:CCI-000194_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of numeric characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000194"
    },
    {
      "@id": "d3f:CWE-1303",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1303",
      "rdfs:label": "Non-Transparent Sharing of Microarchitectural Resources",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1189"
        },
        {
          "@id": "d3f:CWE-203"
        }
      ]
    },
    {
      "@id": "d3f:OperationalDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalActivityMapping"
      ],
      "d3f:d3fend-id": "D3-ODM",
      "d3f:definition": "Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.)  This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-CyberCommandSystemCYCS"
        },
        {
          "@id": "d3f:Reference-DaggerFactSheet"
        },
        {
          "@id": "d3f:Reference-DaggerModelingAndVisualizationForMissionImpactSituationalAwareness"
        },
        {
          "@id": "d3f:Reference-MissionDependencyModelingForCyberSituationalAwareness"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": [
        {
          "@id": "d3f:Dependency"
        },
        {
          "@id": "d3f:OrganizationalActivity"
        }
      ],
      "rdfs:label": "Operational Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:N692efd8352274637b5b0b18a29326f51"
        },
        {
          "@id": "_:Nb8e55193b1354a3db74d2b44ab935e75"
        }
      ]
    },
    {
      "@id": "_:N692efd8352274637b5b0b18a29326f51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "_:Nb8e55193b1354a3db74d2b44ab935e75",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OrganizationalActivity"
      }
    },
    {
      "@id": "d3f:latency",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "latency",
      "rdfs:range": {
        "@id": "_:N65e3b57a7ecd4635b757e6d7acc19827"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "_:N65e3b57a7ecd4635b757e6d7acc19827",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:latency"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Latency"
      }
    },
    {
      "@id": "d3f:M1042",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        }
      ],
      "rdfs:label": "Disable or Remove Feature or Program"
    },
    {
      "@id": "d3f:Reference-Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10320815B2/en?oq=US-10320815-B2"
      },
      "d3f:kb-abstract": "Methods and systems are disclosed for selecting text character strings from a corpus of relevant strings that would commonly be considered to be visually similar to human viewer to an input string. The initial corpus may be any sufficiently broad or specific source of text, e.g., the names of users in a computer application system. The character strings in the corpus are classified such that direct, character-by-character comparisons may be limited to a small subset of likely-similar strings. The input string is then directly compared to strings that are likely to be similar to it, taking into account individual characters' similarities, combinations of characters that look similar to individual characters, transposition of characters, and simple additions and deletions.",
      "d3f:kb-author": "Raymond W. Wallace, III",
      "d3f:kb-mitre-analysis": "Text input is compared to an engine of look-alike sets of text characters. An estimate of similar characters based on the engine is conducted, and an alert is triggered if the estimated similarity is lower than a given threshold.",
      "d3f:kb-organization": "Greathorn Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "Computer-implemented methods and systems for identifying visually similar text character strings",
      "rdfs:label": "Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Inc"
    },
    {
      "@id": "d3f:TemporalDifferenceLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TDL",
      "d3f:definition": "Temporal difference (TD) learning refers to a class of model-free reinforcement learning methods which learn by bootstrapping from the current estimate of the value function. These methods sample from the environment, like Monte Carlo methods, and perform updates based on current estimates, like dynamic programming methods",
      "d3f:kb-article": "## References\nTemporal difference learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Temporal_difference_learning).",
      "rdfs:comment": "Temporal difference (TD) learning refers to a class of model-free reinforcement learning methods which learn by bootstrapping from the current estimate of the value function.",
      "rdfs:label": "Temporal Difference Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:executed-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:executes"
      },
      "rdfs:label": "executed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1553.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553.006",
      "rdfs:label": "Code Signing Policy Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1553"
      }
    },
    {
      "@id": "d3f:CWE-346",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-346",
      "rdfs:label": "Origin Validation Error",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-345"
        }
      ]
    },
    {
      "@id": "d3f:NetworkLink",
      "@type": "owl:Class",
      "d3f:definition": "A network link is a link within the network layer, which is responsible for packet forwarding including routing through intermediate routers.",
      "d3f:synonym": [
        "Layer-3 Link",
        "Network Layer Link"
      ],
      "rdfs:label": "Network Link",
      "rdfs:seeAlso": [
        "https://dbpedia.org/resource/Network_layer",
        "https://www.techtarget.com/searchnetworking/definition/Network-layer"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:T1059",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1059",
      "d3f:executes": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Command and Scripting Interpreter Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:Nea818e666a0b42359ee1b6559e797faa"
        }
      ]
    },
    {
      "@id": "_:Nea818e666a0b42359ee1b6559e797faa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:CWE-272",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-272",
      "rdfs:label": "Least Privilege Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-271"
      }
    },
    {
      "@id": "d3f:AdminFeatureClaim",
      "@type": "owl:Class",
      "rdfs:label": "Admin Feature Claim",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CapabilityFeatureClaim"
        },
        {
          "@id": "_:N81431de07c3b46c18eca9a3ecfdbd88a"
        },
        {
          "@id": "_:Nebf90f87838245d4965553aea5b46d2d"
        },
        {
          "@id": "_:Nb304e0dbfe6f4fa38be4711825349357"
        }
      ]
    },
    {
      "@id": "_:N81431de07c3b46c18eca9a3ecfdbd88a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:cites"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "_:Nebf90f87838245d4965553aea5b46d2d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:claims"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeFeature"
      }
    },
    {
      "@id": "_:Nb304e0dbfe6f4fa38be4711825349357",
      "@type": "owl:Restriction",
      "owl:allValuesFrom": {
        "@id": "d3f:AdministrativeFeature"
      },
      "owl:onProperty": {
        "@id": "d3f:features"
      }
    },
    {
      "@id": "d3f:Grid-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBC",
      "d3f:definition": "Divides the entire data space into a finite number of cells reducing the complexity of the data and focuses on the cells rather than the data.",
      "d3f:kb-article": "## References\nTechVidvan. (n.d.). Clustering in Machine Learning Tutorial. [Link](https://techvidvan.com/tutorials/clustering-in-machine-learning/)",
      "rdfs:label": "Grid-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:d3fend-kb-reference-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-kb-data-property y: The reference x has the data property y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "d3fend-kb-reference-annotation",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:CWE-240",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-240",
      "rdfs:label": "Improper Handling of Inconsistent Structural Elements",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-237"
        },
        {
          "@id": "d3f:CWE-707"
        }
      ]
    },
    {
      "@id": "d3f:T1054",
      "@type": "owl:Class",
      "d3f:attack-id": "T1054",
      "rdfs:label": "Indicator Blocking",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-266",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-266",
      "rdfs:label": "Incorrect Privilege Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:may-transfer",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-transfer y: They entity x might send the thing y; that is, 'x transfers y' may be true.",
      "rdfs:label": "may-transfer",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CCI-001297_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system detects unauthorized changes to software and information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001297"
    },
    {
      "@id": "d3f:CWE-587",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-587",
      "rdfs:label": "Assignment of a Fixed Address to a Pointer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-344"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:CWE-220",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-220",
      "rdfs:label": "Storage of File With Sensitive Data Under FTP Root",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:DiscriminantAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DA",
      "d3f:definition": "Discriminant analysis attempts to establish whether a set of variables can be used to distinguish between two or more groups of cases.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "rdfs:label": "Discriminant Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:MultivariateAnalysis"
      }
    },
    {
      "@id": "d3f:GlobalUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A type of user account in Microsoft Windows (NT) that has a domain-wide scope.defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to the domain.",
      "rdfs:label": "Global User Account",
      "rdfs:seeAlso": {
        "@id": "https://networkencyclopedia.com/global-user-account"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:narrower",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "narrower",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:modified",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date on which the resource was changed.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date modified"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-291",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-291",
      "rdfs:label": "Reliance on IP Address for Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-290"
        },
        {
          "@id": "d3f:CWE-471"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:OutboundInternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet network traffic is network traffic on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:MicrosoftWordDOCFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOC File"
    },
    {
      "@id": "d3f:IPCTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-IPCTA",
      "d3f:definition": "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.",
      "d3f:kb-article": "## How it works\nInter process communication enables applications or threads to share data. This can involve one or more computers. Monitoring IPC in your environment can reveal abnormal or malicious activity.\nIPC can occur within a single computer or between multiple computers remotely through network protocols. Thus there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usages.\n\n### Examples\n * SMB\n * Zeromq\n * Java RMI API\n\n## Considerations\n* IPC can generate substantial amounts of data, and it may not be feasible to collect all of it.\n* IPC may occur over loopback interfaces or direct memory access granted by the operating system.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SMBCopyAndExecution_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBEventsMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBSessionSetups_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest_MITRE"
        },
        {
          "@id": "d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc"
        },
        {
          "@id": "d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE"
        }
      ],
      "d3f:synonym": "IPC Analysis",
      "rdfs:label": "IPC Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Nc1dd0a288a8e4627a73e52711f97e0f9"
        }
      ]
    },
    {
      "@id": "_:Nc1dd0a288a8e4627a73e52711f97e0f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1134.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.003",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "d3f:creates": {
        "@id": "d3f:LoginSession"
      },
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Make and Impersonate Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N37ded19fcd5147dbb957eab327e46de0"
        },
        {
          "@id": "_:N9a562c3614f8439f948df8f6433a8aa7"
        },
        {
          "@id": "_:N91468daf3e1b4e93bfffc4a14fcd6e69"
        }
      ]
    },
    {
      "@id": "_:N37ded19fcd5147dbb957eab327e46de0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "_:N9a562c3614f8439f948df8f6433a8aa7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoginSession"
      }
    },
    {
      "@id": "_:N91468daf3e1b4e93bfffc4a14fcd6e69",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:d3fend-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-data-property",
      "rdfs:subPropertyOf": {
        "@id": "owl:topDataProperty"
      }
    },
    {
      "@id": "d3f:CWE-644",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-644",
      "rdfs:label": "Improper Neutralization of HTTP Headers for Scripting Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:DNSTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-DNSTA",
      "d3f:definition": "Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.",
      "d3f:kb-article": "## How it works\nThis technique can be accomplished in a number of ways.\n\n* One example analytic determines whether or not a domain name was generated with an algorithm. Domain generation algorithms (DGAs) are sometimes used to create a domain name automatically  that will resolve to C2 infrastructure, without directly coding the domains in question into the malicious code.\n* Another method analyzes information about domains that have been visited, including whether a domain name is longer than a common length,  if a dynamic DNS domain was visited, if a fast-flux domain was visited, and if a recently created domain was visited. These factors are used to develop a score and if that score is over a certain threshold, an alert is generated.\n* Collected malware samples can be executed in a virtual environment to identify network domains that are connected to during execution. The network domains are then generated into signatures to identity bad domains for other hosts.\n\nThis technique does not check for content hosted at the domain.\n\n## Considerations\n\n* DNS produces a large amount of traffic which can be resource-intensive to analyze in real time.\n* If a server is compromised, for example, as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique would not catch such an incident.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc"
        },
        {
          "@id": "d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_"
        },
        {
          "@id": "d3f:Reference-SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc"
        }
      ],
      "d3f:may-contain": {
        "@id": "d3f:DNSLookup"
      },
      "d3f:synonym": "Domain Name Analysis",
      "rdfs:label": "DNS Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N125e04702dfd482e88d5cf797b064eee"
        },
        {
          "@id": "_:N6af25b0e4ea34740bf81362ed3ae1555"
        }
      ]
    },
    {
      "@id": "_:N125e04702dfd482e88d5cf797b064eee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "_:N6af25b0e4ea34740bf81362ed3ae1555",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:used-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x used-by y: is inverse of y uses x.",
      "owl:inverseOf": {
        "@id": "d3f:uses"
      },
      "rdfs:label": "used-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-624",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-624",
      "rdfs:label": "Executable Regular Expression Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:T1218",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218",
      "rdfs:label": "Signed Binary Proxy Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170149825A1"
      },
      "d3f:kb-abstract": "Provided are devices, computer-program products, and methods (e.g., methods implemented by a production system or security agent program or process) for providing services on a production system to mimic a deception mechanism. For example, a method can include determining a deception characteristic of a deception mechanism and determining a production characteristic of the production system. The method can further include determining an additional service or a modification of an existing service of the production system using the deception characteristic and the production characteristic. In some cases, the additional service and/or the modification can be a deterrent to potential attackers of the production system. The method can further include modifying the production system to mimic the deception mechanism, including adding the additional service to the production system or modifying the existing service using the modification.",
      "d3f:kb-author": "Sreenivas Gukal, Rammohan Varadarajan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Acalvio Technologies Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ConnectedHoneynet"
      },
      "d3f:kb-reference-title": "Modification of a Server to Mimic a Deception Mechanism",
      "rdfs:label": "Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Inc"
    },
    {
      "@id": "d3f:CWE-315",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-315",
      "rdfs:label": "Cleartext Storage of Sensitive Information in a Cookie",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:Record",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, a record (also called struct or compound data) is a basic data structure. A record is a collection of fields, possibly of different data types, typically in fixed number and sequence . The fields of a record may also be called members, particularly in object-oriented programming. Fields may also be called elements, though these risk confusion with the elements of a collection. A tuple may or may not be considered a record, and vice versa, depending on conventions and the specific programming language.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Record_(computer_science)"
      },
      "rdfs:label": "Record",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:stage",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "rdfs:label": "stage",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Predictive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(2)"
    },
    {
      "@id": "d3f:T1004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1004",
      "rdfs:label": "Winlogon Helper DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1195.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.002",
      "d3f:modifies": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Compromise Software Supply Chain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:N0bc1ec03155145abb0edf75f1f26da4f"
        }
      ]
    },
    {
      "@id": "_:N0bc1ec03155145abb0edf75f1f26da4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:StatisticalMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "Building methods using the mathematical study of the likelihood and probability of events occurring based on known information and inferred by taking a limited number of samples.",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Statistics. [Link](https://mathworld.wolfram.com/Statistics.html)",
      "rdfs:label": "Statistical Method",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:CWE-566",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-566",
      "rdfs:label": "Authorization Bypass Through User-Controlled SQL Primary Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-639"
      }
    },
    {
      "@id": "rdfs:isDefinedBy",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "isDefinedBy"
    },
    {
      "@id": "d3f:T1546.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.009",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "AppCert DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N5685bcce9e4b4d439e21a4cc497fd07d"
        },
        {
          "@id": "_:N6df92317b080440b9bb0c13c731a3890"
        },
        {
          "@id": "_:N9a03513e54f8496cbba3dcb6f2c93043"
        }
      ]
    },
    {
      "@id": "_:N5685bcce9e4b4d439e21a4cc497fd07d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N6df92317b080440b9bb0c13c731a3890",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N9a03513e54f8496cbba3dcb6f2c93043",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:BootloaderAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:BootLoader"
      },
      "d3f:d3fend-id": "D3-BA",
      "d3f:definition": "Cryptographically authenticating the bootloader software before system boot.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UEFIPlatformInitialization-Specification"
      },
      "d3f:synonym": "Secure Boot",
      "rdfs:label": "Bootloader Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:Nac115791a81d458e819365d45bae8b19"
        }
      ]
    },
    {
      "@id": "_:Nac115791a81d458e819365d45bae8b19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:CCI-002690_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system distributes indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002690"
    },
    {
      "@id": "d3f:T1047",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1047",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Windows Management Instrumentation Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N56f48022f9f646218f255e229cfb5c92"
        },
        {
          "@id": "_:N14c53556bc57403e96397c4c1e290c7c"
        }
      ]
    },
    {
      "@id": "_:N56f48022f9f646218f255e229cfb5c92",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:N14c53556bc57403e96397c4c1e290c7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1089",
      "@type": "owl:Class",
      "d3f:attack-id": "T1089",
      "rdfs:label": "Disabling Security Tools",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001124_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents discovery of specific system components composing a managed interface.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001124"
    },
    {
      "@id": "d3f:CWE-666",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-666",
      "rdfs:label": "Operation on Resource in Wrong Phase of Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:DecoyPublicRelease",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DPR",
      "d3f:definition": "Issuing publicly released media to deceive adversaries.",
      "d3f:kb-article": "## How it works\nPublicly released media includes press releases, videos, or other marketing collateral. The media may include URLs, points of contact, or other identifiers to entice interaction from adversaries.\n\n## Considerations\n* Information used in decoy public released media must contain enough realism to deceive and provide interaction from adversaries.\n* Continuous development, creation, and distribution of media and identifiers are needed to ensure adversary interaction continues over time.\n* Decoy public releases could be placed on platforms with different degrees of ownership, including entirely enterprise-owned infrastructure, IaaS, and SaaS (including social applications). Platforms that are not entirely enterprise-owned may be more likely to gather information.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc"
      },
      "rdfs:label": "Decoy Public Release",
      "rdfs:subClassOf": {
        "@id": "d3f:DecoyObject"
      }
    },
    {
      "@id": "d3f:X86CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "X86 Code Segment"
    },
    {
      "@id": "d3f:DefenseEvasion",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 5,
      "rdfs:label": "Defense Evasion",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-196",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-196",
      "rdfs:label": "Unsigned to Signed Conversion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:CWE-1112",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1112",
      "rdfs:label": "Incomplete Documentation of Program Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:CWE-347",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-347",
      "rdfs:label": "Improper Verification of Cryptographic Signature",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:CCI-002384_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002384"
    },
    {
      "@id": "d3f:WHOISCompatibleDomainRegistration",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainRegistration"
      ],
      "rdfs:label": "WHOIS Compatible Domain Registration"
    },
    {
      "@id": "d3f:T1558",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558",
      "d3f:may-access": {
        "@id": "d3f:KerberosTicket"
      },
      "d3f:may-create": {
        "@id": "d3f:KerberosTicket"
      },
      "rdfs:label": "Steal or Forge Kerberos Tickets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N400223a89c914215ac9d3d105a183683"
        },
        {
          "@id": "_:N266b189d8dc34e7faf644d4df99adfe2"
        }
      ]
    },
    {
      "@id": "_:N400223a89c914215ac9d3d105a183683",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicket"
      }
    },
    {
      "@id": "_:N266b189d8dc34e7faf644d4df99adfe2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicket"
      }
    },
    {
      "@id": "d3f:CWE-681",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-681",
      "rdfs:label": "Incorrect Conversion between Numeric Types",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Mandatory Access Control",
      "d3f:exactly": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-3(3)"
    },
    {
      "@id": "d3f:Semi-supervisedCo-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSCT",
      "d3f:definition": "Multi-view co-training involves training the classifiers in completely different views of training data. On the other hand, single-view co-training methods are generally applied as ensemble methods.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Co-training",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:T1568.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.003",
      "rdfs:label": "DNS Calculation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:T1566.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.002",
      "d3f:produces": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:InboundInternetMailTraffic"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Spearphishing Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:N368b09cea6954ad9a80ad9feeb57651a"
        },
        {
          "@id": "_:N7238e58f9c5d4f5a9d8f8b69c8c3a331"
        },
        {
          "@id": "_:N77a82be9b89f4db289e9bb4b07db04a9"
        }
      ]
    },
    {
      "@id": "_:N368b09cea6954ad9a80ad9feeb57651a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N7238e58f9c5d4f5a9d8f8b69c8c3a331",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetMailTraffic"
      }
    },
    {
      "@id": "_:N77a82be9b89f4db289e9bb4b07db04a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:AnswerSetProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ASP",
      "d3f:definition": "Answer set programming is a form of declarative programming based on the stable model (answer set) semantics of logic programming.",
      "d3f:kb-article": "## How it works\nAnswer set programming (ASP) is oriented towards difficult (primarily NP-hard) search problems. The computational process employed in the design of many answer set solvers is an enhancement of the DPLL algorithm and, in principle, it always terminates (unlike Prolog query evaluation, which may lead to an infinite loop).\n\nIn a more general sense, ASP includes all applications of answer sets to knowledge representation and the use of Prolog-style query evaluation for solving problems arising in these applications.\n\n## References\n1. Answer set programming. (2023, April 27). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Answer_set_programming)",
      "d3f:synonym": "ASP",
      "rdfs:label": "Answer Set Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:ROM",
      "@type": "owl:Class",
      "d3f:definition": "Read-only memory (ROM) is a type of non-volatile memory used in computers and other electronic devices. Data stored in ROM cannot be electronically modified after the manufacture of the memory device. Read-only memory is useful for storing software that is rarely changed during the life of the system, also known as firmware.",
      "d3f:synonym": "Read-only Memory",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Read-only_memory",
      "rdfs:label": "ROM",
      "rdfs:subClassOf": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:RemoteResource",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a remote resource is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet.",
      "rdfs:label": "Remote Resource",
      "rdfs:seeAlso": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:AdaptiveResonanceTheoryClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ARTC",
      "d3f:definition": "Adaptive Resonance Theory (ART) Clustering is a neural network algorithm used for clustering data and is open to new learning (i.e. adaptive) without discarding the previous or the old information (i.e. resonance).",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). Adaptive Resonance Theory (ART). [Link](https://www.geeksforgeeks.org/adaptive-resonance-theory-art/)",
      "rdfs:label": "Adaptive Resonance Theory Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:CWE-1299",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1299",
      "rdfs:label": "Missing Protection Mechanism for Alternate Hardware Interface",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-288"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:Correlation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-COR",
      "d3f:definition": "Correlation is the degree to which two or more quantities are linearly associated.",
      "d3f:kb-article": "Wolfram MathWorld. (n.d.). Correlation. [Link](https://mathworld.wolfram.com/Correlation.html)",
      "rdfs:label": "Correlation",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Preventive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(1)"
    },
    {
      "@id": "d3f:CCI-001452_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-25T00:00:00"
      },
      "rdfs:label": "CCI-001452"
    },
    {
      "@id": "d3f:SuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Suspending a thread causes the thread to stop executing user-mode code.",
      "d3f:suspends": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Suspend Thread",
      "rdfs:seeAlso": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nc977260f004b4b7b83d54c4d2c566c84"
        }
      ]
    },
    {
      "@id": "_:Nc977260f004b4b7b83d54c4d2c566c84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:CWE-1302",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1302",
      "rdfs:label": "Missing Security Identifier",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1294"
      }
    },
    {
      "@id": "d3f:CWE-1298",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1298",
      "rdfs:label": "Hardware Logic Contains Race Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:Reference-BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5920699A"
      },
      "d3f:kb-abstract": "A network switch comprising a switching Application Specific Integrated Circuit (ASIC) and a Virtual Switching Engine (VSE) connected to a plurality of ports. The switching ASIC has a high-speed memory table which enables it to look up addresses that it has previously obtained and to forward unicast packets to said addresses. The VSE is a CPU that makes switching decisions outside of the ASIC and keeps track of any unknown addresses, forwarding the packets out the appropriate ports and answers broadcast packets by proxy for all known addresses without forwarding any of the packets down the VLANs, thereby freeing the VLAN bandwidth from excessive traffic. The system requires no user configuration because the switching methodology is self-adaptive to the network in which it is inserted and has the ability to perform router functions such as level 2 and 3 switching, spanning tree protocols and compatibility with Internetwork Packet and Internetwork Packet Exchange networks.",
      "d3f:kb-author": "Ballard C. Bare",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Hewlett Packard Enterprise Development LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:kb-reference-title": "Broadcast isolation and level 3 network switch",
      "rdfs:label": "Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LP"
    },
    {
      "@id": "d3f:CCI-000774_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000774"
    },
    {
      "@id": "d3f:CWE-645",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-645",
      "rdfs:label": "Overly Restrictive Account Lockout Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:CWE-307",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-307",
      "rdfs:label": "Improper Restriction of Excessive Authentication Attempts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-799"
        }
      ]
    },
    {
      "@id": "d3f:T1562.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562.006",
      "rdfs:label": "Indicator Blocking",
      "rdfs:subClassOf": {
        "@id": "d3f:T1562"
      }
    },
    {
      "@id": "d3f:Sensor",
      "@type": "owl:Class",
      "rdfs:label": "Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "d3f:DigitalArtifact"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001373_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001373"
    },
    {
      "@id": "d3f:Linux_Exit",
      "@type": "owl:Class",
      "d3f:definition": "Terminate the calling process.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/exit.2.html",
      "rdfs:label": "Linux _Exit",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITerminateProcess"
      }
    },
    {
      "@id": "d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180032728A1/en?oq=US20180032728-A1"
      },
      "d3f:kb-abstract": "The present disclosure relates to a system and method for monitoring system calls to an operating system kernel. A performance monitoring unit is used to monitor system calls and to gather information about each system call. The information is gathered upon interrupting the system call and can include system call type, parameters, and information about the calling thread/process, in order to determine whether the system call was generated by malicious software code. Potentially malicious software code is nullified by a malicious code counter-attack module.",
      "d3f:kb-author": "Matthew D. Spisak",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring system calls to detect malicious software code. A system call monitoring module operates at the kernel level and traps system calls.\nMonitoring data includes:\n\n* information about the path to the file to be accessed by a system call.\n* the memory address or range of addresses to be accessed by a system call.\n* the context for the thread within the operating system that will be interrupted by a system call.\n* the type of system call information about the socket that is being used by the system call in order to send or receive data.\n* the history of system calls in order to monitor for specific sequences of system calls.\n* the frequency or periodicity of a particular system call or set of system calls.\n\nCaptured system call data is analyzed using data analysis algorithms such as machine learning algorithms, artificial intelligence algorithms, pattern recognition algorithms, or other known data analysis techniques. An alert is generated if it is likely that the system call was generated by malicious software code.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel",
      "rdfs:label": "Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Inc"
    },
    {
      "@id": "d3f:T1568",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1568",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "rdfs:label": "Dynamic Resolution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nd8e172e582f54644bc07aee1581196dd"
        }
      ]
    },
    {
      "@id": "_:Nd8e172e582f54644bc07aee1581196dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:RestoreSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RS",
      "d3f:definition": "Restoring software to a host.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Restore Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:N4ee15dc2bc8143ed819fc08fdf66cf24"
        }
      ]
    },
    {
      "@id": "_:N4ee15dc2bc8143ed819fc08fdf66cf24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:HomoglyphDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "d3f:d3fend-id": "D3-HD",
      "d3f:definition": "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.",
      "d3f:kb-article": "## How it works\nA homoglyph, in this context, is a deceptive string or word which looks like a trusted word, but is composed of different characters, for example: goooogle.com versus google.com. This is commonly found in phishing and typo squatting attacks where a human is exploited through a social engineering campaign.\n\n## Considerations\n* In very large environments, processing DNS queries can be computationally expensive due to the amount of traffic that is generated\n* Legitimate companies and products use non-dictionary words in their names that could result in many false positives",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc"
        }
      ],
      "rdfs:label": "Homoglyph Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "_:N82cb7828df4a48dbb8637b0f503e5ddf"
        },
        {
          "@id": "_:N13d0f8455d104abea00808938fc9df01"
        }
      ]
    },
    {
      "@id": "_:N82cb7828df4a48dbb8637b0f503e5ddf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N13d0f8455d104abea00808938fc9df01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://www.biometric-solutions.com/keystroke-dynamics.html"
      },
      "d3f:kb-abstract": "Keystroke dynamics or typing dynamics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric; this means that the biometric factor is 'something you do'.\n\nAlready during the second world war a technique known as The Fist of the Sender was used by military intelligence to distinguish based on the rhythm whether a morse code message was sent by ally or enemy. These days each household has at least one computer keyboard, making keystroke dynamics the easiest biometric solution to implement in terms of hardware.\n\nWith keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time.",
      "d3f:kb-author": "Biometric Solutions",
      "d3f:kb-organization": "Biometric Solutions",
      "d3f:kb-reference-of": {
        "@id": "d3f:InputDeviceAnalysis"
      },
      "d3f:kb-reference-title": "Keystroke Dynamics",
      "rdfs:label": "Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com"
    },
    {
      "@id": "d3f:CWE-294",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-294",
      "rdfs:label": "Authentication Bypass by Capture-replay",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:CCI-002531_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements underlying hardware separation mechanisms to facilitate process separation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002531"
    },
    {
      "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-03-002/"
      },
      "d3f:kb-abstract": "Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely. The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:\"\\<hostname\\>\" process call create \"\\<command line\\>\". It is possible to also connect via IP address, in which case the string \"\\<hostname\\>\" would instead look like IP Address.\n\nAlthough this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2016-03-002: Create Remote Process via WMIC",
      "rdfs:label": "Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions | No User or Process Identity",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "rdfs:label": "AC-24(2)"
    },
    {
      "@id": "d3f:T1087.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.001",
      "d3f:creates": {
        "@id": "d3f:LocalUserAccount"
      },
      "rdfs:label": "Local Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:Ndee510f384504eb6b75f7c16d6cac51a"
        }
      ]
    },
    {
      "@id": "_:Ndee510f384504eb6b75f7c16d6cac51a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:T1055.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.008",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Ptrace System Calls",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N531e795c700645cbb1710c4629646c73"
        }
      ]
    },
    {
      "@id": "_:N531e795c700645cbb1710c4629646c73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:accesses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x accesses y: A subject x takes the action of reading from, writing into, or executing the stored information in the object y. Reads, writes, and executes are specific cases of accesses.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02673854-n"
      },
      "rdfs:label": "accesses",
      "rdfs:range": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-access"
        }
      ]
    },
    {
      "@id": "d3f:T1087.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.004",
      "d3f:creates": {
        "@id": "d3f:CloudUserAccount"
      },
      "rdfs:label": "Cloud Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:N85d2b83222ee4a879aecb496b48e5ee5"
        }
      ]
    },
    {
      "@id": "_:N85d2b83222ee4a879aecb496b48e5ee5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:DataExchangeMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemMapping"
      ],
      "d3f:d3fend-id": "D3-DEM",
      "d3f:definition": "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:DataDependency"
      },
      "d3f:synonym": [
        "Data Flow Mapping",
        "Information Exchange Mapping"
      ],
      "rdfs:label": "Data Exchange Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:Nbe0e12738f1742d0b2602f7a8529e786"
        }
      ]
    },
    {
      "@id": "_:Nbe0e12738f1742d0b2602f7a8529e786",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DataDependency"
      }
    },
    {
      "@id": "d3f:CCI-001454_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001454"
    },
    {
      "@id": "d3f:Reference-SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170019425A1"
      },
      "d3f:kb-abstract": "Techniques for synchronizing a honey network configuration to reflect a target network environment are disclosed. In some embodiments, a system for synchronizing a honey network configuration to reflect a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual machine (VM) image library that includes one or more VM images; and a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target enterprise network using a VM image selected from the VM image library that is customized based on one or more attributes for a target device in the device profile data store.",
      "d3f:kb-author": "Taylor Ettema, Huagang Xie",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:IntegratedHoneynet"
      },
      "d3f:kb-reference-title": "Synchronizing a honey network configuration to reflect a target network environment",
      "rdfs:label": "Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:RankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RC",
      "d3f:definition": "A rank correlation is any of several statistics that measure an ordinal association—the relationship between rankings of different ordinal variables or different rankings of the same variable, where a \"ranking\" is the assignment of the ordering labels \"first\", \"second\", \"third\", etc. to different observations of a particular variable.",
      "d3f:kb-article": "Wikipedia. (n.d.). Rank correlation. [Link](https://en.wikipedia.org/wiki/Rank_correlation)",
      "rdfs:label": "Rank Correlation",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:CWE-168",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-168",
      "rdfs:label": "Improper Handling of Inconsistent Special Elements",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:SystemFirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FirmwareVerification"
      ],
      "d3f:d3fend-id": "D3-SFV",
      "d3f:definition": "Cryptographically verifying installed system firmware integrity.",
      "d3f:kb-article": "## How it works\nCryptographic hash values are computed for system firmware. The hash values are compared against precomputed firmware hash values to determine if the firmware has been tampered with.\n\nWhen system firmware verification fails a set of predefined responses is typically invoked. The responses may direct the system to disable some devices or operations.\n\n## Considerations\n* Requires the use of system provided security modules\n* Secure hash values will need to be computed for firmware",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "System Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "_:N662e4ebfe3fb4956ab926fc290d28d63"
        }
      ]
    },
    {
      "@id": "_:N662e4ebfe3fb4956ab926fc290d28d63",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:CWE-1190",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1190",
      "rdfs:label": "DMA Device Enabled Too Early in Boot Phase",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-696"
      }
    },
    {
      "@id": "d3f:MultipleRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MR",
      "d3f:definition": "Multiple (linear) regression attempts to model the relationship between two or more explanatory variables and a response variable by fitting a linear equation to observed data.",
      "d3f:kb-article": "## References\nYale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)",
      "d3f:synonym": "Multiple Linear Regression",
      "rdfs:label": "Multiple Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCMFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCM File"
    },
    {
      "@id": "d3f:CCI-002201_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002201"
    },
    {
      "@id": "d3f:CWE-778",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-778",
      "rdfs:label": "Insufficient Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-223"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:Reference-RPCCallInterception_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150163109"
      },
      "d3f:kb-abstract": "A service proxy is described herein. The service proxy is configured to act as an intermediary between a client and a service. The service proxy may observe communications, modify communications, log communications, or the like, particularly so as to enhance the security and reliability of the host device. In some implementations, the service proxy may cooperate with an operating system to take over a named port object. In some implementations, the service proxy may receive messages as an intermediary between the client and the server. In some implementations, the service proxy may attach to a shared memory to intercept communications. In some implementations, the service proxy may be injected into a client process to appear to be the client itself.",
      "d3f:kb-author": "Ion-Alexandru Ionescu",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "RPC call interception",
      "rdfs:label": "Reference - RPC call interception - Crowdstrike Inc"
    },
    {
      "@id": "d3f:Reference-FirmwareBehaviorAnalysisConFirm",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://sites.nyuad.nyu.edu/moma/pdfs/pubs/C22.pdf"
      },
      "d3f:kb-abstract": "The modernization of various critical infrastructure components has dictated the use of microprocessor-based embedded control systems in critical applications. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded devices. Furthermore, as software relies on the firmware for proper operation, no software-level technique can detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded systems by measuring the number of low-level hardware events that occur during the execution of the firmware.",
      "d3f:kb-author": "Xueyang Wang, Charalambos Konstantinou, Michail Maniatakos, Ramesh Karri",
      "d3f:kb-organization": "Department of Electrical and Computer Engineering, Polytechnic School of Engineering, New York University and Department of Electrical and Computer Engineering, New York University Abu Dhabi",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareBehaviorAnalysis"
      },
      "d3f:kb-reference-title": "ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters",
      "rdfs:label": "Reference - Firmware Behavior Analysis ConFirm"
    },
    {
      "@id": "d3f:High-dimensionClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HDC",
      "d3f:definition": "The cluster analysis of data with anywhere from a few dozen to many thousands of dimensions.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Clustering high-dimensional data. [Link](https://en.wikipedia.org/wiki/Clustering_high-dimensional_data)",
      "rdfs:label": "High-dimension Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-1334",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1334",
      "rdfs:label": "Unauthorized Error Injection Can Degrade Hardware Redundancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1222.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1222.002",
      "rdfs:label": "Linux and Mac File and Directory Permissions Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1222"
      }
    },
    {
      "@id": "d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170310689A1"
      },
      "d3f:kb-abstract": "A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.",
      "d3f:kb-author": "Shlomo Touboul; Hanan Levin; Stephane Roubach; Assaf Mischari; Itai Ben David; Itay Avraham; Adi Ozer; Chen Kazaz; Ofer Israeli; Olga Vingurt; Liad Gareh; Israel Grimberg; Cobby Cohen; Sharon Sultan; Matan Kubovsky",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Illusive Networks Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Automatically generating network resource groups and assigning customized decoy policies thereto",
      "rdfs:label": "Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltd"
    },
    {
      "@id": "_:N7e70a6265c2f4247909a73923c3862b6",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:D3FENDUseCase"
          },
          {
            "@id": "d3f:TargetAudience"
          },
          {
            "@id": "d3f:UseCaseGoal"
          },
          {
            "@id": "d3f:UseCasePrerequisite"
          },
          {
            "@id": "d3f:UseCaseProcedure"
          },
          {
            "@id": "d3f:UseCaseStep"
          }
        ]
      }
    },
    {
      "@id": "d3f:DynamicAnalysisTool",
      "@type": "owl:Class",
      "d3f:definition": "Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Dynamic_program_analysis"
      },
      "rdfs:label": "Dynamic Analysis Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:CodeAnalyzer"
      }
    },
    {
      "@id": "d3f:MultipleRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MRL",
      "d3f:definition": "A supervised learning method that builds a multiple regression model using training data.",
      "d3f:kb-article": "## References\nYale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)",
      "rdfs:label": "Multiple Regression Learning",
      "rdfs:seeAlso": "http://d3fend.mitre.org/ontologies/d3fend.owl#MultipleRegression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:CCI-001427_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system allows authorized users to associate security attributes with information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001427"
    },
    {
      "@id": "d3f:Reference-CAR-2020-05-003%3ARareLolBASCommandLines_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-05-003/"
      },
      "d3f:kb-abstract": "LoLBAS are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they’re used (this would depend on your environment), but many others are very common and can’t be simply alerted on.\n\nThis analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives.\n\nThe analytic needs to be tuned. The 1.5 in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-05-003: Rare LolBAS Command Lines",
      "rdfs:label": "Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITRE"
    },
    {
      "@id": "d3f:CWE-1067",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1067",
      "rdfs:label": "Excessive Execution of Sequential Searches of Data Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:TFTPNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "TFTP Network Traffic is network traffic typically used to automatically transfer configuration or boot files between machines.",
      "rdfs:label": "TFTP Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:RadioModem",
      "@type": "owl:Class",
      "d3f:definition": "A radio modem provides the means to send digital data wirelessly.  Radio modems are used to communicate by direct broadcast satellite, WiFi, WiMax, mobile phones, GPS, Bluetooth and NFC. Modern telecommunications and data networks also make extensive use of radio modems where long distance data links are required. Such systems are an important part of the PSTN, and are also in common use for high-speed computer network links to outlying areas where fiber optic is not economical.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Radio"
      },
      "rdfs:label": "Radio Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-12-001/"
      },
      "d3f:kb-abstract": "Adversaries can use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by CAR-2014-11-007. After the WMI connection has been initialized, a process can be remotely launched using the command: wmic /node:\"<hostname>\" process call create \"<command line>\", which is detected via CAR-2016-03-002.\n\nThis leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.\n\nAfter RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.\n\nWhen the command line is executed, it has the parent process of C:\\windows\\system32\\wbem\\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessLineageAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2014-12-001: Remotely Launched Executables via WMI",
      "rdfs:label": "Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE"
    },
    {
      "@id": "d3f:AccessControlConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information about what access permissions are granted to particular users for particular objects",
      "rdfs:label": "Access Control Configuration",
      "rdfs:seeAlso": {
        "@id": "dbr:Access-control_list"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:JavascriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Javascript File"
    },
    {
      "@id": "d3f:CWE-820",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-820",
      "rdfs:label": "Missing Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:Reference-Windows-Management-Instrumentation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Windows Management Instrumentation",
      "rdfs:label": "Reference - Windows Management Instrumentation (WMI)"
    },
    {
      "@id": "d3f:CWE-329",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-329",
      "rdfs:label": "Generation of Predictable IV with CBC Mode",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1204"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6615358B1"
      },
      "d3f:kb-abstract": "The present invention is a device for and method of accessing an information network by initializing a database, an ATM approved list, an IP approved list, and an IP disapproved list; receiving a datagram; discarding the datagram if it is not on the ATM approved list; determining the datagram's type; allowing access to the network and comparing the connection request, if any, to the database if the datagram is ATM signaling; discarding the datagram if the datagram is ATM signaling and the database denies the request; adding the request to the ATM approved list if the datagram is ATM signaling and the database allows the request; allowing access to the network if the datagram is ATM data that excludes IP data and the request is on the ATM approved list; computing a flow tag if the datagram is ATM data that includes IP data; discarding the datagram if the flow tag is on the IP disapproved list; allowing access to the network if the flow tag is on the IP approved list; comparing the flow tag to the database if the flow tag is neither on the IP approved list nor on the IP disapproved list; discarding the datagram and adding the flow tag to the IP disapproved list if the database rejects the flow tag; and allowing access to the network and adding the flow tag to the corresponding approved list if the database accepts the flow tag; and performing these steps on the next datagram",
      "d3f:kb-author": "Patrick W. Dowd, John T. McHenry",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network",
      "rdfs:label": "Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency"
    },
    {
      "@id": "d3f:Reference-Securing_Web_Transactions__TLS_Server_Certificate_Management_Appendix_A_Passive_Inspection",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nccoe.nist.gov/publication/1800-16/VolD/vol-d-appendix.html"
      },
      "d3f:kb-abstract": "The example implementation demonstrates the ability to perform passive inspection of encrypted TLS connections. The question of whether or not to perform such an inspection is complex. There are important tradeoffs between traffic security and traffic visibility that each organization should consider. Some organizations prefer to decrypt internal TLS traffic, so it can be inspected to detect attacks that may be hiding within encrypted connections. Such inspection can detect intrusion, malware, and fraud, and can conduct troubleshooting, forensics, and performance monitoring. For these organizations, TLS inspection may serve as both a standard practice and a critical component of their threat detection and service assurance strategies.",
      "d3f:kb-author": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection",
      "rdfs:label": "Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection"
    },
    {
      "@id": "d3f:Hybrid-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HBTL",
      "d3f:definition": "This method creates an asymmetric mapping from the target to the source and takes into account bias issues of cross-domain correspondences.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Hybrid-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:UtilitySoftware",
      "@type": "owl:Class",
      "d3f:definition": "Utility applications are software applications designed to help to analyze, configure, optimize or maintain a computer. It is used to support the computer infrastructure - in contrast to application software, which is aimed at directly performing tasks that benefit ordinary users. However, utilities often form part of the application systems. For example, a batch job may run user-written code to update a database and may then include a step that runs a utility to back up the database, or a job may run a utility to compress a disk before copying files.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Utility_software"
      },
      "rdfs:label": "Utility Software",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      },
      "skos:altLabel": "Utility Application"
    },
    {
      "@id": "d3f:M1047",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "M1047 scope is broad, touches on an wide variety of techniques in d3fend.",
      "d3f:related": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemFileAnalysis"
        }
      ],
      "rdfs:label": "Audit"
    },
    {
      "@id": "d3f:CCI-001662_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001662"
    },
    {
      "@id": "d3f:CWE-785",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-785",
      "rdfs:label": "Use of Path Manipulation Function without Maximum-sized Buffer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-120"
        },
        {
          "@id": "d3f:CWE-676"
        }
      ]
    },
    {
      "@id": "d3f:T1555.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:In-memoryPasswordStore"
      },
      "d3f:attack-id": "T1555.002",
      "rdfs:label": "Securityd Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:Nc6d57a59f286446a841154024e3a194f"
        }
      ]
    },
    {
      "@id": "_:Nc6d57a59f286446a841154024e3a194f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:In-memoryPasswordStore"
      }
    },
    {
      "@id": "d3f:ExpectedErrorReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EER",
      "d3f:definition": "Expected Error Reduction (EER) follows similar ideas as EMC, but again looks at the model output instead of the model itself and also takes the other data into account. In particular, a sample x is considered useful, if we can expect that knowing the label will reduce the future error on unseen samples",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Expected Error Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1090.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.001",
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Internal Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:Nfb9e538a4bda4f21b3c0c07a59071019"
        }
      ]
    },
    {
      "@id": "_:Nfb9e538a4bda4f21b3c0c07a59071019",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1130",
      "@type": "owl:Class",
      "d3f:attack-id": "T1130",
      "rdfs:label": "Install Root Certificate",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:LinuxOpenArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/open.2.html",
      "rdfs:label": "Linux Open Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:Variability",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VAR",
      "d3f:definition": "Dispersion (also called variability, scatter, or spread) is the extent to which a distribution is stretched or squeezed. A measure of statistical dispersion is a nonnegative real number that is zero if all the data are the same and increases as the data become more diverse.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical dispersion. [Link](https://en.wikipedia.org/wiki/Statistical_dispersion)",
      "rdfs:label": "Variability",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "System Monitoring | Automated Tools and Mechanisms for Real-time Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SI-4(2)"
    },
    {
      "@id": "d3f:CWE-583",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-583",
      "rdfs:label": "finalize() Method Declared Public",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:PrivateKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key.",
      "rdfs:label": "Private Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AsymmetricKey"
      }
    },
    {
      "@id": "d3f:LinuxUnlinkat",
      "@type": "owl:Class",
      "d3f:definition": "Delete a name and possibly the file it refers to. Different parameter handling than Linux Unlink",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/unlinkat.2.html",
      "rdfs:label": "Linux Unlinkat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:ApproximateStringMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ASM",
      "d3f:definition": "Approximate string matching is a form of string matching that allows errrors.",
      "d3f:kb-article": "## References\n1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)",
      "rdfs:label": "Approximate String Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:CWE-1113",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1113",
      "rdfs:label": "Inappropriate Comment Style",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:M1024",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "rdfs:label": "Restrict Registry Permission"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Privileged Access",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "RA-5(5)"
    },
    {
      "@id": "d3f:CWE-1108",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1108",
      "rdfs:label": "Excessive Reliance on Global Variables",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:CWE-805",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-805",
      "rdfs:label": "Buffer Access with Incorrect Length Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:T1001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1001",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Data Obfuscation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Ne6784a860d694ce0accebb8857c5fad2"
        }
      ]
    },
    {
      "@id": "_:Ne6784a860d694ce0accebb8857c5fad2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1070.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.004",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "d3f:may-modify": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File Deletion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N2002872b757d41caaf9cb33a1768f8ef"
        },
        {
          "@id": "_:Nfb225b9289804e6b9610e408f96da2d0"
        }
      ]
    },
    {
      "@id": "_:N2002872b757d41caaf9cb33a1768f8ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Nfb225b9289804e6b9610e408f96da2d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-81",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-81",
      "rdfs:label": "Improper Neutralization of Script in an Error Message Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:SoftwareProduct",
      "@type": "owl:Class",
      "rdfs:label": "Software Product",
      "rdfs:subClassOf": {
        "@id": "d3f:Product"
      },
      "skos:altLabel": "SaaP"
    },
    {
      "@id": "d3f:CWE-642",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-642",
      "rdfs:label": "External Control of Critical State Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:T1547.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.004",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Winlogon Helper DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N75b5147f90ef44c79413213950544451"
        }
      ]
    },
    {
      "@id": "_:N75b5147f90ef44c79413213950544451",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-546",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-546",
      "rdfs:label": "Suspicious Comment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-1088",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1088",
      "rdfs:label": "Synchronous Access of Remote Resource without Timeout",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:CWE-605",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-605",
      "rdfs:label": "Multiple Binds to the Same Port",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-666"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
      },
      "d3f:version": 4,
      "rdfs:label": "NIST SP 800-53 R4",
      "rdfs:seeAlso": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22"
    },
    {
      "@id": "d3f:CWE-160",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-160",
      "rdfs:label": "Improper Neutralization of Leading Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:MemoryWord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A memory word is the natural unit of data used by a particular computer processor design; a fixed-size piece of data handled as a unit by the instruction set or the hardware of the processor.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Word_(computer_architecture)",
      "rdfs:label": "Memory Word",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryExtent"
      }
    },
    {
      "@id": "d3f:owns",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x owns y: The subject x has ownership or possession of some object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02209474-v"
      },
      "rdfs:label": "owns",
      "rdfs:seeAlso": {
        "@id": "dbr:Ownership"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "possesses"
    },
    {
      "@id": "d3f:CWE-242",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-242",
      "rdfs:label": "Use of Inherently Dangerous Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1177"
      }
    },
    {
      "@id": "d3f:CWE-1070",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1070",
      "rdfs:label": "Serializable Data Element Containing non-Serializable Item Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-000047_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000047"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9807114B2/en?oq=US-9807114-B2"
      },
      "d3f:kb-abstract": "A system for identifying the presence of advanced persistent threats on a network including a plurality of resources, interconnected to form a network, at least one decoy resource, at least one mini-trap installed on at least one of the plurality of resources and functionally associated with at one of the at least one decoy resource, the at least one mini-trap comprising deceptive information directing malware accessing the at least one mini-trap to the decoy resource associated therewith, and a manager node forming part of the network, locally or remotely, and configured to manage placement of the at least one mini-trap on the at least one of the plurality of resources and association between the at least one mini-trap and the decoy resource associated therewith.",
      "d3f:kb-author": "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai",
      "d3f:kb-mitre-analysis": "Questionable or all files (as determined by the enterprise) are forwarded to the decoy network. Using a manager node user interface, you can setup fake information (ex. IP address of a decoy FTP server)\nand deploy decoy physical or virtual endpoints.",
      "d3f:kb-organization": "Fidelis Cybersecurity Solutions Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoyNetworkResource"
        },
        {
          "@id": "d3f:DecoyUserCredential"
        }
      ],
      "d3f:kb-reference-title": "System and method for identifying the presence of malware using mini-traps set at network endpoints",
      "rdfs:label": "Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"
    },
    {
      "@id": "d3f:IntrusionDetectionSystem",
      "@type": "owl:Class",
      "d3f:definition": "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Intrusion_detection_system"
      },
      "rdfs:label": "Intrusion Detection System",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "IDS"
    },
    {
      "@id": "d3f:WebAPIResource",
      "@type": "owl:Class",
      "d3f:definition": "A web API resource is an API resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web API Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:WebResource"
      }
    },
    {
      "@id": "d3f:WirelessAccessPoint",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a wireless access point (WAP), or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself. An AP is differentiated from a hotspot which is a physical location where Wi-Fi access is available.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Wireless_access_point"
      },
      "rdfs:label": "Wireless Access Point",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkNode"
        },
        {
          "@id": "d3f:RFTransceiver"
        }
      ],
      "skos:altLabel": "WAP"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-14",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Signed Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:MessageAuthentication"
        }
      ],
      "rdfs:label": "CM-14"
    },
    {
      "@id": "d3f:CWE-636",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-636",
      "rdfs:label": "Not Failing Securely ('Failing Open')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:T1037.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.003",
      "d3f:definition": "Group Policy Object / Active Directory Users and Computers are both Active Directory-based",
      "d3f:modifies": {
        "@id": "d3f:NetworkInitScriptFileResource"
      },
      "rdfs:label": "Network Logon Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N06c359d75ea241179ed7478b0530981c"
        }
      ]
    },
    {
      "@id": "_:N06c359d75ea241179ed7478b0530981c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkInitScriptFileResource"
      }
    },
    {
      "@id": "d3f:CWE-1331",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1331",
      "rdfs:label": "Improper Isolation of Shared Resources in Network On Chip (NoC)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-653"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:T1036.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.003",
      "d3f:may-create": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemExecutableFile"
      },
      "rdfs:label": "Rename System Utilities",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N352b656309c64432987600cb71fdd984"
        },
        {
          "@id": "_:Nb7bed02dfb3948a78c75c5b1c30797e6"
        }
      ]
    },
    {
      "@id": "_:N352b656309c64432987600cb71fdd984",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nb7bed02dfb3948a78c75c5b1c30797e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemExecutableFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        }
      ],
      "rdfs:label": "AC-3"
    },
    {
      "@id": "d3f:CWE-325",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-325",
      "rdfs:label": "Missing Cryptographic Step",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:CCI-001233_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001233"
    },
    {
      "@id": "d3f:Reference-AccessPermissionModification_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-07-001/"
      },
      "d3f:kb-abstract": "Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-07-001: Access Permission Modification",
      "rdfs:label": "Reference - CAR-2019-07-001: Access Permission Modification - MITRE"
    },
    {
      "@id": "d3f:DecoyUserCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DUC",
      "d3f:definition": "A Credential created for the purpose of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nA detection analytic is developed to determine when a user uses decoy credentials. Subsequent actions by that user may be monitored or controlled by the defender.\n\nA credential may be:\n * Domain username and password\n * Local system username and password\n\n## Considerations\n* Decoy credentials should be integrated with a larger decoy environment to ensure that when decoy credentials are compromised, the credentials are used to interact with a decoy asset that is being monitored.\n* Continuous maintenance and updates are needed to ensure the legitimacy of the larger decoy environment and specifically the assets that utilize the decoy credentials.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc"
        },
        {
          "@id": "d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Decoy User Credential",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Nb3ec08b3c59c4fa3957d9635661df119"
        }
      ]
    },
    {
      "@id": "_:Nb3ec08b3c59c4fa3957d9635661df119",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:FileSystemMetadata",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Metadata about the files and directories in a file system.  For example file name, file length, time modified, group and user ids, and other file attributes.",
      "rdfs:label": "File System Metadata",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/File_system#Metadata"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Metadata"
      }
    },
    {
      "@id": "d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8869308B2/en"
      },
      "d3f:kb-abstract": "A secure motherboard for a computer, wherein each user accessible peripheral port is protected by hardware based peripheral protection circuitry soldered to the motherboard.",
      "d3f:kb-author": "Aviv Soffer",
      "d3f:kb-organization": "High Sec Labs Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Computer motherboard having peripheral security functions",
      "rdfs:label": "Reference - Computer motherboard having peripheral security functions"
    },
    {
      "@id": "d3f:T1583.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.001",
      "rdfs:label": "Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:DigitalEvent",
      "@type": "owl:Class",
      "rdfs:label": "Digital Event",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "d3f:control-name": "Risk Assessment | Dynamic Threat Awareness",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "RA-3(3)"
    },
    {
      "@id": "d3f:CWE-1052",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1052",
      "rdfs:label": "Excessive Use of Hard-Coded Literals in Initialization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Signed Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(3)"
    },
    {
      "@id": "d3f:CWE-301",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-301",
      "rdfs:label": "Reflection Attack in an Authentication Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:CWE-640",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-640",
      "rdfs:label": "Weak Password Recovery Mechanism for Forgotten Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:CCI-002179_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002179"
    },
    {
      "@id": "d3f:CCI-001749_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001749"
    },
    {
      "@id": "d3f:T1213",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:attack-id": "T1213",
      "rdfs:label": "Data from Information Repositories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N25b5af562dca409ab816f769f10efa5b"
        }
      ]
    },
    {
      "@id": "_:N25b5af562dca409ab816f769f10efa5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:Reference-Squiblydoo_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-003/"
      },
      "d3f:kb-abstract": "Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which executes the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-003: Squiblydoo",
      "rdfs:label": "Reference - CAR-2019-04-003: Squiblydoo - MITRE"
    },
    {
      "@id": "d3f:Artifact",
      "@type": "owl:Class",
      "d3f:definition": [
        {
          "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/Artifact"
        },
        "A man-made object taken as a whole."
      ],
      "rdfs:label": "Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "http://d3fend.mitre.org/ontologies/d3fend.owl"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00022119-n"
        },
        "Asset"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CCI-001237_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001237"
    },
    {
      "@id": "d3f:CWE-649",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-649",
      "rdfs:label": "Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:T1069.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.003",
      "rdfs:label": "Cloud Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:has-dependent",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-dependent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Storage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Computer data storage, often called storage or memory, is a technology consisting of computer components and recording media used to retain digital data. It is a core function and fundamental component of computers. In the Von Neumann architecture, the CPU consists of two main parts: The control unit and the arithmetic / logic unit (ALU). The former controls the flow of data between the CPU and memory, while the latter performs arithmetic and logical operations on data.",
      "d3f:may-contain": {
        "@id": "d3f:FileSystem"
      },
      "d3f:synonym": [
        "Storage",
        "Computer data storage"
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_data_storage"
      },
      "rdfs:label": "Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N533b0de249b74020a35165a2326e3fb0"
        }
      ]
    },
    {
      "@id": "_:N533b0de249b74020a35165a2326e3fb0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystem"
      }
    },
    {
      "@id": "d3f:RegSetValueExW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:T1564.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.003",
      "d3f:may-modify": [
        {
          "@id": "d3f:PropertyListFile"
        },
        {
          "@id": "d3f:SystemConfigurationDatabase"
        }
      ],
      "rdfs:label": "Hidden Window",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N149a3aa35c12495badd7fcc1dfa3e55d"
        },
        {
          "@id": "_:Nb83ef7d092c04c039145ef5002c5849b"
        }
      ]
    },
    {
      "@id": "_:N149a3aa35c12495badd7fcc1dfa3e55d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:Nb83ef7d092c04c039145ef5002c5849b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:ApplicationConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the parameters and initial settings for an application.",
      "rdfs:label": "Application Configuration",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05739724-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:CWE-926",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-926",
      "rdfs:label": "Improper Export of Android Application Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:OutboundInternetDNSLookupTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet DNS lookup traffic is network traffic using the DNS protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "d3f:may-contain": {
        "@id": "d3f:DNSLookup"
      },
      "rdfs:label": "Outbound Internet DNS Lookup Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "_:Nd6d5c56858fc4f40b1577cb35f921d91"
        }
      ]
    },
    {
      "@id": "_:Nd6d5c56858fc4f40b1577cb35f921d91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:OperatingSystemConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the services, parameters, and initial settings for an operating system.",
      "rdfs:label": "Operating System Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:T1612",
      "@type": "owl:Class",
      "d3f:attack-id": "T1612",
      "rdfs:label": "Build Image on Host",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:has-procedure",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-procedure",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-general-object-property"
      }
    },
    {
      "@id": "d3f:CCI-000017_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically disables inactive accounts after an organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000017"
    },
    {
      "@id": "d3f:CWE-1121",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1121",
      "rdfs:label": "Excessive McCabe Cyclomatic Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:DataArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A data artifact server provides access services to content in a content repository.  The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface.",
      "rdfs:label": "Data Artifact Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Content_repository"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ArtifactServer"
      }
    },
    {
      "@id": "d3f:has-link",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x has-link y: The d3fend analysis x has the link y.",
      "rdfs:label": "has-link",
      "rdfs:range": {
        "@id": "xsd:anyURI"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:T1564.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.010",
      "rdfs:label": "Process Argument Spoofing",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:CWE-1251",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1251",
      "rdfs:label": "Mirrored Regions with Different Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1250"
      }
    },
    {
      "@id": "d3f:CWE-781",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-781",
      "rdfs:label": "Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1285"
      }
    },
    {
      "@id": "d3f:T1552.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:GroupPolicy"
      },
      "d3f:attack-id": "T1552.006",
      "rdfs:label": "Group Policy Preferences",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N541112f7ddd94862b930e2a19942c2e4"
        }
      ]
    },
    {
      "@id": "_:N541112f7ddd94862b930e2a19942c2e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:T1599.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1599.001",
      "rdfs:label": "Network Address Translation Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:T1599"
      }
    },
    {
      "@id": "d3f:CCI-002282_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the association of organization-defined security attributes to organization-defined objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002282"
    },
    {
      "@id": "d3f:NumericPatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NPM",
      "d3f:definition": "Numeric pattern matching uses a pattern specification and sees if the numeric value matches that pattern--simple forms include exact matching and range matching.",
      "rdfs:label": "Numeric Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PatternMatching"
      }
    },
    {
      "@id": "d3f:FileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:analyzes": {
        "@id": "d3f:File"
      },
      "d3f:d3fend-id": "D3-FA",
      "d3f:definition": "File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\nSome techniques use file signatures or file metadata to compare against historical collections of malware. Files may also be compared against a source of ground truth such as cryptographic signatures. Files may be examined for potential malware using pattern matching against file contents/file behavior. Binary code may be disassembled and analyzed for predictive malware behavior, such as API call signatures. Analysis might occur within a protected environment such as a sandbox or live system.",
      "rdfs:label": "File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nc83b682783db45eba0fd6108e97837b2"
        },
        {
          "@id": "_:N17e8bf7c26d64c0091f83f9ef2fe9742"
        }
      ]
    },
    {
      "@id": "_:Nc83b682783db45eba0fd6108e97837b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N17e8bf7c26d64c0091f83f9ef2fe9742",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:T1222.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1222.001",
      "rdfs:label": "Windows File and Directory Permissions Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1222"
      }
    },
    {
      "@id": "d3f:CWE-432",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-432",
      "rdfs:label": "Dangerous Signal Handler not Disabled During Sensitive Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:CCI-002165_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined discretionary access control policies over defined subjects and objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002165"
    },
    {
      "@id": "d3f:T1137.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.004",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      },
      "rdfs:label": "Outlook Home Page",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N77ba5ab91422453b9a3c04738047f7e0"
        }
      ]
    },
    {
      "@id": "_:N77ba5ab91422453b9a3c04738047f7e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CWE-1320",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1320",
      "rdfs:label": "Improper Protection for Outbound Error Messages and Alert Signals",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-134",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-134",
      "rdfs:label": "Use of Externally-Controlled Format String",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:has-feature",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-feature",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:BrowserExtension",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A browser extension is a plug-in that extends the functionality of a web browser in some way. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Browser extensions can change the user interface of the web browser without directly affecting viewable content of a web page; for example, by adding a \"toolbar.\"",
      "d3f:extends": {
        "@id": "d3f:Browser"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Browser_extension"
      },
      "rdfs:label": "Browser Extension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserApplication"
        },
        {
          "@id": "_:Na56943a6134e4e98838f3d1461b19031"
        }
      ]
    },
    {
      "@id": "_:Na56943a6134e4e98838f3d1461b19031",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:extends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Browser"
      }
    },
    {
      "@id": "d3f:T1160",
      "@type": "owl:Class",
      "d3f:attack-id": "T1160",
      "rdfs:label": "Launch Daemon",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Persistence",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 3,
      "rdfs:label": "Persistence",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-732",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-732",
      "rdfs:label": "Incorrect Permission Assignment for Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:T1583.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.005",
      "rdfs:label": "Botnet",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:T1596.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.005",
      "rdfs:label": "Scan Databases",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:CCI-001086_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001086"
    },
    {
      "@id": "d3f:T1608.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.001",
      "rdfs:label": "Upload Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:NetworkVulnerabilityAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkMapping"
      ],
      "d3f:d3fend-id": "D3-NVA",
      "d3f:definition": "Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.",
      "d3f:evaluates": {
        "@id": "d3f:Network"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "rdfs:label": "Network Vulnerability Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:Na1c5f03e1b7946858fa63fc49bab3c0d"
        },
        {
          "@id": "_:Nb7be190b0b0c4c95a4caf5af2dc3d0b9"
        }
      ]
    },
    {
      "@id": "_:Na1c5f03e1b7946858fa63fc49bab3c0d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "_:Nb7be190b0b0c4c95a4caf5af2dc3d0b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:T1003.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.006",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "DCSync",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N9b58ebd127df4665860d5b433c2c5676"
        },
        {
          "@id": "_:Ne78dfdeca7264763ace83ca7fb07537e"
        }
      ]
    },
    {
      "@id": "_:N9b58ebd127df4665860d5b433c2c5676",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:Ne78dfdeca7264763ace83ca7fb07537e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:AssetInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-AI",
      "d3f:definition": "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.",
      "d3f:display-order": 1,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "d3f:synonym": [
        "Asset Discovery",
        "Asset Inventorying"
      ],
      "rdfs:label": "Asset Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N11bf927a9ac54d6aba22a1ee67e9999a"
        }
      ]
    },
    {
      "@id": "_:N11bf927a9ac54d6aba22a1ee67e9999a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:SystemConfigSystemCall",
      "@type": "owl:Class",
      "rdfs:label": "System Config System Call",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:FileSystemSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects files and file metadata on an endpoint.",
      "d3f:monitors": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File System Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N18a2c7da445741e0bf60fdf87771cef5"
        }
      ]
    },
    {
      "@id": "_:N18a2c7da445741e0bf60fdf87771cef5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:control-name": "Account Management | Dynamic Privilege Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(6)"
    },
    {
      "@id": "d3f:ConsoleOutputFunction",
      "@type": "owl:Class",
      "d3f:definition": "Outputs characters to a computer console.",
      "rdfs:label": "Console Output Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-04-001%3AShadowCopyDeletion_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-04-001/"
      },
      "d3f:kb-abstract": "The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.\n\nAdversaries may delete these shadow copies, typically through the usage of system utilities such as vssadmin.exe or wmic.exe, in order to prevent file and data recovery. This technique is commonly employed for this purpose by ransomware.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-04-001: Shadow Copy Deletion",
      "rdfs:label": "Reference - CAR-2020-04-001: Shadow Copy Deletion - MITRE"
    },
    {
      "@id": "d3f:display-priority",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "display-priority",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:T1213.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1213.003",
      "d3f:reads": {
        "@id": "d3f:CodeRepository"
      },
      "rdfs:label": "Code Repositories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:Nc7ed4475b6db43839e8a38b18c367c80"
        }
      ]
    },
    {
      "@id": "_:Nc7ed4475b6db43839e8a38b18c367c80",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CodeRepository"
      }
    },
    {
      "@id": "d3f:CWE-597",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-597",
      "rdfs:label": "Use of Wrong Operator in String Comparison",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-480"
        },
        {
          "@id": "d3f:CWE-595"
        }
      ]
    },
    {
      "@id": "d3f:CredentialHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-CH",
      "d3f:definition": "Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "rdfs:label": "Credential Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nb1d727fce8b44313b2f21e5dee8000b7"
        }
      ]
    },
    {
      "@id": "_:Nb1d727fce8b44313b2f21e5dee8000b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:CWE-99",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-99",
      "rdfs:label": "Improper Control of Resource Identifiers ('Resource Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:ApplicationInventorySensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects information on applications on an endpoint.",
      "d3f:monitors": {
        "@id": "d3f:Application"
      },
      "rdfs:label": "Application Inventory Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:Nf3379ba1eb3741a18b8161a6779e8bcc"
        }
      ]
    },
    {
      "@id": "_:Nf3379ba1eb3741a18b8161a6779e8bcc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:KernelProcessTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A data structure in the kernel which is a table containing all of the information that must be saved when the CPU switches from running one process to another in a multitasking system. It allows the operating system to track the execution status of every process. For every process managed by the kernel, there is a process control block (PCB) in the process table.",
      "rdfs:isDefinedBy": {
        "@id": "https://encyclopedia2.thefreedictionary.com/process+table"
      },
      "rdfs:label": "Kernel Process Table",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Process_(computing)"
        },
        {
          "@id": "https://www.geeksforgeeks.org/process-table-and-process-control-block-pcb/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9407647B2/en?oq=US-9407647-B2"
      },
      "d3f:kb-abstract": "A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; Ryan James PRENGER",
      "d3f:kb-mitre-analysis": "This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions where the external host controls the internal host in the opposite direction from the one in which the session was initiated. The number of rapid-exchange communication instances (i.e., communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances, are analyzed to determine if an external human actor is manually controlling the internal host.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting external control of compromised hosts",
      "rdfs:label": "Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:Reference-SNMPNetworkAutoDiscovery",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.device42.com/auto-discovery/network-auto-discovery/"
      },
      "d3f:kb-abstract": "SNMP, or Simple Network Management Protocol, is a protocol and a standard that is supported by just about any managed network-connected hardware. There are three widely deployed versions: SNMP v1, v2c (most commonly used), and v3. SNMP is typically utilized read-only, but supports read/write, and by default utilizes port 161. SNMP exposes management data in the form of ‘variables’, which are organized in what is known as a MIB, or “Management Information Base”. A MIB essentially describes the variables available on a given system, each of which can be remotely queried via SNMP.",
      "d3f:kb-organization": "Device 42",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActiveLogicalLinkMapping"
      },
      "d3f:kb-reference-title": "SNMP - Network Auto Discovery",
      "rdfs:label": "Reference - SNMP - Network Auto-Discovery"
    },
    {
      "@id": "d3f:T1134.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.005",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "SID-History Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:Nedd25fd871914e50b5a2aa64773b21f2"
        }
      ]
    },
    {
      "@id": "_:Nedd25fd871914e50b5a2aa64773b21f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120054825"
      },
      "d3f:kb-abstract": "A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.",
      "d3f:kb-author": "Charles D. Bassett; Eran Yariv; Ian M. Carbaugh; Lokesh Srinivas Koppolu; Maksim Noy; Sarah A. Wahlert; Pradeep Bahl",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:kb-reference-title": "Automatically generating rules for connection security",
      "rdfs:label": "Reference - Automatically generating rules for connection security - Microsoft"
    },
    {
      "@id": "d3f:CWE-128",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-128",
      "rdfs:label": "Wrap-around Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:OperatingSystemMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformMonitoring"
      ],
      "d3f:d3fend-id": "D3-OSM",
      "d3f:definition": "The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\n\"An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs.\" [1]\n\nOperating System Monitoring Techniques have varied implementations including built-in kernel modules, third-party privileged system daemons, or even standard systems administration tools included with an operating system.\n\n1. http://dbpedia.org/resource/Operating_system",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE"
        }
      ],
      "rdfs:label": "Operating System Monitoring",
      "rdfs:subClassOf": {
        "@id": "d3f:PlatformMonitoring"
      }
    },
    {
      "@id": "d3f:T1098.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.001",
      "d3f:creates": {
        "@id": "d3f:Credential"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Additional Azure Service Principal Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:Naaed771bc306407ebb24ca2b330f496d"
        },
        {
          "@id": "_:N2245112f9c3f41de806a984342e68cd2"
        }
      ]
    },
    {
      "@id": "_:Naaed771bc306407ebb24ca2b330f496d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:N2245112f9c3f41de806a984342e68cd2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1218.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.004",
      "rdfs:label": "InstallUtil Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:T1562.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:LegacySystem"
      },
      "d3f:attack-id": "T1562.010",
      "rdfs:label": "Downgrade Attack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N9e9cdca42f6c40bf83913f1c9cddc454"
        }
      ]
    },
    {
      "@id": "_:N9e9cdca42f6c40bf83913f1c9cddc454",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LegacySystem"
      }
    },
    {
      "@id": "d3f:CWE-1054",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1054",
      "rdfs:label": "Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Dynamic Information Flow Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(3)"
    },
    {
      "@id": "d3f:spoofs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x spoofs y: The technique x creates a fake instance of a digital artifact y; that is, y is a decoy, fake, or counterfeit.",
      "rdfs:label": "spoofs",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Spoof"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/03323383-n"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:deceives-with"
        }
      ]
    },
    {
      "@id": "d3f:T1592.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.001",
      "rdfs:label": "Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:RFReceiver",
      "@type": "owl:Class",
      "rdfs:label": "RF Receiver",
      "rdfs:subClassOf": {
        "@id": "d3f:RFNode"
      }
    },
    {
      "@id": "d3f:CWE-691",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-691",
      "rdfs:label": "Insufficient Control Flow Management",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:T1037",
      "@type": "owl:Class",
      "d3f:attack-id": "T1037",
      "rdfs:label": "Boot or Logon Initialization Scripts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1574.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.002",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "DLL Side-Loading",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N26154523067d4595aca87bce8a3866d6"
        },
        {
          "@id": "_:N9ff12cdfb45d4446b175f867ad3c46f3"
        }
      ]
    },
    {
      "@id": "_:N26154523067d4595aca87bce8a3866d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N9ff12cdfb45d4446b175f867ad3c46f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:DigitalSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A digital system is a group of interacting or interrelated digital artifacts that act according to a set of rules to form a unified whole. A digital system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and expressed in its functioning. Systems are the subjects of study of systems theory.",
      "rdfs:label": "Digital System",
      "rdfs:seeAlso": {
        "@id": "dbr:System"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:System"
        }
      ]
    },
    {
      "@id": "d3f:CWE-575",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-575",
      "rdfs:label": "EJB Bad Practices: Use of AWT Swing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:T1003.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:OperatingSystemFile"
        },
        {
          "@id": "d3f:ProcessImage"
        }
      ],
      "d3f:attack-id": "T1003.007",
      "rdfs:label": "Proc Filesystem",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N85b9e448d9ac4336bfa40d0f91496771"
        },
        {
          "@id": "_:Na5bd57323b644f0da44c4f1a47a19720"
        }
      ]
    },
    {
      "@id": "_:N85b9e448d9ac4336bfa40d0f91496771",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "_:Na5bd57323b644f0da44c4f1a47a19720",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessImage"
      }
    },
    {
      "@id": "d3f:CWE-544",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-544",
      "rdfs:label": "Missing Standardized Error Handling Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:CCI-001368_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001368"
    },
    {
      "@id": "d3f:In-memoryPasswordStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password store held in memory.",
      "rdfs:label": "In-memory Password Store",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordStore"
      }
    },
    {
      "@id": "d3f:CCI-002729_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002729"
    },
    {
      "@id": "d3f:CCI-002411_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:IOPortRestriction"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002411"
    },
    {
      "@id": "d3f:RegexMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RM",
      "d3f:definition": "Regular expression matching is a type of partial string matching using a regular expression, which is a sequence of characters that specifies a match pattern in text.",
      "d3f:kb-article": "## How it works\n\nA regular expression (shortened as regex or regexp) is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for \"find\" or \"find and replace\" operations on strings, or for input validation.\n\n## Key Test Considerations\n\n- **External review of regular expressions**: Regular expressions used in rules should be reviewed by an independent developer SME.  Regex testing and visualization tools may be used to aid this review.  Back-tests for failure modes identified during the review should be developed.  Regular expressions are easy to get wrong and may appear to work on limited tests; small mistakes can lead to unintended misses and matches.\n\n- **Processing Performance Review**: Review of resource-intensive rules may be necessary if system performance is degraded.  Look for cases of “exponential backtracking”: some regexes are computationally expensive, and input that triggers heavy backtracking can stall the matching engine.\n\n## References\n1. Regular expression. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Regular_expression).\n2. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm).",
      "d3f:synonym": [
        "Regexp",
        "Regex"
      ],
      "rdfs:label": "Regex Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:CWE-1318",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1318",
      "rdfs:label": "Missing Support for Security Features in On-chip Fabrics or Buses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:GNUGCCStackGuard",
      "@type": [
        "owl:NamedIndividual",
        "d3f:StackFrameCanaryValidation"
      ],
      "rdfs:label": "GNU GCC StackGuard"
    },
    {
      "@id": "d3f:produces",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x produces y: The subject entity or process x produces a data object y, which may be a discrete digital object or a stream (e.g., network traffic).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01625832-v"
      },
      "rdfs:label": "produces",
      "rdfs:seeAlso": "creates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:d3fend-catalog-object-property"
        },
        {
          "@id": "d3f:may-produce"
        }
      ],
      "skos:altLabel": "outputs"
    },
    {
      "@id": "d3f:regenerates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x regenerates y: The entity x discards the current digital artifact y and creates a new version that serves the same function.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/00167632-v",
      "rdfs:label": "regenerates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:CWE-451",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-451",
      "rdfs:label": "User Interface (UI) Misrepresentation of Critical Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-684"
        }
      ]
    },
    {
      "@id": "d3f:loaded-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:loads"
      },
      "rdfs:label": "loaded-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-001019_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to protect information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001019"
    },
    {
      "@id": "d3f:Router",
      "@type": "owl:Class",
      "d3f:definition": "A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork (e.g. the Internet) until it reaches its destination node.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Router_(computing)"
      },
      "rdfs:label": "Router",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "As described in ATT&CK, an adversary can use Windows Management Instrumentation (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC (CAR-2014-05-001), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected.\n\nAlthough the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC",
      "rdfs:label": "Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITRE"
    },
    {
      "@id": "d3f:CWE-824",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-824",
      "rdfs:label": "Access of Uninitialized Pointer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:T1570",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1570",
      "d3f:produces": {
        "@id": "d3f:IntranetFileTransferTraffic"
      },
      "rdfs:label": "Lateral Tool Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Nad88b3f7732a4b2cb1c7174c3d6085d7"
        }
      ]
    },
    {
      "@id": "_:Nad88b3f7732a4b2cb1c7174c3d6085d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetFileTransferTraffic"
      }
    },
    {
      "@id": "d3f:ProcessLineageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessSpawnAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:ProcessTree"
        }
      ],
      "d3f:d3fend-id": "D3-PLA",
      "d3f:definition": "Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.",
      "d3f:kb-article": "## How it works\nProcess tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (e.g., during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.), the process is identified as suspicious.\n\nFor example, Microsoft Word may block execution of any subprocess that is not in an approved path.\n\n## Considerations\n* Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis on process lineage ineffective.\n* Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.\n* Zombie processes.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CommandLaunchedFromWinLogon_MITRE"
        },
        {
          "@id": "d3f:Reference-DebuggersForAccessibilityApplications_MITRE"
        },
        {
          "@id": "d3f:Reference-GenericRegsvr32_MITRE"
        },
        {
          "@id": "d3f:Reference-OutlierParentsOfCmd_MITRE"
        },
        {
          "@id": "d3f:Reference-ProcessesSpawningCmd.exe_MITRE"
        },
        {
          "@id": "d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE"
        },
        {
          "@id": "d3f:Reference-Reg.exeCalledFromCommandShell_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE"
        },
        {
          "@id": "d3f:Reference-ServiceOutlierExecutables_MITRE"
        },
        {
          "@id": "d3f:Reference-ServiceSearchPathInterception_MITRE"
        },
        {
          "@id": "d3f:Reference-ServicesLaunchingCmd_MITRE"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-UACBypass_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-02-002%3AGetSystemElevation_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE"
        }
      ],
      "d3f:synonym": "Process Tree Analysis",
      "rdfs:label": "Process Lineage Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        },
        {
          "@id": "_:N0373210772e9406a91a5d3e7c6514886"
        },
        {
          "@id": "_:N608a73d6b3f04d2597921a2109efac12"
        }
      ]
    },
    {
      "@id": "_:N0373210772e9406a91a5d3e7c6514886",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N608a73d6b3f04d2597921a2109efac12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessTree"
      }
    },
    {
      "@id": "d3f:One-timePassword",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:d3fend-id": "D3-OTP",
      "d3f:definition": "A one-time password is valid for only one user authentication.",
      "d3f:kb-article": "## How it works\n\nWhen a user initiates authentication, they are asked for a one-time password, often in addition to other credentials such as a traditional password or smart card. The one-time password may be from a list provided in advance, sent via a channel such as SMS or HTTPS to an app, or a generated token.\n\nIn the case of a physical token which generates one-time passwords incrementally based on time elapsed, that token device need not be connected to the internet. In different implementations, an administrator of the system, or a user with additional verification, can adjust for clock skew between the token and the verification system as needed.\n\n## Considerations\n\n### Compromise of delivery channel\n- SIM Swapping\n- Secure token visual compromise\n- Insecure delivery channel\n\n### Compromise of delivery device\nPhysical loss of One-time Password device.\n\n### Compromise of long-term backup codes\nThese are often provided in the form of a downloadable document with a regular name, which can be searched for in the case that the user forgets where they put them.  This digital file or printed document could be stolen.\nAdditionally, after the code file is printed, it could be recovered from the system printer spool unless the spooler cache is cleared.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RFC2289-AOne-TimePasswordSystem"
      },
      "d3f:synonym": "OTP",
      "d3f:use-limits": {
        "@id": "d3f:Password"
      },
      "rdfs:label": "One-time Password",
      "rdfs:seeAlso": {
        "@id": "dbr:One-time_password"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N9f016e917a1d42a8a97d89886073580d"
        },
        {
          "@id": "_:N43a64606f83642e5a75ecda4e64c5fc5"
        }
      ]
    },
    {
      "@id": "_:N9f016e917a1d42a8a97d89886073580d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N43a64606f83642e5a75ecda4e64c5fc5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:use-limits"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:PointerAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:Pointer"
      },
      "d3f:d3fend-id": "D3-PAN",
      "d3f:definition": "Comparing the cryptographic hash or derivative of a pointer's value to an expected value.",
      "d3f:kb-article": "## How It Works\n\nPointer Authentication (frequently referred to as PAC, although the technique is properly Pointer Authentication) is a security feature to provide protection against attackers with memory read/write access.  A Pointer Authentication Code (PAC) is a cryptographic hash or derivative computed on the value of a pointer and some additional context information which can then provide a cryptographically strong guarantee about the likelihood that a pointer has been tampered with by an attacker.\n\nAlthough pointers are 64 bits, most systems have a substantially smaller virtual address space, leaving unused bits in pointers that can store the value of the PAC, which reduces memory space requirements. One implementation is in ARMv8.3-A.  A PAC is computed over the 64-bit pointer value and a 64-bit context value.  Instructions are introduced to deal with pointers: one category to compute and insert the PAC into a pointer, another category to verify the pointer and invalidate the pointer if the PAC check fails, and a third category to remove the PAC and restore the original pointer value without verifying.\n\nThe ARM standard specifies a cryptographic algorithm called QARMA-64 (designed by Qualcomm) to compute the signature, although this algorithm is not required.  The architecture provides for five secret 128-bit Pointer Authentication keys: two for instruction pointers, two for data pointers, and a general key for signing larger blocks of data.\n\n## Considerations\n\nIn the ARM implementation, the mechanisms above for manipulating PACs are provided, but it is up to the code developer to manage the keys for the cryptographic algorithm.\n\n\nA known potential limitation of PACs concerns signing gadgets. Under certain circumstances PACs can be bypassed by forcing the system to run a signing gadget which will allow the signing of arbitrary pointers to occur.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PointerAuthenticationOnARMv8.3"
        },
        {
          "@id": "d3f:Reference-PointerAuthenticationProjectZero"
        }
      ],
      "rdfs:label": "Pointer Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N32fd310a44b4440e89367552a5107dcc"
        }
      ]
    },
    {
      "@id": "_:N32fd310a44b4440e89367552a5107dcc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:CWE-51",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-51",
      "rdfs:label": "Path Equivalence: '/multiple//internal/slash'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-130",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-130",
      "rdfs:label": "Improper Handling of Length Parameter Inconsistency",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-240"
      }
    },
    {
      "@id": "d3f:CWE-941",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-941",
      "rdfs:label": "Incorrectly Specified Destination in a Communication Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:RestoreFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RF",
      "d3f:definition": "Restoring a file for an entity to access.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Restore File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:Ncfc1eef642e846fba6c47ae9b62558c1"
        }
      ]
    },
    {
      "@id": "_:Ncfc1eef642e846fba6c47ae9b62558c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-472",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-472",
      "rdfs:label": "External Control of Assumed-Immutable Web Parameter",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-471"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:hides",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x hides y: A technique or operation x conceals the digital artifact y.",
      "rdfs:label": "hides",
      "rdfs:range": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1191",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1191",
      "rdfs:label": "On-Chip Debug and Test Interface With Improper Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:MobilePhone",
      "@type": "owl:Class",
      "d3f:definition": "A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared,",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Mobile_phone"
      },
      "rdfs:label": "Mobile Phone",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": [
        "Cellphone",
        "Cellular Phone"
      ]
    },
    {
      "@id": "d3f:CCI-001144_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001144"
    },
    {
      "@id": "d3f:SystemStartupDirectory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system startup directory is a directory containing executable files or links to executable files which are run when the system starts.",
      "rdfs:label": "System Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ]
    },
    {
      "@id": "d3f:FileHash",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:identifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalFingerprint"
        },
        {
          "@id": "_:N0d952955a38a4d918a34b4c0b01ec34f"
        }
      ]
    },
    {
      "@id": "_:N0d952955a38a4d918a34b4c0b01ec34f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-001305_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MessageAuthentication"
        },
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        },
        {
          "@id": "d3f:TransferAgentAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001305"
    },
    {
      "@id": "d3f:T1553.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553.005",
      "rdfs:label": "Mark-of-the-Web Bypass",
      "rdfs:subClassOf": {
        "@id": "d3f:T1553"
      }
    },
    {
      "@id": "d3f:T1547.014",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.014",
      "rdfs:label": "Active Setup",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:DefensiveTechniqueAssessment",
      "@type": "owl:Class",
      "d3f:definition": "Assessing how well a capability implementation's capability feature functions as a countermeasure.",
      "rdfs:label": "Defensive Technique Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FeatureAssessment"
        },
        {
          "@id": "_:Nee5b63e86a414df5a2a17a7d78ba0f1f"
        },
        {
          "@id": "_:Nbe7056e30e4548b2bc512c88c7d8d7f5"
        },
        {
          "@id": "_:N93c87e0d3f2f41ffbd718b2278584998"
        },
        {
          "@id": "_:N5fb2bd4e08434c8c9887f13cbc15c00e"
        },
        {
          "@id": "_:N5446a66a5de94697acadb28d772cea83"
        },
        {
          "@id": "_:N4eb851fcda11408abe574f4452e97274"
        },
        {
          "@id": "_:N225d333175c343bc9a6f3662ccc15e97"
        }
      ]
    },
    {
      "@id": "_:Nee5b63e86a414df5a2a17a7d78ba0f1f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:assesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechniqueClaim"
      }
    },
    {
      "@id": "_:Nbe7056e30e4548b2bc512c88c7d8d7f5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:counters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OffensiveTechnique"
      }
    },
    {
      "@id": "_:N93c87e0d3f2f41ffbd718b2278584998",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:confidence"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:integer"
      }
    },
    {
      "@id": "_:N5fb2bd4e08434c8c9887f13cbc15c00e",
      "@type": "owl:Restriction",
      "owl:allValuesFrom": {
        "@id": "_:Nfa01e8f5517445319783493a4e688339"
      },
      "owl:onProperty": {
        "@id": "d3f:rating"
      }
    },
    {
      "@id": "_:Nfa01e8f5517445319783493a4e688339",
      "@type": "rdfs:Datatype",
      "owl:oneOf": {
        "@list": [
          "0",
          "1",
          "2",
          "3"
        ]
      }
    },
    {
      "@id": "_:N5446a66a5de94697acadb28d772cea83",
      "@type": "owl:Restriction",
      "owl:allValuesFrom": {
        "@id": "_:Nc317846e1e564b358670345f9e4ed8dc"
      },
      "owl:onProperty": {
        "@id": "d3f:stage"
      }
    },
    {
      "@id": "_:Nc317846e1e564b358670345f9e4ed8dc",
      "@type": "rdfs:Datatype",
      "owl:oneOf": {
        "@list": [
          "Deceive",
          "Detect",
          "Evict",
          "Harden",
          "Isolate"
        ]
      }
    },
    {
      "@id": "_:N4eb851fcda11408abe574f4452e97274",
      "@type": "owl:Restriction",
      "owl:cardinality": {
        "@type": "xsd:nonNegativeInteger",
        "@value": "1"
      },
      "owl:onProperty": {
        "@id": "d3f:rating"
      }
    },
    {
      "@id": "_:N225d333175c343bc9a6f3662ccc15e97",
      "@type": "owl:Restriction",
      "owl:onDataRange": {
        "@id": "xsd:string"
      },
      "owl:onProperty": {
        "@id": "d3f:stage"
      },
      "owl:qualifiedCardinality": {
        "@type": "xsd:nonNegativeInteger",
        "@value": "1"
      }
    },
    {
      "@id": "d3f:OffensiveTactic",
      "@type": "owl:Class",
      "d3f:definition": "Per ATT&CK, these are defined as Tactical Goals, not Tactics per se. Many children also fit the definition of tactics.  Some are neither tactics nor tactical goals really (e.g., Execution, which is a useful grouping, but an action, not really a tactic or technique).",
      "rdfs:isDefinedBy": {
        "@id": "https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf"
      },
      "rdfs:label": "Offensive Tactic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKThing"
        },
        {
          "@id": "_:Nacb92f7859fc4bc7bb876f9192502bc4"
        }
      ]
    },
    {
      "@id": "_:Nacb92f7859fc4bc7bb876f9192502bc4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enabled-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OffensiveTechnique"
      }
    },
    {
      "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6550012B1"
      },
      "d3f:kb-abstract": "System and methodology providing automated or \"proactive\" network security (\"active\" firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., \"event orchestrator\") component, so that the sensor may report the event to the arbiter or \"brain.\" Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an \"actor\" component (e.g., \"firewall\"). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information.",
      "d3f:kb-author": "Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Active firewall system and methodology",
      "rdfs:label": "Reference - Active firewall system and methodology - McAfee LLC"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IR-4_12",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Incident Handling | Malicious Code and Forensic Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DynamicAnalysis"
      },
      "rdfs:label": "IR-4(12)"
    },
    {
      "@id": "d3f:CWE-836",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-836",
      "rdfs:label": "Use of Password Hash Instead of Password for Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:WindowsNtWriteFile",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtWriteFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPIWriteFile"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1395",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1395",
      "rdfs:label": "Dependency on Vulnerable Third-Party Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:CWE-46",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-46",
      "rdfs:label": "Path Equivalence: 'filename ' (Trailing Space)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002607_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002607"
    },
    {
      "@id": "d3f:T1016.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1016.001",
      "rdfs:label": "Internet Connection Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:T1016"
      }
    },
    {
      "@id": "d3f:InferentialStatistics",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IS",
      "d3f:definition": "Statistical inference is the process of using data analysis to infer properties of an underlying distribution of probability.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical inference. [Link](https://en.wikipedia.org/wiki/Statistical_inference)",
      "rdfs:label": "Inferential Statistics",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:CWE-794",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-794",
      "rdfs:label": "Incomplete Filtering of Multiple Instances of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-792"
      }
    },
    {
      "@id": "d3f:CallStack",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:StackFrame"
      },
      "d3f:definition": "In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, program stack, control stack, run-time stack, or machine stack, and is often shortened to just \"the stack\". Although maintenance of the call stack is important for the proper functioning of most software, the details are normally hidden and automatic in high-level programming languages. Many computer instruction sets provide special instructions for manipulating stacks.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:label": "Call Stack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N010782e2c00a499da38a9f29cbb4b6cc"
        }
      ]
    },
    {
      "@id": "_:N010782e2c00a499da38a9f29cbb4b6cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:T1114.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1114.001",
      "d3f:reads": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Local Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:Nd2d4bd1d10684f9b9752238cfb25dc47"
        }
      ]
    },
    {
      "@id": "_:Nd2d4bd1d10684f9b9752238cfb25dc47",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:Semi-supervisedInductiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSIL",
      "d3f:definition": "The goal of inductive learning is to infer the correct mapping from X to Y.",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning).\n\nZhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9).  [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).",
      "rdfs:label": "Semi-supervised Inductive Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:T1621",
      "@type": "owl:Class",
      "d3f:attack-id": "T1621",
      "rdfs:label": "Multi-Factor Authentication Request Generation",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1393",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1393",
      "rdfs:label": "Use of Default Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1392"
      }
    },
    {
      "@id": "d3f:T1622",
      "@type": "owl:Class",
      "d3f:attack-id": "T1622",
      "rdfs:label": "Debugger Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        }
      ]
    },
    {
      "@id": "d3f:valid",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date (often a range) of validity of a resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date valid"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-588",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-588",
      "rdfs:label": "Attempt to Access Child of a Non-structure Pointer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-704"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc8904"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSAllowlisting"
      },
      "d3f:kb-reference-title": "DNS Whitelist (DNSWL) Email Authentication Method Extension",
      "rdfs:label": "Reference - DNS Whitelist (DNSWL) Email Authentication Method Extension"
    },
    {
      "@id": "d3f:limits",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x limits y: An entity x specifies a designated limit beyond which some entity y cannot function or must be terminated.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13781154-n"
      },
      "rdfs:label": "limits",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13780436-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:restricts"
      },
      "skos:altLabel": "cutoff"
    },
    {
      "@id": "d3f:Reference-ServiceBinaryModifications_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-02-001/"
      },
      "d3f:kb-abstract": "Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ServiceBinaryVerification"
      },
      "d3f:kb-reference-title": "CAR-2014-02-001: Service Binary Modifications",
      "rdfs:label": "Reference - CAR-2014-02-001: Service Binary Modifications - MITRE"
    },
    {
      "@id": "d3f:Organization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Organization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Agent"
        },
        {
          "@id": "_:N4cc14449eef446e388bd0c10f0956f50"
        }
      ]
    },
    {
      "@id": "_:N4cc14449eef446e388bd0c10f0956f50",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Person"
      }
    },
    {
      "@id": "d3f:CWE-230",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-230",
      "rdfs:label": "Improper Handling of Missing Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:macOSProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "macOS Process"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_11",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:control-name": "Information Flow Enforcement | Configuration of Security or Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(11)"
    },
    {
      "@id": "d3f:T1547.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.005",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Security Support Provider",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N674130082e4848eb9859526e9c714285"
        }
      ]
    },
    {
      "@id": "_:N674130082e4848eb9859526e9c714285",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:MemoryAddressSpace",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryAddress"
      },
      "d3f:definition": "A memory address space is a space containing memory addresses.",
      "rdfs:label": "Memory Address Space",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AddressSpace"
        },
        {
          "@id": "_:Ncb45353cdc264cd9848d2e8c2209d62b"
        }
      ]
    },
    {
      "@id": "_:Ncb45353cdc264cd9848d2e8c2209d62b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:CCI-002284_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002284"
    },
    {
      "@id": "d3f:Document",
      "@type": "owl:Class",
      "d3f:definition": "A document is a written, drawn, presented or recorded representation of thoughts.",
      "rdfs:label": "Document",
      "rdfs:subClassOf": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "d3f:may-modify",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-modify y: The entity x may modify the thing y; that is, 'x modifies y' may be true.",
      "rdfs:label": "may-modify",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1498.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1498.001",
      "d3f:creates": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Direct Network Flood",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "_:N46f39656d69246fa856eab9bf4f46418"
        }
      ]
    },
    {
      "@id": "_:N46f39656d69246fa856eab9bf4f46418",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:may-be-deceived-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be deceived by",
      "owl:inverseOf": {
        "@id": "d3f:may-deceive"
      },
      "rdfs:label": "may-be-deceived-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:CWE-383",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-383",
      "rdfs:label": "J2EE Bad Practices: Direct Use of Threads",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:GraphicalUserInterface",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphical user interface (GUI)  is a type of user interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, instead of text-based user interfaces, typed command labels or text navigation. GUIs were introduced in reaction to the perceived steep learning curve of command-line interfaces (CLIs), which require commands to be typed on a computer keyboard.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Graphical_user_interface"
      },
      "rdfs:label": "Graphical User Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:UserInterface"
      },
      "skos:altLabel": "GUI"
    },
    {
      "@id": "d3f:CWE-97",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-97",
      "rdfs:label": "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-96"
      }
    },
    {
      "@id": "d3f:modified-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:modifies"
      },
      "rdfs:label": "modified-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-modified-by"
        }
      ]
    },
    {
      "@id": "d3f:T1562.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.004",
      "d3f:modifies": {
        "@id": "d3f:SystemFirewallConfiguration"
      },
      "rdfs:label": "Disable or Modify System Firewall",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N7c15a80f9998406683f8f1aff507ca04"
        }
      ]
    },
    {
      "@id": "_:N7c15a80f9998406683f8f1aff507ca04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirewallConfiguration"
      }
    },
    {
      "@id": "d3f:T1602.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602.001",
      "rdfs:label": "SNMP (MIB Dump)",
      "rdfs:subClassOf": {
        "@id": "d3f:T1602"
      }
    },
    {
      "@id": "d3f:M1033",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "rdfs:label": "Limit Software Installation"
    },
    {
      "@id": "d3f:CWE-1086",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1086",
      "rdfs:label": "Class with Excessive Number of Child Classes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:T1552.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:attack-id": "T1552.002",
      "rdfs:label": "Credentials in Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N71bae41d74a640b1b8a14f52486c1f47"
        }
      ]
    },
    {
      "@id": "_:N71bae41d74a640b1b8a14f52486c1f47",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/change-registry-values-permissions"
      },
      "d3f:kb-abstract": "This article describes how to change registry values or permissions from a command line or a script.\n\nApplies to:   Windows 10 - all editions, Windows Server 2012 R2\nOriginal KB number:   264584",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-title": "How to change registry values or permissions from a command line or a script",
      "rdfs:label": "Reference - How to change registry values or permissions from a command line or a script"
    },
    {
      "@id": "d3f:CWE-369",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-369",
      "rdfs:label": "Divide By Zero",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CWE-1289",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1289",
      "rdfs:label": "Improper Validation of Unsafe Equivalence in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cs.unc.edu/~fabian/course_papers/polymorphic-detect.pdf"
      },
      "d3f:kb-author": "Michalis Polychronakis",
      "d3f:kb-reference-of": {
        "@id": "d3f:ByteSequenceEmulation"
      },
      "d3f:kb-reference-title": "Network-level polymorphic shellcode detection using emulation",
      "rdfs:label": "Reference - Network-level polymorphic shellcode detection using emulation"
    },
    {
      "@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7308712B2"
      },
      "d3f:kb-abstract": "A system and process for addressing computer security vulnerabilities. The system and process generally comprise aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address the computer vulnerabilities; and deploying said remediation signature to a client computer. The remediation signature essentially comprises a sequence of actions to address a corresponding vulnerability. A managed automated approach to the process is contemplated in which the system is capable of selective deployment of remediation signatures; selective resolution of vulnerabilities; scheduled deployment of remediation signatures; and scheduled scanning of client computers for vulnerabilities.",
      "d3f:kb-author": "Carl E. Banzhof",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "Automated computer vulnerability resolution system",
      "rdfs:label": "Reference - Automated computer vulnerability resolution system"
    },
    {
      "@id": "d3f:CCI-001092_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001092"
    },
    {
      "@id": "d3f:T1497.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497.001",
      "rdfs:label": "System Checks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1497"
      }
    },
    {
      "@id": "d3f:CWE-616",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-616",
      "rdfs:label": "Incomplete Identification of Uploaded File Variables (PHP)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:CWE-267",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-267",
      "rdfs:label": "Privilege Defined With Unsafe Actions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:Image-to-ImageTranslationGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ITITG",
      "d3f:definition": "Image-to-image translation is the task of transferring styles and characteristics from one image domain to another.",
      "d3f:kb-article": "## References\nMathWorks. (n.d.). Get Started with GANs for Image-to-Image Translation. [Link](https://www.mathworks.com/help/images/get-started-with-gans-for-image-to-image-translation.html)",
      "rdfs:label": "Image-to-Image Translation GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:executes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x executes y: The subject x takes the action of carrying out (executing) y, which is a single software module, function, or instruction.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02569242-v"
      },
      "rdfs:label": "executes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:accesses"
        },
        {
          "@id": "d3f:may-execute"
        },
        {
          "@id": "d3f:runs"
        }
      ]
    },
    {
      "@id": "d3f:InternetNetwork",
      "@type": "owl:Class",
      "d3f:definition": "A network of multiple, connected networks. Internetworking is the practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks. The resulting system of interconnected networks is called an internetwork, or simply an internet. Internetworking is a combination of the words inter (\"between\") and networking; not internet-working or international-network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:label": "Internet Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      },
      "skos:altLabel": [
        "Interconnected Network",
        "Internet",
        "Internetwork"
      ]
    },
    {
      "@id": "d3f:LinearClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LC",
      "d3f:definition": "A linear classifier is a model that makes a decision to categorize a set of data points into a discrete class based on a linear combination of its explanatory variables.",
      "d3f:kb-article": "## References\nA Look at the Maths Behind Linear Classification. Towards Data Science. [Link](https://towardsdatascience.com/a-look-at-the-maths-behind-linear-classification-166e99a9e5fb).",
      "rdfs:label": "Linear Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:CWE-1231",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1231",
      "rdfs:label": "Improper Prevention of Lock Bit Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-581",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-581",
      "rdfs:label": "Object Model Violation: Just One of Equals and Hashcode Defined",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:CWE-140",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-140",
      "rdfs:label": "Improper Neutralization of Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20050091319A1/"
      },
      "d3f:kb-author": "Steven Kirsch",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainNameReputationAnalysis"
        },
        {
          "@id": "d3f:IPReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Database for receiving, storing and compiling information about email messages",
      "rdfs:label": "Reference - Database for receiving, storing and compiling information about email messages"
    },
    {
      "@id": "d3f:T1085",
      "@type": "owl:Class",
      "d3f:attack-id": "T1085",
      "rdfs:label": "Rundll32",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1256",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1256",
      "rdfs:label": "Improper Restriction of Software Interfaces to Hardware Features",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:T1599",
      "@type": "owl:Class",
      "d3f:attack-id": "T1599",
      "rdfs:label": "Network Boundary Bridging",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:AuthenticationLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of authentication events.",
      "d3f:records": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Authentication Log",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        },
        {
          "@id": "dbr:Authorization"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Log"
        },
        {
          "@id": "_:N149d5eea43584447901205e28c06a123"
        }
      ]
    },
    {
      "@id": "_:N149d5eea43584447901205e28c06a123",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:CCI-001619_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of special characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001619"
    },
    {
      "@id": "d3f:T1001.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.002",
      "rdfs:label": "Steganography",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:KerberosTicketGrantingTicket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
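      "d3f:definition": "A ticket granting ticket issued by a Kerberos system; that is, a ticket that grants a user domain admin access. The ticket is presented to the Kerberos ticket-granting service to request service tickets, so the access it confers is that of the principal it was issued to.",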
      "rdfs:label": "Kerberos Ticket Granting Ticket",
      "rdfs:seeAlso": {
        "@id": "dbr:Ticket_Granting_Ticket"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KerberosTicket"
        },
        {
          "@id": "d3f:TicketGrantingTicket"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001404_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account disabling actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001404"
    },
    {
      "@id": "d3f:CCI-002423_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002423"
    },
    {
      "@id": "d3f:T1555",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:PasswordStore"
      },
      "d3f:attack-id": "T1555",
      "d3f:may-access": {
        "@id": "d3f:DatabaseFile"
      },
      "rdfs:label": "Credentials from Password Stores",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nf58cf941943e4a8e9b6e0e9843818b3b"
        },
        {
          "@id": "_:Nc61bae39dd464eb5a2d9e769c2b0834d"
        }
      ]
    },
    {
      "@id": "_:Nf58cf941943e4a8e9b6e0e9843818b3b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordStore"
      }
    },
    {
      "@id": "_:Nc61bae39dd464eb5a2d9e769c2b0834d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseFile"
      }
    },
    {
      "@id": "d3f:CCIControl",
      "@type": "owl:Class",
      "rdfs:label": "CCI Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControl"
        },
        {
          "@id": "_:Na7ffc66ed7e34871978eb31d30d96927"
        },
        {
          "@id": "_:N11746bde818046bba1caffe4db302ac5"
        },
        {
          "@id": "_:N13ad5a8a3a39435a9d92d4dbe8c5d8e0"
        }
      ]
    },
    {
      "@id": "_:Na7ffc66ed7e34871978eb31d30d96927",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlCorrelationIdentifierCatalog"
      }
    },
    {
      "@id": "_:N11746bde818046bba1caffe4db302ac5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:control-name"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N13ad5a8a3a39435a9d92d4dbe8c5d8e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:published"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:Median",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MED",
      "d3f:definition": "The middle value that separates the higher half from the lower half of the data set. The median and the mode are the only measures of central tendency that can be used for ordinal data, in which values are ranked relative to each other but are not measured absolutely.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Median",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:DNSServer",
      "@type": "owl:Class",
      "d3f:definition": "A Domain Name System (DNS) name server is a kind of name server.  Domain names are one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses, the second principal name space of the Internet which is used to identify and locate computer systems and resources on the Internet.\n\nMore generally, a name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Name_server"
      },
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-568",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-568",
      "rdfs:label": "finalize() Method Without super.finalize()",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-459"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:UnitTestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "A unit test execution tool automatically performs unit testing.  Unit testing is a software testing method by which individual units of source code are tested to determine whether they are fit for use.  Unit test execution tools work with sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures. This contrasts with integration testing, which tests inter-unit dependencies and the modules as a group.",
      "rdfs:label": "Unit Test Execution Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Unit_testing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:TestExecutionTool"
      }
    },
    {
      "@id": "d3f:CWE-541",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-541",
      "rdfs:label": "Inclusion of Sensitive Information in an Include File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:PowerShellProfileScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A PowerShell profile script is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.",
      "rdfs:label": "PowerShell Profile Script",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.1"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:GetScreenCapture",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get Screen Capture",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-58",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-58",
      "rdfs:label": "Path Equivalence: Windows 8.3 Filename",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:T1596.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.003",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:T1106",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1106",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Native API Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N1232cca7db8f45a18f6396e27953d0ac"
        }
      ]
    },
    {
      "@id": "_:N1232cca7db8f45a18f6396e27953d0ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CCI-000381_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures the information system to provide only essential capabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000381"
    },
    {
      "@id": "d3f:T1036.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.005",
      "d3f:invokes": {
        "@id": "d3f:MoveFile"
      },
      "d3f:may-create": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Match Legitimate Name or Location",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N9ebc7f817cb7467fa4bb0c392de30228"
        },
        {
          "@id": "_:N378b8ae358fc4762ae6a8cec08ba5bfe"
        }
      ]
    },
    {
      "@id": "_:N9ebc7f817cb7467fa4bb0c392de30228",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MoveFile"
      }
    },
    {
      "@id": "_:N378b8ae358fc4762ae6a8cec08ba5bfe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-501",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-501",
      "rdfs:label": "Trust Boundary Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1561.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1561.001",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Partition"
        },
        {
          "@id": "d3f:PartitionTable"
        },
        {
          "@id": "d3f:Volume"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:BlockDevice"
      },
      "rdfs:label": "Disk Content Wipe",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1561"
        },
        {
          "@id": "_:N4feba214c1ce494c875c35d97c6b11e9"
        },
        {
          "@id": "_:Nd452691a2a2442ac83f8e0eacb121d0f"
        },
        {
          "@id": "_:Nf3f80b785d6e47cc849b83d9dbfe7fce"
        },
        {
          "@id": "_:Nc4fd8aca83414a76b27d8722ba969a2d"
        },
        {
          "@id": "_:Nea937d2d92494c3e853ff23b66a80f91"
        }
      ]
    },
    {
      "@id": "_:N4feba214c1ce494c875c35d97c6b11e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Nd452691a2a2442ac83f8e0eacb121d0f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "_:Nf3f80b785d6e47cc849b83d9dbfe7fce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "_:Nc4fd8aca83414a76b27d8722ba969a2d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "_:Nea937d2d92494c3e853ff23b66a80f91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BlockDevice"
      }
    },
    {
      "@id": "d3f:ExfiltrationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Exfiltration"
      },
      "rdfs:label": "Exfiltration Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N05b28894509b46b5a76dfef20eb70b2d"
        }
      ]
    },
    {
      "@id": "_:N05b28894509b46b5a76dfef20eb70b2d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Exfiltration"
      }
    },
    {
      "@id": "d3f:TPMBootIntegrity",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-TBI",
      "d3f:definition": "Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (SRTM).",
      "d3f:kb-article": "## How it works\nDuring the boot process, the BIOS boot block (which, with this defense enabled, is the Core Root of Trust for Measurement) measures boot components (firmware, ROM). The TPM hashes those measurements and stores the hashes in Platform Configuration Registers (PCRs).  Upon a subsequent boot, these hashes are provided to a verifier which compares the stored measurements to the new boot measurements. Integrity of the boot components is assured if they match.\n\nAttestation of the secure boot occurs when a verifying entity requests a Quote, which is a concatenation of the requested PCR values, hashed and signed by the TPM's unique RSA key.  The TPM signature is trusted because the private key is stored securely in hardware and never leaves the TPM.\n\n## Considerations\n\n* The TPM does not perform follow-on actions based on the PCR values; it only provides the stored PCR information, so acting on a mismatch is left to the verifying entity.\n* The current version of TPM is 2.0; most existing implementations use TPM 1.2.\n\n## Citations\n[1] [TPM 2.0 Library](https://trustedcomputinggroup.org/resource/tpm-library-specification/)\n[2] [TCG Trusted Attestation Protocol (TAP) Use Cases for TPM Families 1.2 and 2.0 and DICE](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-TCGTrustedAttestationProtocolUseCasesForTPMFamilies1.2And2.0AndDICE"
        },
        {
          "@id": "d3f:Reference-TrustedAttestationProtocolUseCases"
        },
        {
          "@id": "d3f:Reference-TPM2.0LibrarySpecification_TrustedComputingGroup,Incorporated"
        }
      ],
      "d3f:synonym": [
        "STRM",
        "Static Root of Trust Measurement"
      ],
      "rdfs:label": "TPM Boot Integrity",
      "rdfs:subClassOf": {
        "@id": "d3f:PlatformHardening"
      }
    },
    {
      "@id": "d3f:AsymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AFTL",
      "d3f:definition": "Homogeneous (where the metrics are the same for both source and target) asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Asymmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:SystemConfigurationInitDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the services, parameters, and initial settings for an operating system at startup.",
      "rdfs:label": "System Configuration Init Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ],
      "skos:altLabel": "System Configuration Startup Database Record"
    },
    {
      "@id": "d3f:CWE-284",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-284",
      "rdfs:label": "Improper Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:MicrosoftVCCLCompilerToolBufferSecurityCheck",
      "@type": [
        "owl:NamedIndividual",
        "d3f:StackFrameCanaryValidation"
      ],
      "rdfs:label": "Microsoft VCCLCompilerTool BufferSecurityCheck"
    },
    {
      "@id": "d3f:ArtificialNeuralNetClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-annotation": "Classification ANNs seek to classify an observation as belonging to some discrete class as a function of the inputs. The input features (independent variables) can be categorical or numeric types; however, we require a categorical feature as the dependent variable.",
      "d3f:d3fend-id": "D3A-ANNC",
      "d3f:kb-article": "## References\nANN Classification. [Link](http://uc-r.github.io/ann_classification).",
      "rdfs:label": "Artificial Neural Network Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:CWE-102",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-102",
      "rdfs:label": "Struts: Duplicate Validation Forms",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1173"
        },
        {
          "@id": "d3f:CWE-694"
        }
      ]
    },
    {
      "@id": "dcterms:title",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "title"
    },
    {
      "@id": "d3f:CWE-338",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-338",
      "rdfs:label": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:Evict",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The eviction tactic is used to remove an adversary from a computer network.",
      "d3f:display-order": 4,
      "d3f:display-priority": 0,
      "rdfs:label": "Evict",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:ConvolutionalNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CNN",
      "d3f:definition": "A class of artificial neural network most commonly applied to analyze visual imagery. CNNs use a mathematical operation called convolution in place of general matrix multiplication in at least one of their layers.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Convolutional neural network. [Link](https://en.wikipedia.org/wiki/Convolutional_neural_network)",
      "rdfs:label": "Convolutional Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:DeepNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:CWE-1095",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1095",
      "rdfs:label": "Loop Condition Value Update within the Loop",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:HeterogeneousFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HFBTL",
      "d3f:definition": "Symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations so as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HeterogeneousTransferLearning"
      }
    },
    {
      "@id": "d3f:CCI-002684_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002684"
    },
    {
      "@id": "d3f:CWE-595",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-595",
      "rdfs:label": "Comparison of Object References Instead of Object Contents",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1025"
      }
    },
    {
      "@id": "d3f:unmounts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x unmounts y: An operation x removes, via the computer system's file system, access to the files and directories on a storage artifact y.  Unmounts reverse or undo prior mount operations.",
      "rdfs:label": "unmounts",
      "rdfs:seeAlso": {
        "@id": "dbr:Mount_(computing)"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1059.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.002",
      "rdfs:label": "AppleScript Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:T1566.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.003",
      "d3f:produces": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Spearphishing Via Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:N1499a3875377409eb9eb84357af32766"
        },
        {
          "@id": "_:N40a47cf12a24474d9b13f06ccb1e3263"
        }
      ]
    },
    {
      "@id": "_:N1499a3875377409eb9eb84357af32766",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N40a47cf12a24474d9b13f06ccb1e3263",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:PassiveCertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CertificateAnalysis",
        "d3f:PassiveCertificateAnalysis"
      ],
      "d3f:d3fend-id": "D3-PCA",
      "d3f:definition": [
        "Passively collecting certificates and analyzing them.",
        "Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity."
      ],
      "d3f:kb-article": "## How it works\nCertificates are analyzed outside of a TLS server connection using third-party secure update logs, domain name analysis and analytics.\n\n### Secure update certificate logs\n* Certificate Logs\nThe key enabling feature is a secure service that maintains record logs of certificate activities. The logs allow users to only append certificates and never to delete or modify the log entries. The logs use Merkle Tree Hashes to ensure they have not been tampered with. The logging service also allows for public auditing by any user.\n\nThe logging service, upon receipt of a certificate to log, will respond with a signed certificate timestamp (SCT). The SCT guarantees the certificate will be added to the log within the time specified. The SCT must be present with the certificate during a TLS handshake.\n\n* Certificate Monitoring\nCertificate monitoring of the logs is typically done by the CA, which watches for suspicious certificate logging and unusual certificates, extensions, or permissions. Monitors are also responsible for verifying the logs are accurate and public.\n\n* Certificate Auditors\nLog integrity is verified by log auditors. Auditors use log proofs to validate that the cryptographic hashes (Merkle Trees) the log employs are consistent. To ensure consistency across multiple monitors and auditors sharing a common logging service, a gossip protocol is employed.\n\n### Phishing domain name analysis\n* A curated corpus of known benign domains and phishing domain names is used as training text for machine learning. Through the use of feature set extraction, vector labels are created with scoring to indicate whether they are considered benign or phishing domains.\n\n* A stream of new or updated SSL certificates with fully qualified domain names (FQDN) is analyzed against the feature vectors and a predictive model determines a score for the domains. The scoring considers distance measures such as Levenshtein distance to help in determining the final label score. Supervised learning is also employed using the curated domains of benign and phishing domains.\n\n* Subdomain phishing analysis, prepending a trusted domain to a phishing domain, and regular expression comparisons are also used in the label scoring model. A tunable measure is used to determine the threshold for alerting. This measure helps to balance between precision and recall measures.\n\n## Considerations\n* Some entity will need to run the logging service and a trusted entity is preferred.\n* Certificate Authorities will likely need to monitor the logging service for consistency.\n* Certificate revocation is unchanged and remains outside of Certificate Transparency, but certificates needing to be revoked are visible.\n* The technique depends on a reliable feed of new and updated certificates.\n* Some certificate authorities allow for certificates to be registered with wildcards in the FQDN and thus will fail some of the subdomain scoring.\n* Phishing domains served only over HTTP will not be discovered, because they have no certificate to analyze.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CertificateTransparency"
        },
        {
          "@id": "d3f:Reference-StreamingPhish"
        }
      ],
      "rdfs:label": "Passive Certificate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateAnalysis"
      }
    },
    {
      "@id": "d3f:CorrelationClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CC",
      "d3f:definition": "Correlation clustering provides a method for clustering a set of objects into the optimum number of clusters without specifying that number in advance.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Correlation clustering. [Link](https://en.wikipedia.org/wiki/Correlation_clustering)",
      "rdfs:label": "Correlation Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:CWE-600",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-600",
      "rdfs:label": "Uncaught Exception in Servlet",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-248"
      }
    },
    {
      "@id": "d3f:CCI-002307_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002307"
    },
    {
      "@id": "d3f:ProcessTermination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessEviction"
      ],
      "d3f:d3fend-id": "D3-PT",
      "d3f:definition": "Terminating a running application process on a computer system.",
      "d3f:kb-article": "## How it works\n\nProcesses are managed by the operating system kernel.  Different operating system kernels manage the creation and termination of processes in a different manner, and expose this functionality via the kernel API.\n\nA running process might be terminated to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior; such as after detecting anomalous behavior via <a href=\"https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#AdministrativeNetworkActivityAnalysis\">Administrative Network Activity Analysis</a>, after a failed check from <a href=\"https://d3fend.mitre.org/technique/d3f:StackFrameCanaryVerification\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#StackFrameCanaryValidation\">Stack Frame Canary Validation</a>, or after <a href=\"https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallAnalysis\">System Call Analysis</a> finds an attempt to execute an unauthorized system call.\n\n### Proprietary technology\nSecurity software might use proprietary technology to terminate processes, instead of the system-provided functions.    Further research may provide specific detail on such methods used.\n\n### System-provided functions\n\n#### Windows tools\nIn Windows, `ExitProcess()` is used to send a signal to a process to request it to exit, and `TerminateProcess()` is used to force a process to exit.\n\nThe `taskkill` executable available in the cmd shell is used to kill a process, with the `/F` switch forcing termination as with `TerminateProcess()`.  In PowerShell, `Stop-Process` is used, which is aliased by default to `spps` and `kill`.  
Processes started in the Windows Subsystem for Linux (WSL) environment may be terminated there with the `kill` command.\n\nIn some cases, existing drivers can also be leveraged to kill processes.\n\n#### Unix/Linux tools\nIn Unix-like systems, all process termination requests are handled using signals.  The `kill` function takes the Process ID and signal to send, and is accessible with the `kill` command.  Some shells have a `kill` builtin function which is separate than the `kill` binary, which can also kill background jobs in the shell and additionally perform the function faster, and can run from an existing instance of the shell if the process table is full.  The signal SIGTERM specifies that the process to terminate may invoke a handler that it has defined instead of terminating, and the signal SIGKILL forces immediate termination.\n\nThe related command `xkill` terminates the connection of a program to the X window server, after which the user process may decide to terminate itself; however, termination is not guaranteed as the process, which could be on the same or different host, could then run in a terminal or reconnect to a different X server on any host.  Emacs is such a program that would not terminate itself after its connection to the X server is terminated.\n\n## Considerations\n\n### Persistence Mechanisms\nTerminating a malicious process is not enough to stop an adversary that has already gained persistence in the host via any initial access mechanism, including through that process or another access mechanism.\n\n### Terminating Multiple Processes\nOn most operating systems, process termination operations typically occur independently of each other, without functionality provided to atomically terminate multiple processes.  
If there are multiple malicious processes which can make system calls to spawn other processes once one of them is closed, user session termination or system restart might be required.\n\n### Process Access Permissions\nUsers must have permissions to kill the process.  On Unix-like systems, either root or the process user can kill the process.  On Windows systems, process permissions are managed separately via process security tokens.\n\n### Process Resource Handles\n\n#### Terminating Processes with Open Resource Handles\n\nProcesses may have open resource handles, which could leave those resources in an undesired state if the process is forced to terminate.  As such, most operating systems provide a means to send a signal to a process to inform it to gracefully terminate, and on most of these operating systems, it is the typical first step used to terminate a process.\n\n#### Signal Traps\nAs the process may have open resource handles, commonly-used methods of process termination involve sending a signal to the process to terminate.\nOn Windows, the `ExitProcess()` function is used for this purpose.  Process instructions, as well as a third-party DLL can also cause the process to exit.\nOn Linux, the process is sent a signal on the occurrence of various events: when it loses the console, `SIGHUP`; when termination is requested, `SIGTERM`.  The processor then redirects execution to the function registered to handle the signal.\n\nTherefore, sending a signal to the process to ask it to terminate may not always work.\n\n##### Avoiding Signal Traps\n\nOn Unix-like systems, sending the `SIGKILL` signal for a process does not send a message to the process or invoke an implementation-defined handler; instead, it immediately does not allow the process to execute any further processor instructions.   
On Windows `TerminateProcess()` instead of `ExitProcess()` performs the equivalent.\n\n#### Hang on System Call Execution\n\nEven still, as the operating system kernel manages the processes, kernel code may block process signals, including those which cannot be trapped, and does in certain circumstances.  Signals are blocked and queued for the duration of the system call when interrupting the system call would result in a kernel invariant being violated, such as when an action results in a malformed data structure; this blocking is common for filesystem requests.  Such system calls can hang when a filesystem has gone offline, leading to a long-term uninterruptible sleep, represented in POSIX command `ps` output as D state.\nAny malicious system calls or system call handlers are issues of a much larger problem (a kernel-level rootkit) and the system should be redeployed entirely or restored from a backup known to be prior to compromise, and other systems accessible directly and indirectly from that one should also be examined.\n\nA process that is truly hung in a system call may prevent the system from shutting down and leave it in an unresponsive state; a hard power off is required.\n\nTo speed up the action of terminating a process in uninterruptible sleep, the process resource accesses (handles) could be analyzed.\n\nOn Linux, [`sync` followed by `echo 3 > /proc/sys/vm/drop_caches`](https://www.kernel.org/doc/Documentation/sysctl/vm.txt) is a safe way to free up some inactive resource handles.\n\n\n#### Kernel Processes and Threads\nThe kernel may not allow kernel processes, which are created via methods other than user-space processes, to be terminated.\n\n#### Other Code using the Process\n\nTerminating a shared library can lead to unexpected errors; such shared libraries have their own mechanisms for termination.\n\nOn Windows, a DLL is unloaded when the reference count of the library reaches 0.\n\n#### Zombie process\n\nAfter a process has been terminated, it 
may still take up an entry in the operating system process table until another event occurs.\n\n##### Windows\nIn Windows, a process object is deleted when the last handle to the process is closed.\n\n##### Linux\nIn Linux, a process is removed from the process table when it is reaped by its parent process.  If the parent terminates, historically the parent has been changed to pid 1; however, in the Linux kernel 3.4 and above, processes can set a different process as the subreaper using the `prctl()` system call.\n\nZombie processes and hung processes could be resolved with a restart of the system.\n\n#### System restart\nFinally a system restart might be required to kill a process.\nSystems which are only accessible via a remote in-band connection may become inaccessible if a process termination operation that is necessary for reboot does not complete.\n\n### Subsystems\nProcesses that are started in a subsystem might not be fully terminated if they are terminated using the command for that subsystem.  For example, in the Windows Subsystem for Linux (WSL), processes started and terminated via WSL calls such as with the `kill` command in Bash may still have an entry in the Windows process table.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP"
        },
        {
          "@id": "d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc"
        }
      ],
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Process Termination",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:Neec53d01c8ac45e4bcb1d06b90ab0dea"
        }
      ]
    },
    {
      "@id": "_:Neec53d01c8ac45e4bcb1d06b90ab0dea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-115",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-115",
      "rdfs:label": "Misinterpretation of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8613089B1"
      },
      "d3f:kb-abstract": "A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.",
      "d3f:kb-author": "Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe Francois Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.",
      "d3f:kb-organization": "Cloudflare Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Identifying a denial-of-service attack in a cloud-based proxy service",
      "rdfs:label": "Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudflare Inc."
    },
    {
      "@id": "d3f:CWE-235",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-235",
      "rdfs:label": "Improper Handling of Extra Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:T1586.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586.001",
      "rdfs:label": "Social Media Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1586"
      }
    },
    {
      "@id": "d3f:T1102.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.001",
      "rdfs:label": "Dead Drop Resolver",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:Software",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Computer software, or simply software, is that part of a computer system that consists of encoded information or computer instructions, in contrast to the physical hardware from which the system is built.",
      "d3f:instructs": {
        "@id": "d3f:Process"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Software"
      },
      "rdfs:label": "Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nbb97a3415de14655ae9a67e95c7499af"
        },
        {
          "@id": "_:Nd642e5cc3ff945c69612fccc12e7df14"
        },
        {
          "@id": "_:N145318b7c6cd4331aa38b46437067f3a"
        }
      ]
    },
    {
      "@id": "_:Nbb97a3415de14655ae9a67e95c7499af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nd642e5cc3ff945c69612fccc12e7df14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implements"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:N145318b7c6cd4331aa38b46437067f3a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CCICatalog_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ControlCorrelationIdentifierCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://public.cyber.mil/stigs/cci/"
      },
      "d3f:has-member": [
        {
          "@id": "d3f:CCI-000015_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000016_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000017_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000018_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000020_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000022_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000025_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000027_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000029_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000030_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000032_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000034_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000035_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000037_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000040_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000044_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000047_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000056_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000057_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000058_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000060_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000066_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000067_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000068_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000071_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000139_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000143_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000144_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000162_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000163_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000164_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000185_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000186_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000187_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000192_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000193_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000194_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000195_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000196_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000197_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000198_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000199_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000200_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000205_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000213_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000218_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000219_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000226_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000346_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000352_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000374_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000381_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000382_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000386_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000417_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000663_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000764_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000765_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000766_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000767_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000768_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000771_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000772_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000774_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000776_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000804_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000831_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000877_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000880_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000884_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000888_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001009_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001019_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001067_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001069_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001082_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001083_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001084_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001085_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001086_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001087_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001089_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001090_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001092_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001094_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001096_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001100_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001109_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001111_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001115_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001117_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001118_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001124_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001125_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001127_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001128_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001133_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001144_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001145_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001146_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001147_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001150_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001166_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001169_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001170_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001178_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001185_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001199_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001200_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001210_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001211_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001233_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001237_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001239_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001242_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001262_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001297_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001305_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001310_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001350_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001352_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001356_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001368_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001372_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001373_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001374_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001376_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001377_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001399_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001400_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001401_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001403_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001404_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001405_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001414_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001424_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001425_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001426_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001427_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001428_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001436_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001452_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001453_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001454_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001493_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001494_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001495_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001496_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001499_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001555_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001556_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001557_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001574_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001589_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001619_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001632_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001662_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001668_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001677_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001682_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001683_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001684_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001685_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001686_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001695_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001744_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001749_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001762_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001764_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001767_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001774_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001811_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001812_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001813_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001855_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001858_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001936_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001937_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001941_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001953_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001954_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001957_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001991_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002005_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002009_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002010_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002015_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002016_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002041_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002145_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002165_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002169_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002178_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002179_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002201_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002205_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002207_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002211_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002218_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002233_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002235_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002238_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002262_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002263_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002264_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002272_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002277_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002281_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002282_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002283_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002284_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002289_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002290_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002302_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002306_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002307_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002308_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002309_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002322_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002346_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002347_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002353_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002355_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002357_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002358_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002359_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002361_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002363_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002364_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002381_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002382_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002384_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002385_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002394_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002397_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002400_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002403_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002409_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002411_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002420_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002421_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002422_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002423_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002425_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002426_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002460_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002462_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002463_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002464_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002465_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002466_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002467_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002468_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002470_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002475_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002476_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002530_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002531_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002533_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002536_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002546_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002605_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002607_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002613_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002614_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002617_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002618_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002630_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002631_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002661_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002662_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002684_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002688_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002689_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002690_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002691_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002710_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002711_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002712_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002715_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002716_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002717_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002718_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002723_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002724_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002726_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002729_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002740_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002743_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002746_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002748_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002749_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002771_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002824_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002883_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002890_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002891_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-003014_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-003123_v2022-04-05"
        }
      ],
      "d3f:version": "2022-04-05",
      "rdfs:label": "CCI Catalog v2022-04-05",
      "rdfs:seeAlso": "https://public.cyber.mil/stigs/cci/"
    },
    {
      "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-001/"
      },
      "d3f:kb-abstract": "An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may.\n\nMonitoring SMB write requests still creates some noise, particularly with named pipes. As a result, SMB is now split between writing named pipes and writing other files.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:IPCTrafficAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2014-03-001: SMB Write Request - NamedPipes",
      "rdfs:label": "Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE"
    },
    {
      "@id": "d3f:StackSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:StackFrame"
      },
      "d3f:definition": "The stack segment contains the program stack, a last-in-first-out structure, typically allocated in the higher parts of memory for the process.",
      "rdfs:label": "Stack Segment",
      "rdfs:seeAlso": [
        {
          "@id": "http://dbpedia.org/resource/Data_segment#Stack"
        },
        {
          "@id": "dbr:Call_stack"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "_:Nd3d9619429af435ca3392069c1fc7ab9"
        }
      ]
    },
    {
      "@id": "_:Nd3d9619429af435ca3392069c1fc7ab9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:CWE-229",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-229",
      "rdfs:label": "Improper Handling of Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:T1562.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.009",
      "d3f:disables": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "d3f:SystemConfigurationInitDatabaseRecord"
        }
      ],
      "d3f:may-modify": {
        "@id": "d3f:EndpointHealthBeacon"
      },
      "rdfs:label": "Safe Mode Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N0aea0b3b27d84f4dba4c6a65c2ef0c3b"
        },
        {
          "@id": "_:Nc677991108454eac97320202e88701e5"
        },
        {
          "@id": "_:Na8a9ff983e7e4bbd9c18802db510949b"
        }
      ]
    },
    {
      "@id": "_:N0aea0b3b27d84f4dba4c6a65c2ef0c3b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EndpointSensor"
      }
    },
    {
      "@id": "_:Nc677991108454eac97320202e88701e5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "_:Na8a9ff983e7e4bbd9c18802db510949b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EndpointHealthBeacon"
      }
    },
    {
      "@id": "d3f:CCI-000776_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000776"
    },
    {
      "@id": "d3f:CCI-002016_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002016"
    },
    {
      "@id": "d3f:LinuxELFFile64bit",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "Linux ELF File 64bit"
    },
    {
      "@id": "d3f:M1037",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:NetworkIsolation"
      },
      "rdfs:label": "Filter Network Traffic"
    },
    {
      "@id": "d3f:CWE-52",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-52",
      "rdfs:label": "Path Equivalence: '/multiple/trailing/slash//'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-163"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:OrchestrationController",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ContainerOrchestrationSoftware"
      },
      "d3f:definition": "An orchestration server provides orchestration services that automate the configuration, coordination, and management of computer systems and software.",
      "rdfs:label": "Orchestration Controller",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OrchestrationServer"
        },
        {
          "@id": "_:Na407c29343734d7c827e73ffc1056703"
        }
      ]
    },
    {
      "@id": "_:Na407c29343734d7c827e73ffc1056703",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerOrchestrationSoftware"
      }
    },
    {
      "@id": "d3f:IndirectBranchCallAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:d3fend-id": "D3-IBCA",
      "d3f:definition": "Analyzing vendor-specific branch call recording in order to detect ROP-style attacks.",
      "d3f:kb-article": "## How it works\n\nThis technique is used to detect an attacker attempting to exploit and execute code on a target system's call stack using return-oriented programming (ROP). Modern processors that have the ability to maintain a list of the branching calls, e.g., Intel's Last Branch Recording (LBR), can be used to track and analyze indirect branching calls that are indicative of malicious activity.\n\nIn order to reduce the number of indirect branch calls to analyze to a manageable set, it is assumed that malicious ROP activity will involve the use of system calls.  The technique observes indirect branch calls that are part of paths that lead to system calls; all others are ignored. Branching calls chained together are often referred to as gadgets, and gadgets are often used in ROP attacks. Indirect branch calls that involve a transfer from user-space to kernel-space are of interest for this technique.\n\nIdentification of potential ROP exploit execution includes:\n\n- Inspecting the LBR when a system function call is made\n\n  - The LBR is configured to return only instructions of interest (ret, indirect jmp, indirect calls)\n\n\n- Behavior is analyzed for\n  - Ret instructions that appear to target areas not preceded by the call sites\n  - Sequences of small code fragments that appear to be chained through the indirect branching calls (gadgets)\n\n\n- Of interest are returns that appear to not render control back after calls\n  - Typically, call and ret instructions are paired\n  - Gadgets will appear to have a ret followed by the next instruction of the following gadget\n\n\n## Considerations\n\n* May be operating system dependent since specific system calls are used to scope branching behavior\n* Processors need to support access to a Last Branch Recording list feature\n* The size of the LBR stack can limit the expected size of the analyzed execution stack\n* If the processor does not support LBR then overhead costs for the analysis can be significant",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-IndirectBranchingCalls"
      },
      "rdfs:label": "Indirect Branch Call Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-RFC7208-SenderPolicyFramework-SPF-ForAuthorizingUseOfDomainsInEmail-IETF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc7208"
      },
      "d3f:kb-abstract": "Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the \"MAIL FROM\" of a message or the domain given on the SMTP HELO/EHLO commands.  This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby Administrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.",
      "d3f:kb-author": "S. Kitterman",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email",
      "rdfs:label": "Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETF"
    },
    {
      "@id": "d3f:T1036.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.001",
      "d3f:creates": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Invalid Code Signature",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:Na51ed5003cc34bab92130c637188ec9c"
        }
      ]
    },
    {
      "@id": "_:Na51ed5003cc34bab92130c637188ec9c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:CWE-1119",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1119",
      "rdfs:label": "Excessive Use of Unconditional Branching",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:Reference-PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://arxiv.org/abs/1611.007911"
      },
      "d3f:kb-abstract": "Various families of malware use domain generation algorithms (DGAs) to generate a large number of pseudo-random domain names to connect to a command and control (C&C) server. In order to block DGA C&C traffic, security organizations must first discover the algorithm by reverse engineering malware samples, then generating a list of domains for a given seed. The domains are then either preregistered or published in a DNS blacklist. This process is not only tedious, but can be readily circumvented by malware authors using a large number of seeds in algorithms with multivariate recurrence properties (e.g., banjori) or by using a dynamic list of seeds (e.g., bedep). Another technique to stop malware from using DGAs is to intercept DNS queries on a network and predict whether domains are DGA generated. Such a technique will alert network administrators to the presence of malware on their networks. In addition, if the predictor can also accurately predict the family of DGAs, then network administrators can also be alerted to the type of malware that is on their networks. This paper presents a DGA classifier that leverages long short-term memory (LSTM) networks to predict DGAs and their respective families without the need for a priori feature extraction. Results are significantly better than state-of-the-art techniques, providing 0.9993 area under the receiver operating characteristic curve for binary classification and a micro-averaged F1 score of 0.9906. In other terms, the LSTM technique can provide a 90% detection rate with a 1:10000 false positive (FP) rate---a twenty times FP improvement over comparable methods. Experiments in this paper are run on open datasets and code snippets are provided to reproduce the results.",
      "d3f:kb-author": "Jonathan Woodbridge, Hyrum S. Anderson, Anjum Ahuja, Daniel Grant",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks",
      "rdfs:label": "Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks"
    },
    {
      "@id": "d3f:CWE-695",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-695",
      "rdfs:label": "Use of Low-Level Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:MemoryProtectionUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Memory Protection Unit",
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessorComponent"
      }
    },
    {
      "@id": "dcterms:license",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "license"
    },
    {
      "@id": "d3f:Alias",
      "@type": "owl:Class",
      "d3f:definition": "In macOS, an alias is a small file that represents another object in a local, remote, or removable file system and provides a dynamic link to it; the target object may be moved or renamed, and the alias will still link to it (unless the original file is recreated; such an alias is ambiguous and how it is resolved depends on the version of macOS).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Alias_(Mac_OS)"
      },
      "rdfs:label": "Alias",
      "rdfs:subClassOf": {
        "@id": "d3f:SlowSymbolicLink"
      }
    },
    {
      "@id": "d3f:Reference-DaggerFactSheet",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.jhuapl.edu/dagger/documents/DaggerFactSheet.pdf"
      },
      "d3f:kb-abstract": "Dagger is a modeling and visualization tool suite that shows how system failures impact mission status. Updated with manual or real-time status, Dagger is used for mission/system planning, situational awareness during mission execution, and course-of-action analysis.",
      "d3f:kb-author": "Jackie Soenneker",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Dagger Fact Sheet",
      "rdfs:label": "Reference - Dagger Fact Sheet"
    },
    {
      "@id": "d3f:UnsupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-UL",
      "d3f:definition": "Unsupervised learning creates relationships with unlabeled data without the input of a human or other outside actor; it uses only input data.",
      "d3f:kb-abstract": "## References\nUnsupervised learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Unsupervised_learning).",
      "rdfs:label": "Unsupervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-244",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-244",
      "rdfs:label": "Improper Clearing of Heap Memory Before Release ('Heap Inspection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:instructed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x instructed-by y: A subject x takes machine instructions from object y.",
      "rdfs:label": "instructed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1591.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.002",
      "rdfs:label": "Business Relationships",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/GB2317539A"
      },
      "d3f:kb-abstract": "Regulating the flow of internetwork connections through a firewall (10) having a network protocol stack (14,16,18) which includes an Internet Protocol (IP) layer (16). A determination is made of the parameters characteristic of a connection request, including a netelement parameter characteristic of where the connection request came from. A query is generated and a determination is made whether there is a rule corresponding to that query. If there is a rule corresponding to the query, a determination is made whether authentication is required by the rule. If authentication is required by the rule, an authentication protocol is activated and the connection is activated if the authentication protocol is completed successfully.",
      "d3f:kb-author": "Edward B Stockwell, Alan E Klietz",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Secure Computing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for internet access",
      "rdfs:label": "Reference - Firewall for internet access - Secure Computing LLC"
    },
    {
      "@id": "d3f:T1188",
      "@type": "owl:Class",
      "d3f:attack-id": "T1188",
      "rdfs:label": "Multi-hop Proxy",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CWE-612",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-612",
      "rdfs:label": "Improper Authorization of Index Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1230"
      }
    },
    {
      "@id": "d3f:CWE-91",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-91",
      "rdfs:label": "XML Injection (aka Blind XPath Injection)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:control-name",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "The control (or control enhancement) name.",
      "rdfs:label": "control-name",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-external-control-data-property"
      }
    },
    {
      "@id": "d3f:Restore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The restore tactic is used to return the system to a better state.",
      "d3f:display-order": 5,
      "d3f:display-priority": 0,
      "rdfs:label": "Restore",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CCI-002614_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002614"
    },
    {
      "@id": "d3f:MicrosoftWordDOTXFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOTX File"
    },
    {
      "@id": "d3f:T1211",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1211",
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Defense Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N8f8d966c893a4c67a9d1d9568dc0975b"
        },
        {
          "@id": "_:N13da7e191fd947909ceea54e854f8f5d"
        }
      ]
    },
    {
      "@id": "_:N8f8d966c893a4c67a9d1d9568dc0975b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N13da7e191fd947909ceea54e854f8f5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7073196B1"
      },
      "d3f:kb-abstract": "The present invention is a device for and method of accessing a network by initializing a database, an approved list, and a disapproved list; receiving an connectionless network packet; computing a flow tag based on the connectionless network packet; discarding the connectionless network packet and returning to the second step if the flow tag is on the disapproved list; allowing access to the network and returning to the second step if the flow tag is on the approved list; comparing the flow tag to the database if the flow tag is not on the approved list or the disapproved list; discarding the connectionless network packet, adding the flow tag to the disapproved list, and returning to the second step if the database rejects the flow tag; and allowing access to the network, adding the flow tag to the approved list, and returning to the second step if the database accepts the flow tag.",
      "d3f:kb-author": "Patrick W. Dowd, John T. McHenry",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for processing a connectionless network packet",
      "rdfs:label": "Reference - Firewall for processing a connectionless network packet - National Security Agency"
    },
    {
      "@id": "d3f:T1080",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1080",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Taint Shared Content",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N58d417eb682248ccada71c1684eaaa70"
        }
      ]
    },
    {
      "@id": "_:N58d417eb682248ccada71c1684eaaa70",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:Semi-supervisedPre-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSPT",
      "d3f:definition": "Pre-training methods aim to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Pre-training",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:CWE-1039",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1039",
      "rdfs:label": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-693"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:available",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date that the resource became or will become available.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date available"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:T1206",
      "@type": "owl:Class",
      "d3f:attack-id": "T1206",
      "rdfs:label": "Sudo Caching",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1332",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1332",
      "rdfs:label": "Improper Handling of Faults that Lead to Instruction Skips",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:SoftwareService",
      "@type": "owl:Class",
      "rdfs:label": "Software Service",
      "rdfs:subClassOf": {
        "@id": "d3f:Service"
      },
      "skos:altLabel": "SaaS"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Removal of Previous Versions of Software and Firmware",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PeripheralFirmwareVerification"
        },
        {
          "@id": "d3f:SoftwareUpdate"
        },
        {
          "@id": "d3f:SystemFirmwareVerification"
        }
      ],
      "rdfs:label": "SI-2(6)"
    },
    {
      "@id": "d3f:T1095",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1095",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Non-Application Layer Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nf13f1e0ce1a446709c163e5005814992"
        }
      ]
    },
    {
      "@id": "_:Nf13f1e0ce1a446709c163e5005814992",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1562.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.001",
      "d3f:disables": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "rdfs:label": "Disable or Modify Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Nad6cf08754bd4b34af6efbc0ea30b7ff"
        }
      ]
    },
    {
      "@id": "_:Nad6cf08754bd4b34af6efbc0ea30b7ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "d3f:CWE-508",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-508",
      "rdfs:label": "Non-Replicating Malicious Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-507"
      }
    },
    {
      "@id": "d3f:CWE-333",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-333",
      "rdfs:label": "Improper Handling of Insufficient Entropy in TRNG",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-331"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:T1218.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.012",
      "rdfs:label": "Verclsid",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:Reference-ServiceOutlierExecutables_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-09-005/"
      },
      "d3f:kb-abstract": "New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-09-005: Service Outlier Executables",
      "rdfs:label": "Reference - CAR-2013-09-005: Service Outlier Executables - MITRE"
    },
    {
      "@id": "d3f:CWE-44",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-44",
      "rdfs:label": "Path Equivalence: 'file.name' (Internal Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:T1563",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RemoteSession"
      },
      "d3f:attack-id": "T1563",
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "Remote Service Session Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N4ea3380895e94a85b7de42dcbab8e780"
        },
        {
          "@id": "_:N61cf94e30e1c4807b95ddd67772cf680"
        }
      ]
    },
    {
      "@id": "_:N4ea3380895e94a85b7de42dcbab8e780",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemoteSession"
      }
    },
    {
      "@id": "_:N61cf94e30e1c4807b95ddd67772cf680",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:WirelessRouter",
      "@type": "owl:Class",
      "d3f:definition": "A wireless router is a device that performs the functions of a router and also includes the functions of a wireless access point. It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, in a wireless-only LAN, or in a mixed wired and wireless network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Wireless_router"
      },
      "rdfs:label": "Wireless Router",
      "rdfs:seeAlso": "Wireless Access Point",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Router"
        },
        {
          "@id": "d3f:WirelessAccessPoint"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001109_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).",
      "d3f:exactly": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001109"
    },
    {
      "@id": "d3f:PrivilegeEscalationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:PrivilegeEscalation"
      },
      "rdfs:label": "Privilege Escalation Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nd5e1e840be1b4902a4cf1d420f2c482f"
        }
      ]
    },
    {
      "@id": "_:Nd5e1e840be1b4902a4cf1d420f2c482f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivilegeEscalation"
      }
    },
    {
      "@id": "d3f:T1546.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.001",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Change Default File Association",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N03766cd86aec4607b96aef3cc33c4701"
        }
      ]
    },
    {
      "@id": "_:N03766cd86aec4607b96aef3cc33c4701",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-1104",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1104",
      "rdfs:label": "Use of Unmaintained Third Party Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1357"
      }
    },
    {
      "@id": "d3f:PeripheralHubFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a peripheral hub device such as a USB or Firewire hub.",
      "rdfs:label": "Peripheral Hub Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:USB_hub"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "USB Hub Firmware"
    },
    {
      "@id": "d3f:Reference-CyberCommandSystemCYCS",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.mitre.org/research/technology-transfer/technology-licensing/cyber-command-system-cycs"
      },
      "d3f:kb-abstract": "MITRE’s Cyber Command System (CyCS) tool addresses the objective of improved mission assurance in cyberspace by enabling the mapping of mission operations to the network operations that support those missions. This tool provides mission-impact assessment through situational awareness and impact analysis. CyCS addresses mission-assurance challenges for highly distributed enterprise systems of systems through vulnerability, threat, and consequence management.",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Cyber Command System (CYCS)",
      "rdfs:label": "Reference - Cyber Command System (CYCS)"
    },
    {
      "@id": "d3f:CWE-1222",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1222",
      "rdfs:label": "Insufficient Granularity of Address Regions Protected by Register Locks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1220"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Inactivity Logout",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-2(5)"
    },
    {
      "@id": "d3f:CWE-250",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-250",
      "rdfs:label": "Execution with Unnecessary Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-269"
        },
        {
          "@id": "d3f:CWE-657"
        }
      ]
    },
    {
      "@id": "d3f:T1564.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.001",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Hidden Files and Directories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N157e6f75a8414007baae9f79837af2db"
        }
      ]
    },
    {
      "@id": "_:N157e6f75a8414007baae9f79837af2db",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:CCI-002743_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002743"
    },
    {
      "@id": "d3f:NetworkNodeInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-NNI",
      "d3f:definition": "Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:NetworkNode"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on network nodes in their architecture using a variety of administrative and management tools that query network devices and nodes for information.  In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to include host discovery and scanning for active ports and services.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal network node inventorying activities, but would require escalating to admin privileges for most of the operations requiring administrative tools.\n\n## Examples\n* Link-layer discovery\n   * Link-layer Discovery Protocol (LLDP)\n   * Cisco Discovery Protocol (CDP)\n* Application-layer discovery\n   * Simple Network Management Protocol (SNMP) collects MIB information\n   * Web-based Enterprise Management (WBEM) collects CIM information\n      * Windows Management Instrumentation (WMI)\n      * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IEEE-802_1AB-2016"
        },
        {
          "@id": "d3f:Reference-QualysNetworkPassiveSensorGettingStartedGuide"
        },
        {
          "@id": "d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks"
        },
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "d3f:synonym": [
        "System Discovery",
        "System Inventorying"
      ],
      "rdfs:label": "Network Node Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N6d415db1ce6d48e09f5e1fd772a9286c"
        }
      ]
    },
    {
      "@id": "_:N6d415db1ce6d48e09f5e1fd772a9286c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:T1547.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.007",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationFile"
      },
      "rdfs:label": "Re-opened Applications",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Nd53aef011d5b47cb843372ee0817ed5b"
        }
      ]
    },
    {
      "@id": "_:Nd53aef011d5b47cb843372ee0817ed5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:M1035",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:NetworkIsolation"
      },
      "rdfs:label": "Limit Access to Resource Over Network"
    },
    {
      "@id": "d3f:WindowsRegistry",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:WindowsRegistryKey"
      },
      "d3f:definition": "The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interface can all use the registry. The registry also allows access to counters for profiling system performance.",
      "rdfs:isDefinedBy": [
        "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users",
        {
          "@id": "dbr:Windows_Registry"
        }
      ],
      "rdfs:label": "Windows Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabase"
        },
        {
          "@id": "_:N718771f4f33f4e93ad5935a20aae40b0"
        }
      ]
    },
    {
      "@id": "_:N718771f4f33f4e93ad5935a20aae40b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "d3f:terminates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x terminates y: The technique x brings to an end or halts some activity y.",
      "d3f:synonym": "aborts",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00353480-v"
      },
      "rdfs:label": "terminates",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00354493-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:evicts"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170093922A1"
      },
      "d3f:kb-abstract": "A system comprises one or more application containers, each application container including computer-readable instructions and initiated via a container service and isolated using operating system-level virtualization. The system also comprises one or more virtual switches configured to route traffic from the application containers. The system further comprises one or more security containers, each security container configured to transparently intercept traffic from the one or more application containers for analysis of network security. The system further comprises a user interface (UI) container configured to receive configuration settings from a user. The system also comprises an analytics container configured to perform analysis on data received from the one or more security containers. The system also comprises a management container configured to configure settings for the one or more security containers and the analytics container.",
      "d3f:kb-author": "Gang Duan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Neuvector Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:kb-reference-title": "Architecture of transparent network security for application containers",
      "rdfs:label": "Reference - Architecture of transparent network security for application containers - Neuvector Inc"
    },
    {
      "@id": "d3f:T1598.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.003",
      "rdfs:label": "Spearphishing Link",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:T1558.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558.001",
      "d3f:forges": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      },
      "rdfs:label": "Golden Ticket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1558"
        },
        {
          "@id": "_:Ne7124690a6c044b88c990213dc40768d"
        }
      ]
    },
    {
      "@id": "_:Ne7124690a6c044b88c990213dc40768d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      }
    },
    {
      "@id": "d3f:CWE-303",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-303",
      "rdfs:label": "Incorrect Implementation of Authentication Algorithm",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:broader-transitive",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "broader-transitive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_14",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Security or Privacy Policy Filter Constraints",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(14)"
    },
    {
      "@id": "d3f:T1120",
      "@type": "owl:Class",
      "d3f:attack-id": "T1120",
      "rdfs:label": "Peripheral Device Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-402",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-402",
      "rdfs:label": "Transmission of Private Resources into a New Sphere ('Resource Leak')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-004/"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:kb-reference-title": "Reference - CAR-2016-04-004: Successful Local Account Login",
      "rdfs:label": "Reference - CAR-2016-04-004: Successful Local Account Login"
    },
    {
      "@id": "d3f:Reference-AutorunDifferences_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-01-002/"
      },
      "d3f:kb-abstract": "The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.\n\nUtilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-01-002: Autorun Differences",
      "rdfs:label": "Reference - CAR-2013-01-002: Autorun Differences - MITRE"
    },
    {
      "@id": "d3f:CWE-172",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-172",
      "rdfs:label": "Encoding Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:producer",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:produces"
      },
      "rdfs:label": "producer",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:T1009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1009",
      "rdfs:label": "Binary Padding",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-202",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-202",
      "rdfs:label": "Exposure of Sensitive Information Through Data Queries",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1230"
      }
    },
    {
      "@id": "d3f:CWE-579",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-579",
      "rdfs:label": "J2EE Bad Practices: Non-serializable Object Stored in Session",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:CWE-514",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-514",
      "rdfs:label": "Covert Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1229"
      }
    },
    {
      "@id": "d3f:OSAPIPrivateFunction",
      "@type": "owl:Class",
      "rdfs:label": "OS API Private Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:PE32PLUSExecutableFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "PE32+ Executable File"
    },
    {
      "@id": "d3f:FileTransferNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "File transfer network traffic is network traffic related to file transfers between network nodes. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.",
      "rdfs:label": "File Transfer Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:EndpointSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A sensor application installed on an endpoint (platform) to collect information on platform components.",
      "rdfs:label": "Endpoint Sensor",
      "rdfs:seeAlso": "d3f:Platform",
      "rdfs:subClassOf": {
        "@id": "d3f:Sensor"
      }
    },
    {
      "@id": "d3f:T1003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1003",
      "rdfs:label": "OS Credential Dumping",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1619",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudStorage"
      },
      "d3f:attack-id": "T1619",
      "rdfs:label": "Cloud Storage Object Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N9442bfb639cc47a598995d7947cd42f0"
        }
      ]
    },
    {
      "@id": "_:N9442bfb639cc47a598995d7947cd42f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudStorage"
      }
    },
    {
      "@id": "d3f:AccountLocking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialEviction"
      ],
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-AL",
      "d3f:definition": "The process of temporarily disabling user accounts on a system or domain.",
      "d3f:disables": {
        "@id": "d3f:UserAccount"
      },
      "d3f:kb-article": "## How it works\nManagement servers with enterprise policies for account management provide the ability to enable and disable accounts for given rules. The rules may include specific periods of time (e.g., weekend, plant shutdown, leave periods), specific user types or groups, or individual users.\n\n## Considerations\n* Local account caches vs centralized account management\n* Single Sign-on\n* Role based vs Attribute based systems\n\n## Examples of account configuration stores\n* Directory Services\n* Active Directory\n* RADIUS\n* LDAP\n* Oracle User Account Management\n* JumpCloud",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies"
        },
        {
          "@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp"
        }
      ],
      "rdfs:label": "Account Locking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:Ncc28b311540b466eb9a6980727dd0052"
        }
      ]
    },
    {
      "@id": "_:Ncc28b311540b466eb9a6980727dd0052",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1196",
      "@type": "owl:Class",
      "d3f:attack-id": "T1196",
      "rdfs:label": "Control Panel Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:SoftwareInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-SWI",
      "d3f:definition": "Software inventorying identifies and records the software items in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:Software"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on software items in their architecture using a variety of administrative and management tools that query network nodes for information.  In limited cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to determine services responding on network nodes.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal software inventorying activities, but would require escalating to admin privileges for most of the operations requiring administrative tools.\n\n## Examples\n\nApplication-layer discovery:\n\n* Simple Network Management Protocol (SNMP) collects MIB information\n* Web-based Enterprise Management (WBEM) collects CIM information\n   * Windows Management Instrumentation (WMI)\n   * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "d3f:synonym": [
        "Software Discovery",
        "Software Inventorying"
      ],
      "rdfs:label": "Software Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:Nd0e4b6e4eda84142a8734e92072731dc"
        }
      ]
    },
    {
      "@id": "_:Nd0e4b6e4eda84142a8734e92072731dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:CWE-72",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-72",
      "rdfs:label": "Improper Handling of Apple HFS+ Alternate Data Stream Path",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:AdministrativeNetworkActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ANAA",
      "d3f:definition": "Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.",
      "d3f:kb-article": "## How it works\nNetwork protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine if the use of remote protocols is malicious. Attackers can abuse administrative protocols and leverage them for initial access to various endpoints. For example, an attacker with valid credentials will remotely SSH or RDP into a server and attempt to blend in with existing traffic from system administrators. By monitoring the traffic activity, it is possible to detect when the protocols are behaving differently from a known baseline of system administration activity.\n\n## Considerations\n* Administrative traffic can be encrypted, making network protocol analysis a challenge\n* False alarms can be mitigated by integration with inventory management systems",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc"
        },
        {
          "@id": "d3f:Reference-RemoteRegistry_MITRE"
        },
        {
          "@id": "d3f:Reference-WindowsRemoteManagement_WinRM_MITRE"
        }
      ],
      "rdfs:label": "Administrative Network Activity Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N381969dbd1824ab4b8f0f2e35f36f2e3"
        }
      ]
    },
    {
      "@id": "_:N381969dbd1824ab4b8f0f2e35f36f2e3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:author",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "author",
      "rdfs:subPropertyOf": {
        "@id": "d3f:creator"
      }
    },
    {
      "@id": "d3f:IntegratedHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyEnvironment"
      ],
      "d3f:d3fend-id": "D3-IHN",
      "d3f:definition": "The practice of setting decoys in a production environment to entice interaction from attackers.",
      "d3f:kb-article": "## How it works\nIntegrated honeynets use full production environments connected to the enterprise network, that utilize computing resources or software that attract attackers, and allow full interaction and access that provides a complete view of an attack.\n\n## Considerations\nAn attacker with control of a system on an Integrated Honeynet could:\n* try to attack other connected hosts on the network, its IP range of internal hosts not properly configured to react to connections from machines on the integrated honeynet, or position behind the firewall.\n* exploit its position by eavesdropping on network traffic\n* stop the processes used to log an attack without setting off any alarms. [1]\n\n1. Honeypots for Windows, Roger Grimes, 2005",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:IntranetNetwork"
      },
      "rdfs:label": "Integrated Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:Nd0c6f3467a7e4e819f67e4e5cdcfbe80"
        }
      ]
    },
    {
      "@id": "_:Nd0c6f3467a7e4e819f67e4e5cdcfbe80",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:CWE-1389",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1389",
      "rdfs:label": "Incorrect Parsing of Numbers with Different Radices",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:PrincipalComponentAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCA",
      "d3f:definition": "Principal components analysis (PCA) creates a new set of orthogonal variables that contain the same information as the original set. It rotates the axes of variation to give a new set of orthogonal axes, ordered so that they summarize decreasing proportions of the variation.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "d3f:synonym": "PCA",
      "rdfs:label": "Principal Component Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:MultivariateAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-1300",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1300",
      "rdfs:label": "Improper Protection of Physical Side Channels",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:KerberosTicket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An access ticket/token issued by a Kerberos system.",
      "rdfs:label": "Kerberos Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:CWE-825",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-825",
      "rdfs:label": "Expired Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "d3f:CWE-672"
        }
      ]
    },
    {
      "@id": "d3f:filters",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x filters y: A technique or agent x removes some specified set of entities from the content of a digital artifact y, by passing an artifact's content through a filter.  A filter is a device that removes something from whatever passes through it.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01461293-v"
      },
      "rdfs:label": "filters",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/03344588-n"
        },
        {
          "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/Filter"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:isolates"
        }
      ]
    },
    {
      "@id": "d3f:CWE-580",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-580",
      "rdfs:label": "clone() Method Without super.clone()",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-664"
        }
      ]
    },
    {
      "@id": "d3f:T1574.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.009",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Path Interception by Unquoted Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N8e3eaa7fbfc1428d84202c35bc5a64fa"
        }
      ]
    },
    {
      "@id": "_:N8e3eaa7fbfc1428d84202c35bc5a64fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1022",
      "@type": "owl:Class",
      "d3f:attack-id": "T1022",
      "rdfs:label": "Data Encrypted",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:T1596.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.001",
      "rdfs:label": "DNS/Passive DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "_:N0a378ffaeb074de4879e034e31fea297",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:GeometricMean"
          },
          {
            "@id": "d3f:HarmonicMean"
          },
          {
            "@id": "d3f:Mean"
          },
          {
            "@id": "d3f:Median"
          },
          {
            "@id": "d3f:Mode"
          },
          {
            "@id": "d3f:TrimmedMean"
          },
          {
            "@id": "d3f:WeightedMean"
          }
        ]
      }
    },
    {
      "@id": "d3f:T1608.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.003",
      "rdfs:label": "Install Digital Certificate",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:HardDiskFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a hard disk device.",
      "rdfs:label": "Hard Disk Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:Hard_disk_drive"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Hard Drive Firmware"
    },
    {
      "@id": "d3f:OWL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-OWL",
      "d3f:definition": "The Web Ontology Language (OWL) is a family of knowledge representation languages for authoring ontologies.",
      "d3f:kb-article": "## How it works\nOntologies are a formal way to describe taxonomies and classification networks, essentially defining the structure of knowledge for various domains: the nouns representing classes of objects and the verbs representing relations between the objects.\n\nThe OWL languages are characterized by formal semantics. They are built upon the World Wide Web Consortium's (W3C) standard for objects called the Resource Description Framework (RDF). OWL classes correspond to description logic (DL) _concepts_, OWL properties to DL _roles_, and individuals are named the same way in OWL and other DLs.\n\n## References\n1. Web Ontology Language. (2023, April 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Web_Ontology_Language)",
      "d3f:synonym": "Web Ontology Language",
      "rdfs:label": "OWL",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptionLogic"
      }
    },
    {
      "@id": "d3f:ContainerImageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetVulnerabilityEnumeration"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ContainerImage"
      },
      "d3f:d3fend-id": "D3-CIA",
      "d3f:definition": "Analyzing a Container Image with respect to a set of policies.",
      "d3f:kb-article": "## How it works\n\nContainer images are standalone collections of the executable code and\ncontent that are used to populate a container environment.\nThey are usually created by either building a container from scratch or by\nbuilding on top of an existing image pulled from a repository.\n\nThroughout the container build workflow,\nimages should be scanned to identify:\n\n- outdated libraries,\n- known vulnerabilities,\n- or misconfigurations, such as insecure ports or permissions.\n\nScanning should also provide the flexibility to disregard false positives\nfor vulnerability detection where knowledgeable\ncybersecurity professionals have deemed alerts to be inaccurate.\n\nOne approach to implementing image scanning is to use an admission controller\nto block deployments if the image does not comply with the organization's\nsecurity policies.\n\nAn admission controller is a Container Orchestration feature that can intercept and\nprocess requests to the Container Orchestration API prior to persistence of the object,\nbut after the request is authenticated and authorized.\nA webhook can be implemented to scan any image before it is deployed in the orchestrator.\nThis admission controller\n\n## Considerations\n\n* Image scanning is key to ensuring deployed containers are secure.\n* Using trusted repositories to build containers is a critical part of the container build workflow.\n* This technique does not necessarily prevent the build process from adding insecure or unsecured\n  files to the Image.\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ContainerImageAnalysis"
      },
      "d3f:synonym": "Container Image Scanning",
      "rdfs:label": "Container Image Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetVulnerabilityEnumeration"
        },
        {
          "@id": "_:Ne1f344e4ea6646a0804d9824c4bf0d19"
        }
      ]
    },
    {
      "@id": "_:Ne1f344e4ea6646a0804d9824c4bf0d19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:T1590.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.005",
      "rdfs:label": "IP Addresses",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:MemoryAllocationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reserves memory for a running process to use.",
      "d3f:invokes": {
        "@id": "d3f:AllocateMemory"
      },
      "rdfs:label": "Memory Allocation Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N0a59ab2526ce4bd9878042d368098567"
        }
      ]
    },
    {
      "@id": "_:N0a59ab2526ce4bd9878042d368098567",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AllocateMemory"
      }
    },
    {
      "@id": "d3f:T1538",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudConfiguration"
      },
      "d3f:attack-id": "T1538",
      "rdfs:label": "Cloud Service Dashboard",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nca0c043da67d42a388dc22b8e645e4e6"
        }
      ]
    },
    {
      "@id": "_:Nca0c043da67d42a388dc22b8e645e4e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-167",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-167",
      "rdfs:label": "Improper Handling of Additional Special Element",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:FileCreationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemCallAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:CreateFile"
      },
      "d3f:d3fend-id": "D3-FCA",
      "d3f:definition": "Analyzing the properties of file create system call invocations.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-001%3AScheduledTask-FileAccess_MITRE"
        }
      ],
      "rdfs:label": "File Creation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCallAnalysis"
        },
        {
          "@id": "_:N365de81019c1408bbd1c20a6173fc56c"
        }
      ]
    },
    {
      "@id": "_:N365de81019c1408bbd1c20a6173fc56c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:T1591.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.001",
      "rdfs:label": "Determine Physical Locations",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:attack-kb-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x attack-kb-annotation y: The offensive technique x has the kb annotation of y.",
      "rdfs:domain": {
        "@id": "d3f:OffensiveTechnique"
      },
      "rdfs:label": "attack-kb-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-1229",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1229",
      "rdfs:label": "Creation of Emergent Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1595.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.003",
      "rdfs:label": "Wordlist Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Security and Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(8)"
    },
    {
      "@id": "d3f:T1053.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053.005",
      "d3f:definition": "Renamed from ATT&CK to be consistent with at, launchd, cron siblings; name as is looks like parent.  Not sure why parent is not just Scheduled Task [Execution[.",
      "d3f:executes": {
        "@id": "d3f:ScheduledJob"
      },
      "rdfs:label": "Schtasks Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1053"
        },
        {
          "@id": "_:N51e26cd785b1415683b9856fc224c9c1"
        }
      ]
    },
    {
      "@id": "_:N51e26cd785b1415683b9856fc224c9c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "d3f:CWE-532",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-532",
      "rdfs:label": "Insertion of Sensitive Information into Log File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:CWE-618",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-618",
      "rdfs:label": "Exposed Unsafe ActiveX Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-749"
      }
    },
    {
      "@id": "d3f:ARMA_Model",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:TimeSeriesAnalysis"
      ],
      "d3f:d3fend-id": "D3-ARMA",
      "d3f:definition": "Autoregressive-moving-average (ARMA) models provide a parsimonious description of a (weakly) stationary stochastic process in terms of two polynomials, one for the autoregression (AR) and the second for the moving average (MA).",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive-moving-average model. [Link](https://en.wikipedia.org/wiki/Autoregressive%E2%80%93moving-average_model)",
      "d3f:synonym": "Autoregressive moving average model",
      "rdfs:label": "ARMA Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "http://d3fend.mitre.org/ontologies/d3fend.owl",
      "@type": "owl:Ontology",
      "d3f:release-date": {
        "@type": "xsd:dateTime",
        "@value": "2024-01-26T00:00:00+00:00"
      },
      "dcterms:description": "D3FEND is a framework which encodes a countermeasure knowledge base as a knowledge graph. The graph contains the types and relations that define key concepts in the cybersecurity countermeasure domain and the relations necessary to link those concepts to each other. Each of these concepts and relations are linked to references in the cybersecurity literature.",
      "dcterms:license": "MIT",
      "dcterms:title": "D3FEND™ - A knowledge graph of cybersecurity countermeasures",
      "owl:versionIRI": {
        "@id": "http://d3fend.mitre.org/ontologies/d3fend/0.14.0/d3fend.owl"
      },
      "owl:versionInfo": "0.14.0",
      "rdfs:comment": "Use of the D3FEND Knowledge Graph, and the associated references from this ontology are subject to the Terms of Use. D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. D3FEND™ and the D3FEND logo are trademarks of The MITRE Corporation. This software was produced for the U.S. Government under Basic Contract No. W56KGU-18-D0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012) Copyright 2022 The MITRE Corporation."
    },
    {
      "@id": "d3f:Reference-CatiaUAFPlugin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.3ds.com/products-services/catia/products/no-magic/addons/uaf-plugin/"
      },
      "d3f:kb-abstract": "MagicDraw offers the most robust standards compliant [Unified Architecture Framework (UAF)], DoDAF 2.0, MODAF 1.2, NAF 3, and NAF 4 via a UAF standardized solution. And what's more, No Magic fully supports all architectural framework products ensuring you achieve project results. No Magic also leads the industry in usability and interoprability, ensuring that you avoid unnecessary cost, schedule and performance risk.",
      "d3f:kb-organization": "Dassault Systemes",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "d3f:OperationalDependencyMapping"
        },
        {
          "@id": "d3f:OrganizationMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Catia UAF Plugin",
      "rdfs:label": "Reference - Catia UAF Plugin"
    },
    {
      "@id": "d3f:CCI-000015_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to support the information system account management functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000015"
    },
    {
      "@id": "d3f:T1135",
      "@type": "owl:Class",
      "d3f:attack-id": "T1135",
      "rdfs:label": "Network Share Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:expected-latency",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "expected-latency",
      "rdfs:range": {
        "@id": "_:Nd695da69019d489abbd30cc77ee2f245"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:latency"
      }
    },
    {
      "@id": "_:Nd695da69019d489abbd30cc77ee2f245",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:latency"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Latency"
      }
    },
    {
      "@id": "d3f:CCI-002005_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:BiometricAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002005"
    },
    {
      "@id": "d3f:InitScript",
      "@type": "owl:Class",
      "d3f:definition": "An init script (or initialization script) is an executable script that initializes the an application, a process, or a service's state.  Examples include scripts run at boot by Unix or Windows, or those run to initialize a shell.",
      "rdfs:label": "Init Script",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Init"
        },
        {
          "@id": "https://blog.opstree.com/2020/02/11/shell-initialization-files/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      },
      "skos:altLabel": "Initialization Script"
    },
    {
      "@id": "d3f:Model-basedValueIteration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBVI",
      "d3f:definition": "Value Iteration effectively reducesthe evaluation stage down to a single sweep of the states. Additionally, to improve things further, it combines the Policy Evaluation and Policy Improvement stages into a single update.",
      "d3f:kb-article": "## References\nPolicy and Value Iteration. Towards Data Science.  [Link](https://towardsdatascience.com/policy-and-value-iteration-78501afb41d2).",
      "d3f:synonym": "MBVI",
      "rdfs:label": "Model-based Value Iteration",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:CCI-001557_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system tracks problems associated with the information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001557"
    },
    {
      "@id": "d3f:CWE-111",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-111",
      "rdfs:label": "Direct Use of Unsafe JNI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:CWE-155",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-155",
      "rdfs:label": "Improper Neutralization of Wildcards or Matching Symbols",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1096",
      "@type": "owl:Class",
      "d3f:attack-id": "T1096",
      "rdfs:label": "NTFS File Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Collection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 9,
      "rdfs:label": "Collection",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CCI-002546_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002546"
    },
    {
      "@id": "d3f:CWE-460",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-460",
      "rdfs:label": "Improper Cleanup on Thrown Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-459"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:T1562",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562",
      "rdfs:label": "Impair Defenses",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-26",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-26",
      "rdfs:label": "Path Traversal: '/dir/../filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:CWE-146",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-146",
      "rdfs:label": "Improper Neutralization of Expression/Command Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:CWE-367",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-367",
      "rdfs:label": "Time-of-check Time-of-use (TOCTOU) Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:ProductDeveloper",
      "@type": "owl:Class",
      "rdfs:label": "Product Developer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Provider"
        },
        {
          "@id": "_:N82f44eeb7cb248cdb57a12085ce97aa5"
        }
      ]
    },
    {
      "@id": "_:N82f44eeb7cb248cdb57a12085ce97aa5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Product"
      }
    },
    {
      "@id": "d3f:seller",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:sells"
      },
      "rdfs:label": "seller",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:HeterogeneousAsymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HAFBTL",
      "d3f:definition": "Asymmetric transformation mapping  transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Asymmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HeterogeneousTransferLearning"
      }
    },
    {
      "@id": "d3f:T1086",
      "@type": "owl:Class",
      "d3f:attack-id": "T1086",
      "rdfs:label": "PowerShell",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10079749B2/en"
      },
      "d3f:kb-abstract": "Various embodiments pertain to communication network systems. In particular, various embodiments relate to multi-path probing in communication network systems that can be used to estimate the complete topology of the network. A method includes receiving data at a source node from a tracerouting probe in a network. The data includes information about at least one network node. The method also includes determining an identification for the at least one network node based on information. In addition, the method includes using the identification of the at least one network node to determine an identification of at least one device.",
      "d3f:kb-author": "Tomas KUBIK, Lan Li, Tomas RYBKA, Karlo ZATYLNY, Chris O'Brien",
      "d3f:kb-organization": "SolarWinds Worldwide LLC",
      "d3f:kb-reference-title": "Identification of traceroute nodes and associated devices",
      "rdfs:label": "Reference - Identification of traceroute nodes and associated devices"
    },
    {
      "@id": "d3f:CCI-001094_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001094"
    },
    {
      "@id": "d3f:CCI-002347_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAccessPatternAnalysis"
        },
        {
          "@id": "d3f:InputDeviceAnalysis"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002347"
    },
    {
      "@id": "d3f:SystemCallFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Kernel-basedProcessIsolation"
      ],
      "d3f:d3fend-id": "D3-SCF",
      "d3f:definition": "Configuring a kernel to use an allow or deny list to filter kernel api calls.",
      "d3f:filters": {
        "@id": "d3f:SystemCall"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-OverviewOfTheSeccompSandbox"
      },
      "rdfs:label": "System Call Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        },
        {
          "@id": "_:N37b68abb88814af486bccf79d0792a04"
        }
      ]
    },
    {
      "@id": "_:N37b68abb88814af486bccf79d0792a04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-1287",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1287",
      "rdfs:label": "Improper Validation of Specified Type of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:RegressionAnalysisLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RAL",
      "d3f:definition": "Regression is used to understand the relationship between dependent and independent variables which is then used to make projections, such as for sales revenue for a given business.",
      "d3f:kb-article": "## References\nSupervised Learning. IBM. [Link](https://www.ibm.com/topics/supervised-learning).",
      "rdfs:label": "Regression Analysis Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:SupervisedLearning"
      }
    },
    {
      "@id": "d3f:ApplicationShim",
      "@type": "owl:Class",
      "d3f:definition": "An application shim adapts an application program to run on a version of a platform for which they were not originally created. Most commonly \"Application Shimming\" refers to use of The Windows Application Compatibility Toolkit (ACT) provides backward compatibility by simulating the behavior of older version of Windows.",
      "rdfs:label": "Application Shim",
      "rdfs:seeAlso": [
        {
          "@id": "http://dbpedia.org/resource/Shim_(computing)#Examples"
        },
        "d3f:Shim"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Shim"
      }
    },
    {
      "@id": "d3f:T1552.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1552.007",
      "rdfs:label": "Container API",
      "rdfs:subClassOf": {
        "@id": "d3f:T1552"
      }
    },
    {
      "@id": "d3f:may-counter-attack",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-counter-attack",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-tactically-associated-with"
      }
    },
    {
      "@id": "d3f:PrintServer",
      "@type": "owl:Class",
      "d3f:definition": "A print server, or printer server, is a device that connects printers to client computers over a network. It accepts print jobs from the computers and sends the jobs to the appropriate printers, queuing the jobs locally to accommodate the fact that work may arrive more quickly than the printer can actually handle.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Print_server"
      },
      "rdfs:label": "Print Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-174",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-174",
      "rdfs:label": "Double Decoding of the Same Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-172"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:suspends",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x suspends y: The agent or technique x pauses entity y.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/00543748-v",
      "rdfs:label": "suspends",
      "rdfs:subPropertyOf": {
        "@id": "d3f:evicts"
      }
    },
    {
      "@id": "d3f:CCI-001744_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001744"
    },
    {
      "@id": "d3f:T1574.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.005",
      "d3f:modifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Executable Installer File Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N8a99ef4760b7486b9e1df73ef041fa0d"
        }
      ]
    },
    {
      "@id": "_:N8a99ef4760b7486b9e1df73ef041fa0d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:VersionControlTool",
      "@type": "owl:Class",
      "d3f:definition": "Version control tools are tools that used to conduct version control. A  component of software configuration management, version control, also known as revision control, source control, or source code management systems are systems responsible for the management of changes to documents, computer programs, large web sites, and other collections of information. Changes are usually identified by a number or letter code, termed the \"revision number\", \"revision level\", or simply \"revision\". For example, an initial set of files is \"revision 1\". When the first change is made, the resulting set is \"revision 2\", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Version_control"
      },
      "rdfs:label": "Version Control Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Software_configuration_management"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": [
        "Revision Control",
        "Source Control"
      ]
    },
    {
      "@id": "d3f:T1601.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601.002",
      "rdfs:label": "Downgrade System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1601"
      }
    },
    {
      "@id": "d3f:Point-biserialCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBCC",
      "d3f:definition": "The point biserial correlation coefficient (rpb) is a correlation coefficient used when one variable (e.g. Y) is dichotomous; Y can either be \"naturally\" dichotomous, like whether a coin lands heads or tails, or an artificially dichotomized variable.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Point-biserial correlation coefficient. [Link](https://en.wikipedia.org/wiki/Point-biserial_correlation_coefficient)",
      "rdfs:label": "Point-biserial Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:NetworkTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:d3fend-id": "D3-NTF",
      "d3f:definition": "Restricting network traffic originating from any location.",
      "d3f:filters": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
        },
        {
          "@id": "d3f:Reference-FWTK-FirewallToolkit_"
        },
        {
          "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp"
        },
        {
          "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd"
        },
        {
          "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC"
        }
      ],
      "rdfs:label": "Network Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N2ea74713e8e44bb699dfbd811e29521c"
        }
      ]
    },
    {
      "@id": "_:N2ea74713e8e44bb699dfbd811e29521c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001372_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001372"
    },
    {
      "@id": "d3f:CWE-148",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-148",
      "rdfs:label": "Improper Neutralization of Input Leaders",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-619",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-619",
      "rdfs:label": "Dangling Database Cursor ('Cursor Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-402"
      }
    },
    {
      "@id": "d3f:InboundSessionVolumeAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-ISVA",
      "d3f:definition": "Analyzing inbound network session or connection attempt volume.",
      "d3f:kb-article": "## How it works\nNetwork appliances are configured to alert on certain packets that typically are involved in DoS attacks. Typical packets include ICMP packets and SYN requests that are commonly used to flood networks. A sampling period is used to define a time window in which collected counts of the identified packets can be measured. If the collected number of packets exceeds a predefined limit then an alert is generated.\n\n## Considerations\nScalability as volume of attacks increase; single servers may not have the memory and storage resources to handle high volumes of network traffic.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DetectingDDoSAttackUsingSnort"
        },
        {
          "@id": "d3f:Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc."
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC"
        },
        {
          "@id": "d3f:Reference-ProtectingAgainstDistributedDenialOfServiceAttacks-CiscoTechnologyInc."
        },
        {
          "@id": "d3f:Reference-ProtectingAgainstDistributedNetworkFloodAttacks-JuniperNetworksInc."
        }
      ],
      "rdfs:label": "Inbound Session Volume Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Nf38550a59ef74db19f8f5ea83506ed10"
        }
      ]
    },
    {
      "@id": "_:Nf38550a59ef74db19f8f5ea83506ed10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ChildProcess",
      "@type": "owl:Class",
      "d3f:definition": "A child process in computing is a process created by another process (the parent process). This technique pertains to multitasking operating systems, and is sometimes called a subprocess or traditionally a subtask. There are two major procedures for creating a child process: the fork system call (preferred in Unix-like systems and the POSIX standard) and the spawn (preferred in the modern (NT) kernel of Microsoft Windows, as well as in some historical operating systems).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Child_process"
      },
      "rdfs:label": "Child Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Parent_process"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-6",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-6",
      "rdfs:label": "J2EE Misconfiguration: Insufficient Session-ID Length",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-334"
      }
    },
    {
      "@id": "d3f:CWE-253",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-253",
      "rdfs:label": "Incorrect Check of Function Return Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:Reference-End-to-endCertificatePinning",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9847992B2/en?q=certificate+pinning&oq=certificate+pinning"
      },
      "d3f:kb-abstract": "Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities.",
      "d3f:kb-author": "Tin Zaw, Reed Morrison, Robert J. Peters",
      "d3f:kb-organization": "Verizon Digital Media Services Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "End-to-end Certificate Pinning",
      "rdfs:label": "Reference - End-to-end certificate pinning"
    },
    {
      "@id": "d3f:Server",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called \"clients\". This architecture is called the client-server model. Servers can provide various functionalities, often called \"services\", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers.",
      "d3f:manages": {
        "@id": "d3f:ServiceApplicationProcess"
      },
      "d3f:runs": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Server_(computing)"
      },
      "rdfs:label": "Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Host"
        },
        {
          "@id": "_:N2a87e9f9ceb3474284af9fde2f42c36f"
        },
        {
          "@id": "_:N15c77425a68540b099ffa3f09697ac75"
        }
      ]
    },
    {
      "@id": "_:N2a87e9f9ceb3474284af9fde2f42c36f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "_:N15c77425a68540b099ffa3f09697ac75",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:LogisticRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "Logistic regression is estimating the parameters of a logistic model.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)",
      "rdfs:label": "Logistic Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:CCI-002740_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002740"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Execution with Privilege",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(5)"
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-009/"
      },
      "d3f:kb-abstract": "After compromising a network of systems, threat actors often try to delete Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. Failure to detect this technique, which is often employed by ransomware strains such as “Olympic Destroyer”, may lead to a failure in recovering systems after an attack.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe",
      "rdfs:label": "Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITRE"
    },
    {
      "@id": "d3f:GetSystemNetworkConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get System Network Config Value",
      "rdfs:subClassOf": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "d3f:CWE-45",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-45",
      "rdfs:label": "Path Equivalence: 'file...name' (Multiple Internal Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-165"
        },
        {
          "@id": "d3f:CWE-44"
        }
      ]
    },
    {
      "@id": "d3f:SharedLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A shared library file is a file that is intended to be shared by executable files and further shared library (object) files. Modules used by a program are loaded from individual shared objects into memory at load time or runtime, rather than being copied by a linker when it creates a single monolithic executable file for the program.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Library_(computing)#Shared_libraries"
      },
      "rdfs:label": "Shared Library File",
      "rdfs:subClassOf": {
        "@id": "d3f:ObjectFile"
      },
      "skos:altLabel": [
        "Shared Library",
        "Shared Object"
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-004/"
      },
      "d3f:kb-abstract": "After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe",
      "rdfs:label": "Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITRE"
    },
    {
      "@id": "d3f:UserGeolocationLogonPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-UGLPA",
      "d3f:definition": "Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.",
      "d3f:kb-article": "## How it works\nGeolocation data for each user logon attempt is collected and used to create a baseline user behavior profile. Current geolocation logon data is then compared against the user behavior profile. Logon activity that deviates from normal patterns can help in identifying situations that may be indicative of a remote attacker using stolen credentials. For example:\n\n* logons from locations that are different from where a user usually logs in\n* logons from a location in which an enterprise has no users located\n* logon that is not physically possible given the elapsed time since a logon from another location.\n\n## Considerations\n* Potential for false positives from logon anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their logon behavior enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "User Geolocation Logon Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N3e79f668f24a4b32966ca40ed791a809"
        }
      ]
    },
    {
      "@id": "_:N3e79f668f24a4b32966ca40ed791a809",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001096_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system limits the use of resources by priority.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001096"
    },
    {
      "@id": "d3f:CWE-1193",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1193",
      "rdfs:label": "Power-On of Untrusted Execution Core Before Enabling Fabric Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-696"
      }
    },
    {
      "@id": "d3f:Credential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN), something they have (such as an access badge), something they are (such as a biometric feature), something they do (measurable behavioral patterns) or some combination of these items. This is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer software can also turn users' smartphones into access devices.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Access_control#Credential"
      },
      "rdfs:label": "Credential",
      "rdfs:seeAlso": {
        "@id": "dbr:Access_control"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nf4424b8267ce4bf5ad8f1f2b17db29f1"
        }
      ]
    },
    {
      "@id": "_:Nf4424b8267ce4bf5ad8f1f2b17db29f1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:NetworkInitScriptFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A computer file resource made available from one host to other hosts on a computer network that is also an initialization script.",
      "rdfs:label": "Network Init Script File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitScript"
        },
        {
          "@id": "d3f:NetworkFileResource"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1394",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1394",
      "rdfs:label": "Use of Default Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1392"
      }
    },
    {
      "@id": "d3f:DNSAllowlisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-DNSAL",
      "d3f:definition": "Permitting only approved domains and their subdomains to be resolved.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension"
      },
      "d3f:synonym": "DNS Whitelisting",
      "rdfs:label": "DNS Allowlisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N2a384a0fc2464a29b319dd5c28e8d918"
        }
      ]
    },
    {
      "@id": "_:N2a384a0fc2464a29b319dd5c28e8d918",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:T1048",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Alternative Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:Nf502fbc64cab46c7b4b82d92f483e828"
        }
      ]
    },
    {
      "@id": "_:Nf502fbc64cab46c7b4b82d92f483e828",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Latency",
      "@type": "owl:Class",
      "rdfs:label": "Latency",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:T1547.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.012",
      "rdfs:label": "Print Processors",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:CCI-000764_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:One-timePassword"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000764"
    },
    {
      "@id": "d3f:BuildTool",
      "@type": "owl:Class",
      "d3f:definition": "A tool that automates the process of creating a software build and the associated processes including: compiling computer source code into binary code, packaging binary code, and running automated tests.",
      "rdfs:label": "Build Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Build_automation"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": "Build Automation Tool"
    },
    {
      "@id": "d3f:d3fend-comment",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-comment y: The entity x has a public note written by the D3FEND team about entity y.",
      "rdfs:label": "d3fend-comment",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:Statement",
      "@type": "owl:Class",
      "d3f:definition": "A statement is a proposition that is either (a) a meaningful declarative sentence that is either true or false, or (b) that which a true or false declarative sentence asserts.",
      "rdfs:isDefinedBy": {
        "@id": "http://semanticscience.org/resource/SIO_001183"
      },
      "rdfs:label": "Statement",
      "rdfs:subClassOf": {
        "@id": "d3f:Proposition"
      }
    },
    {
      "@id": "d3f:T1600.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600.002",
      "rdfs:label": "Disable Crypto Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1600"
      }
    },
    {
      "@id": "d3f:CWE-1322",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1322",
      "rdfs:label": "Use of Blocking Code in Single-threaded, Non-blocking Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:OSAPICreateSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:CreateSocket"
      },
      "rdfs:label": "OS API Create Socket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N6d2097fa07ac422d82fb68cb0964291c"
        }
      ]
    },
    {
      "@id": "_:N6d2097fa07ac422d82fb68cb0964291c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateSocket"
      }
    },
    {
      "@id": "d3f:Reference-SecurityArchitectureForTheInternetProtocol",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc1825"
      },
      "d3f:kb-abstract": "This memo describes the security mechanisms for IP version 4 (IPv4)\n   and IP version 6 (IPv6) and the services that they provide.  Each\n   security mechanism is specified in a separate document.  This\n   document also describes key management requirements for systems\n   implementing those security mechanisms.  This document is not an\n   overall Security Architecture for the Internet and is instead focused\n   on IP-layer security.",
      "d3f:kb-author": "Randall Atkinson",
      "d3f:kb-reference-of": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:kb-reference-title": "Security Architecture for the Internet Protocol",
      "rdfs:label": "Reference - Security Architecture for the Internet Protocol"
    },
    {
      "@id": "d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-04-001/"
      },
      "d3f:kb-abstract": "When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe “ATSVC” is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\\Windows\\System32\\AT<job\\_id>. Unlike CAR-2013-05-004, this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained execution.\n\nThis pipe activity could be discovered with a network decoder, such as that in Wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may be inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern C:\\Windows\\System32\\AT\\<job_id\\>.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-04-001: Remotely Scheduled Tasks via AT",
      "rdfs:label": "Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITRE"
    },
    {
      "@id": "d3f:updates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x updates y: The technique x updates the software for component y.",
      "rdfs:label": "updates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:hardens"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-53Ar5"
      },
      "d3f:kb-abstract": "This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations"
    },
    {
      "@id": "d3f:CCI-001085_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system utilizes underlying hardware separation mechanisms to implement security function isolation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001085"
    },
    {
      "@id": "d3f:T1505.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:Software"
      },
      "d3f:attack-id": "T1505.004",
      "rdfs:label": "IIS Components",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N7ac530a6709d4d6d8f8361c5139241bd"
        }
      ]
    },
    {
      "@id": "_:N7ac530a6709d4d6d8f8361c5139241bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:MailService",
      "@type": "owl:Class",
      "d3f:definition": "A mail service provides the ability to send and receive mail across a computer network.  The mail service runs on message transfer agents (i.e., mail servers) and is accessed by users through an email client.",
      "rdfs:label": "Mail Service",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Email"
        },
        {
          "@id": "dbr:Message_transfer_agent"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      },
      "skos:altLabel": "Email Service"
    },
    {
      "@id": "d3f:CWE-401",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-401",
      "rdfs:label": "Missing Release of Memory after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-772"
      }
    },
    {
      "@id": "d3f:T1070.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.006",
      "d3f:forges": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Timestomp",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:Nc9b6016708b741af9e64859f3f5e958a"
        }
      ]
    },
    {
      "@id": "_:Nc9b6016708b741af9e64859f3f5e958a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:EmailAttachment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attached-to": {
        "@id": "d3f:Email"
      },
      "d3f:definition": "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Email_attachment"
      },
      "rdfs:label": "Email Attachment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "_:Ne84099f83b28407f9a7528c84cac2fed"
        }
      ]
    },
    {
      "@id": "_:Ne84099f83b28407f9a7528c84cac2fed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:attached-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:CWE-363",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-363",
      "rdfs:label": "Race Condition Enabling Link Following",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-367"
      }
    },
    {
      "@id": "d3f:T1584.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.003",
      "rdfs:label": "Virtual Private Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:T1069.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.001",
      "rdfs:label": "Local Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:WebServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web server is server software, or hardware dedicated to running this software, that can satisfy client requests on the World Wide Web. A web server can, in general, contain one or more websites. A web server processes incoming network requests over HTTP and several other related protocols. While the major function is to serve content, a full implementation of HTTP also includes ways of receiving content from clients. This feature is used for submitting web forms, including uploading of files.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_server"
      },
      "rdfs:label": "Web Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:Reference-MissionDependencyModelingForCyberSituationalAwareness",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csis.gmu.edu/noel/pubs/2016_NATO_IST_148.pdf"
      },
      "d3f:kb-abstract": "This paper describes a hierarchical graph-based model that captures mission dependencies at various levels of abstraction, showing interdependencies among mission objectives, tasks, information, and cyber assets. For this work, we employ established tools within a structured methodology for cyber resiliency analysis. Our model is focused on a strategic-level military scenario defined in a formal Request for Information (RFI) to industry and research partners by the NATO Multinational Cyber Defense Capability Development (MN CD2) Work Package 2 (WP2). We enhance this scenario with additional mission and operational context, and then build a mission dependency model for the enhanced scenario. It is anticipated that our mission dependency model will be part of an upcoming demonstration of cyber defense situational awareness capabilities in a NATO Communications and Information (NCI) Agency test environment, integrated with data sources that represent the operational military environment.",
      "d3f:kb-author": "William Heinbockel, Steven Noel, James Curbo",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Mission Dependency Modeling for Cyber Situational Awareness",
      "rdfs:label": "Reference - Mission Dependency Modeling for Cyber Situational Awareness"
    },
    {
      "@id": "d3f:Browser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web browser (commonly referred to as a browser) is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI/URL) and may be a web page, image, video or other piece of content. Hyperlinks present in resources enable users easily to navigate their browsers to related resources. Although browsers are primarily intended to use the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems.",
      "d3f:may-contain": {
        "@id": "d3f:BrowserExtension"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_browser"
      },
      "rdfs:label": "Browser",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13376000-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserApplication"
        },
        {
          "@id": "_:N3b4ff32293744b8d95dae949c476a41b"
        }
      ]
    },
    {
      "@id": "_:N3b4ff32293744b8d95dae949c476a41b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BrowserExtension"
      }
    },
    {
      "@id": "d3f:T1174",
      "@type": "owl:Class",
      "d3f:attack-id": "T1174",
      "rdfs:label": "Password Filter DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1076",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1076",
      "rdfs:label": "Insufficient Adherence to Expected Conventions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:ExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Execution"
      },
      "rdfs:label": "Execution Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N3e10654ecf584c8c873417837938e61d"
        }
      ]
    },
    {
      "@id": "_:N3e10654ecf584c8c873417837938e61d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Execution"
      }
    },
    {
      "@id": "d3f:T1552.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CommandHistoryLogFile"
      },
      "d3f:attack-id": "T1552.003",
      "rdfs:label": "Bash History",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N35e180a2ed1a4dbe9e204b5f494887df"
        }
      ]
    },
    {
      "@id": "_:N35e180a2ed1a4dbe9e204b5f494887df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLogFile"
      }
    },
    {
      "@id": "d3f:CWE-1127",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1127",
      "rdfs:label": "Compilation with Insufficient Warnings or Errors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:produced-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:produces"
      },
      "rdfs:label": "produced-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:DomainName",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. In 2015, 294 million domain names had been registered.",
      "d3f:identifies": {
        "@id": "d3f:IPAddress"
      },
      "rdfs:label": "Domain Name",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:Nff84db3b12014c0a94a0adbe8b502c0e"
        }
      ]
    },
    {
      "@id": "_:Nff84db3b12014c0a94a0adbe8b502c0e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IPAddress"
      }
    },
    {
      "@id": "d3f:LinuxSocket",
      "@type": "owl:Class",
      "d3f:definition": "Create an endpoint for communication.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/socket.2.html",
      "rdfs:label": "Linux Socket",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateSocket"
      }
    },
    {
      "@id": "d3f:EmailFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:InboundTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-EF",
      "d3f:definition": "Filtering incoming email traffic based on specific criteria.",
      "d3f:filters": {
        "@id": "d3f:Email"
      },
      "d3f:kb-article": "## How it works\n\nMail filters can be implemented to scan inbound email messages at the initial SMTP connection stage to detect and reject email containing spam and malware.\n\nThis technique is distinct from d3f:EmailDeletion because it prevents an email from reaching a user's inbox. This technique can also be used for outbound email traffic.\n\n## Considerations\n* The effectiveness of mail filters depends on the completeness of the filter policies.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia"
      },
      "rdfs:label": "Email Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "_:N35a522f9681e4f0fa79d0fcfa507e7a8"
        }
      ]
    },
    {
      "@id": "_:N35a522f9681e4f0fa79d0fcfa507e7a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc3851"
      },
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-title": "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification",
      "rdfs:label": "Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1"
    },
    {
      "@id": "d3f:OSAPISuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:SuspendThread"
      },
      "rdfs:label": "OS API Suspend Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Ne24ea1a61349480686ecd99b04c86c0c"
        }
      ]
    },
    {
      "@id": "_:Ne24ea1a61349480686ecd99b04c86c0c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SuspendThread"
      }
    },
    {
      "@id": "d3f:CWE-512",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-512",
      "rdfs:label": "Spyware",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:CWE-656",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-656",
      "rdfs:label": "Reliance on Security Through Obscurity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:T1127",
      "@type": "owl:Class",
      "d3f:attack-id": "T1127",
      "rdfs:label": "Trusted Developer Utilities Proxy Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:LinuxWrite",
      "@type": "owl:Class",
      "d3f:definition": "Write to a file descriptor.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/write.2.html",
      "rdfs:label": "Linux Write",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:BucketOfModels",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOM",
      "d3f:definition": "A \"bucket of models\" is an ensemble technique in which a model selection algorithm is used to choose the best model for each problem. When tested with only one problem, a bucket of models can produce no better results than the best model in the set, but when evaluated across many problems, it will typically produce much better results, on average, than any model in the set.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Bucket of Models",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:ImageDataSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An image data segment (often denoted .data) is a portion of an object file that contains initialized static variables, that is, global variables and static local variables. The size of this segment is determined by the size of the values in the program's source code, and does not change at run time. This segmenting of the memory space into discrete blocks with specific tasks carried over into the programming languages of the day and the concept is still widely in use within modern programming languages.",
      "rdfs:label": "Image Data Segment",
      "rdfs:seeAlso": [
        "Process Data Segment",
        {
          "@id": "dbr:Data_segment"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSegment"
      }
    },
    {
      "@id": "d3f:LocalUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account on a given host is a local user account for that specific host.",
      "rdfs:label": "Local User Account",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CodeRepository",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:SourceCode"
      },
      "d3f:definition": "A code repository is a form of database where code, typically source code, is stored and managed.  In revision control systems, a repository is a data structure that stores metadata for a set of files or directory structure. Depending on whether the version control system in use is distributed (like Git or Mercurial) or centralized (like Subversion, CVS, or Perforce), the whole set of information in the repository may be duplicated on every user's system or may be maintained on a single server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Repository_(version_control)"
      },
      "rdfs:label": "Code Repository",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Database"
        },
        {
          "@id": "_:Ne5b52d98d76c4540a3ddd4b10089aa2c"
        }
      ],
      "skos:altLabel": [
        "Repository",
        "Version Control Repository"
      ]
    },
    {
      "@id": "_:Ne5b52d98d76c4540a3ddd4b10089aa2c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SourceCode"
      }
    },
    {
      "@id": "d3f:GetSystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call that gets the system time.  For POSIX.1 systems, time() invokes a call to get the system time.",
      "rdfs:label": "Get System Time",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/time.2.html"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-356",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-356",
      "rdfs:label": "Product UI does not Warn User of Unsafe Actions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:CWE-924",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-924",
      "rdfs:label": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:CWE-43",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-43",
      "rdfs:label": "Path Equivalence: 'filename....' (Multiple Trailing Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-163"
        },
        {
          "@id": "d3f:CWE-42"
        }
      ]
    },
    {
      "@id": "d3f:CWE-703",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-703",
      "rdfs:label": "Improper Check or Handling of Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:ComputingServer",
      "@type": "owl:Class",
      "d3f:definition": "A compute server is a system specifically designed to undertake large amounts of computation, usually but not necessarily in a client/server environment.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.encyclopedia.com/computing/dictionaries-thesauruses-pictures-and-press-releases/compute-server"
      },
      "rdfs:label": "Computing Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-1077",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1077",
      "rdfs:label": "Floating Point Comparison with Incorrect Operator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:CWE-182",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-182",
      "rdfs:label": "Collapse of Data into Unsafe Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-42",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-42",
      "rdfs:label": "Path Equivalence: 'filename.' (Trailing Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:ApplicationConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for an application. A plist file is an example of this type of file for macOS.  Usually text-based.",
      "rdfs:label": "Application Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "_:Nfd3394b7631e44ff9d2120dbcd91e328"
        }
      ]
    },
    {
      "@id": "_:Nfd3394b7631e44ff9d2120dbcd91e328",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:Reference-FWTK-FirewallToolkit_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://blogs.gartner.com/john_pescatore/2008/10/02/this-week-in-network-security-history-the-firewall-toolkit/"
      },
      "d3f:kb-abstract": "delivered to DARPA in ~1993",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-title": "FWTK - Firewall Toolkit",
      "rdfs:label": "Reference - FWTK - Firewall Toolkit"
    },
    {
      "@id": "d3f:CWE-127",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-127",
      "rdfs:label": "Buffer Under-read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-125"
        },
        {
          "@id": "d3f:CWE-786"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1341",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1341",
      "rdfs:label": "Multiple Releases of Same Resource or Handle",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-675"
      }
    },
    {
      "@id": "d3f:Modem",
      "@type": "owl:Class",
      "d3f:definition": "A modem -- a portmanteau of \"modulator-demodulator\" -- is a hardware device that converts data into a format suitable for a transmission medium so that it can be transmitted from one computer to another (historically along telephone wires). A modem modulates one or more carrier wave signals to encode digital information for transmission and demodulates signals to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded reliably to reproduce the original digital data. Modems can be used with almost any means of transmitting analog signals from light-emitting diodes to radio. A common type of modem is one that turns the digital data of a computer into modulated electrical signal for transmission over telephone lines and demodulated by another modem at the receiver side to recover the digital data.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Modem"
      },
      "rdfs:label": "Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:ProcessEnvironmentVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer. They are part of the environment in which a process runs.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Environment_variable"
      },
      "rdfs:label": "Process Environment Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "skos:altLabel": "Environment Variable"
    },
    {
      "@id": "d3f:TransportLink",
      "@type": "owl:Class",
      "rdfs:label": "Transport Link",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:T1071.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.001",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Web Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N26d9958568e748c7ad62616161b8498b"
        },
        {
          "@id": "_:Ne8cd548acae349fba1e3de754b01f576"
        }
      ]
    },
    {
      "@id": "_:N26d9958568e748c7ad62616161b8498b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Ne8cd548acae349fba1e3de754b01f576",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:T1578.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578.003",
      "rdfs:label": "Delete Cloud Instance",
      "rdfs:subClassOf": {
        "@id": "d3f:T1578"
      }
    },
    {
      "@id": "d3f:CWE-733",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-733",
      "rdfs:label": "Compiler Optimization Removal or Modification of Security-critical Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1038"
      }
    },
    {
      "@id": "d3f:CompilerConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for a compiler.",
      "rdfs:label": "Compiler Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Privileged Access by Non-organizational Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(6)"
    },
    {
      "@id": "d3f:CWE-197",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-197",
      "rdfs:label": "Numeric Truncation Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:Maximum-marginLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MML",
      "d3f:definition": "Maximum-margin classifiers attempt to maximize the distance between the given data points and the decision boundary.",
      "d3f:kb-article": "## References\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).\n\nSupport Vector Machines for Machine Learning. [Link](https://machinelearningmastery.com/support-vector-machines-for-machine-learning/#:~:text=The%20distance%20between%20the%20line,called%20the%20Maximal%2DMargin%20hyperplane.)",
      "rdfs:label": "Maximum-margin Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:ExceptionHandler",
      "@type": "owl:Class",
      "d3f:definition": "An exception handler is a code segment that processes an exception.",
      "rdfs:label": "Exception Handler",
      "rdfs:seeAlso": {
        "@id": "dbr:Exception_handling"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1201",
      "@type": "owl:Class",
      "d3f:attack-id": "T1201",
      "rdfs:label": "Password Policy Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1055.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.003",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:may-add": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Thread Execution Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N0dc9b330d4ce4bc19f02cbae478d279e"
        },
        {
          "@id": "_:N2d181f9abb134a229c7a8ed1be1b5ed3"
        }
      ]
    },
    {
      "@id": "_:N0dc9b330d4ce4bc19f02cbae478d279e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "_:N2d181f9abb134a229c7a8ed1be1b5ed3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:control-name": "Configuration Settings | Unauthorized Change Detection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "CM-6(3)"
    },
    {
      "@id": "d3f:TabletComputer",
      "@type": "owl:Class",
      "d3f:definition": "A tablet computer, commonly shortened to tablet, is a mobile device, typically with a mobile operating system and touchscreen display processing circuitry, and a rechargeable battery in a single, thin and flat package. Tablets, being computers, do what other personal computers do, but lack some input/output (I/O) abilities that others have. Modern tablets largely resemble modern smartphones, the only differences being that tablets are relatively larger than smartphones, with screens 7 inches (18 cm) or larger, measured diagonally, and may not support access to a cellular network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Tablet_computer"
      },
      "rdfs:label": "Tablet Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": "Tablet"
    },
    {
      "@id": "d3f:d3fend-id",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Unique identifier for a D3FEND technique. D3-[Acronym].",
      "rdfs:label": "d3fend-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:CWE-1242",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1242",
      "rdfs:label": "Inclusion of Undocumented Features or Chicken Bits",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Account Management | Automated Temporary and Emergency Account Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(2)"
    },
    {
      "@id": "d3f:CWE-344",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-344",
      "rdfs:label": "Use of Invariant Value in Dynamically Changing Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:Command",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a command is a directive to a computer program acting as an interpreter of some kind, in order to perform a specific task. Most commonly a command is either a directive to some kind of command-line interface, such as a shell, or an event in a graphical user interface triggered by the user selecting an option in a menu.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Command_(computing)"
      },
      "rdfs:label": "Command",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:DigitalEvent"
        }
      ]
    },
    {
      "@id": "d3f:T1578.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578.004",
      "rdfs:label": "Revert Cloud Instance",
      "rdfs:subClassOf": {
        "@id": "d3f:T1578"
      }
    },
    {
      "@id": "d3f:T1055.015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055.015",
      "rdfs:label": "ListPlanting",
      "rdfs:subClassOf": {
        "@id": "d3f:T1055"
      }
    },
    {
      "@id": "d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf"
      },
      "d3f:kb-abstract": "Once security and privacy controls are implemented, they need to be evaluated for correctness and effectiveness. After the initial assessment is completed and the system enters the operations/maintenance phase of the system development life cycle, the controls are assessed on an ongoing basis according to the organization and system’s continuous monitoring plans. The ongoing assessment supports the authorizing official’s decision to continue or discontinue the system’s authorization to operate. Control effectiveness assessments are performed by an independent third-party assessor or assessment team if the system categorization is moderate or high.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)",
      "rdfs:label": "Reference - NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)"
    },
    {
      "@id": "d3f:PrivilegeEscalation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 4,
      "rdfs:label": "Privilege Escalation",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:FeatureAssessment",
      "@type": "owl:Class",
      "rdfs:label": "Feature Assessment",
      "rdfs:subClassOf": {
        "@id": "d3f:Assessment"
      }
    },
    {
      "@id": "d3f:IntranetRPCNetworkTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Intranet RPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard remote procedure call (e.g., RFC 1050) protocol.",
      "rdfs:label": "Intranet RPC Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Intranet"
        },
        {
          "@id": "dbr:Remote_procedure_call"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "d3f:RPCNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:PowershellScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Powershell Script File"
    },
    {
      "@id": "d3f:CWE-185",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-185",
      "rdfs:label": "Incorrect Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:OSAPIDeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:DeleteFile"
      },
      "rdfs:label": "OS API Delete File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N7097ba4e18d84a79b4911eb66c349cc3"
        }
      ]
    },
    {
      "@id": "_:N7097ba4e18d84a79b4911eb66c349cc3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DeleteFile"
      }
    },
    {
      "@id": "d3f:T1592.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.003",
      "rdfs:label": "Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:SystemInitConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "System initialization configuration information is configuration information used to configure the services, parameters, and initial settings for an operating system at startup.",
      "rdfs:label": "System Init Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      },
      "skos:altLabel": "Autoruns"
    },
    {
      "@id": "d3f:ReverseResolutionIPDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-RRID",
      "d3f:definition": "Blocking a reverse lookup based on the query's IP address value.",
      "d3f:kb-article": "## How it works\nThis technique prevents a client from learning domains deemed to be potentially malicious, which would have been delivered via reverse resolution responses over the DNS protocol.\n\nQueries for reverse resolution requests (that is, requests where IP(s) are sent and a domain is returned) are collected, and the IP address(es) included in the query are examined. If the IP address(es) are in a range included in the blacklist, then the query is dropped.\n\n## Considerations\n- The blacklist will have to be maintained and will need to be kept up to date with identified maintenance cycles to ensure lists are not stale.\n- DNS query traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS query IP address value(s).\n  - DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n  - Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS queries. These protocols have often been enabled in browser settings transparently after a browser update, with DNS queries proxied over one of these cryptographic protocols through a specified host.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Reverse Resolution IP Blacklisting",
      "rdfs:label": "Reverse Resolution IP Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:N978a4344c6d94026a7c885f7bb8243a0"
        }
      ]
    },
    {
      "@id": "_:N978a4344c6d94026a7c885f7bb8243a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:DiscoveryTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Discovery"
      },
      "rdfs:label": "Discovery Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N8145c41726d44bfca593e18f69e838c8"
        }
      ]
    },
    {
      "@id": "_:N8145c41726d44bfca593e18f69e838c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Discovery"
      }
    },
    {
      "@id": "d3f:CWE-477",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-477",
      "rdfs:label": "Use of Obsolete Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-427",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-427",
      "rdfs:label": "Uncontrolled Search Path Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:TicketGrantingTicket",
      "@type": "owl:Class",
      "d3f:definition": "In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic protection by the key distribution center (KDC) subsystem of authentication services such as Kerberos. The TGT file contains the session key, its expiration date, and the user's IP address, which protects the user from man-in-the-middle attacks. The TGT is used to obtain a service ticket from the Ticket Granting Service (TGS). The user is granted access to network services only after this service ticket is provided.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Ticket_Granting_Ticket"
      },
      "rdfs:label": "Ticket Granting Ticket",
      "rdfs:seeAlso": {
        "@id": "dbr:Charlie_and_the_Chocolate_Factory"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AccessToken"
      },
      "skos:altLabel": "Golden Ticket"
    },
    {
      "@id": "d3f:CWE-839",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-839",
      "rdfs:label": "Numeric Range Comparison Without Minimum Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:TraceProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A trace system call provides a means by which one process (the \"tracer\") may observe and control the execution of another process (the \"tracee\"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.",
      "d3f:monitors": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Trace Process",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/resource/Ptrace"
        },
        {
          "@id": "https://linux.die.net/man/2/ptrace"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N4ab76980d26e4dd4902444a43a03618a"
        }
      ],
      "skos:altLabel": "Open Process"
    },
    {
      "@id": "_:N4ab76980d26e4dd4902444a43a03618a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1189",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1189",
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:produces": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Drive-by Compromise",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N3eec96b4147c499c8ed2b904205b51d1"
        },
        {
          "@id": "_:Ne0d32977df974c42b9193102950e9a02"
        },
        {
          "@id": "_:N0f5e317582b743949c7fd3fb11e4d282"
        }
      ]
    },
    {
      "@id": "_:N3eec96b4147c499c8ed2b904205b51d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:Ne0d32977df974c42b9193102950e9a02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "_:N0f5e317582b743949c7fd3fb11e4d282",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:mapped-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:maps"
      },
      "rdfs:label": "mapped-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-120",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-120",
      "rdfs:label": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:HTMLFile",
      "@type": "owl:Class",
      "d3f:definition": "A document file encoded in HTML. The HyperText Markup Language, or HTML, is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript. Web browsers receive HTML documents from a web server or from local storage and render the documents into multimedia web pages. HTML describes the structure of a web page semantically and originally included cues for the appearance of the document.",
      "rdfs:label": "HTML File",
      "rdfs:seeAlso": {
        "@id": "dbr:HTML"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DocumentFile"
      },
      "skos:altLabel": "HTML File"
    },
    {
      "@id": "d3f:T1480.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1480.001",
      "rdfs:label": "Environmental Keying",
      "rdfs:subClassOf": {
        "@id": "d3f:T1480"
      }
    },
    {
      "@id": "d3f:CWE-1189",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1189",
      "rdfs:label": "Improper Isolation of Shared Resources on System-on-a-Chip (SoC)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-653"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:configures",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "configures",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:CWE-433",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-433",
      "rdfs:label": "Unparsed Raw Web Content Delivery",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-219"
      }
    },
    {
      "@id": "d3f:CCI-000032_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000032"
    },
    {
      "@id": "d3f:M1022",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:LocalFilePermissions"
      },
      "rdfs:label": "Restrict File and Directory Permissions"
    },
    {
      "@id": "d3f:CWE-1007",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1007",
      "rdfs:label": "Insufficient Visual Distinction of Homoglyphs Presented to User",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-451"
      }
    },
    {
      "@id": "d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8239947B1"
      },
      "d3f:kb-abstract": "A user mode application component invokes the assistance of a kernel mode driver component to detect and/or remediate malicious code on a computer system. The user mode application may include code that detects, for example, spyware and computer viruses, from user mode and when appropriate takes protective action when malicious code is detected. In one aspect, when the user mode application is unable to perform a selected operation in attempting to detect and/or take protective action, the user mode application invokes a kernel mode driver for assistance. The kernel mode driver assists user mode application in detecting malicious code and/or taking protective action by enabling or otherwise performing a selected operation for the user mode application.",
      "d3f:kb-author": "Adam Glick, Patrick Gardner, Pieter Viljoen",
      "d3f:kb-mitre-analysis": "This patent describes detecting registry changes using a prohibited change heuristic or a database of prohibited functions/function parameters.",
      "d3f:kb-organization": "Symantec Corporation",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:kb-reference-title": "Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system",
      "rdfs:label": "Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporation"
    },
    {
      "@id": "d3f:T1012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:attack-id": "T1012",
      "d3f:may-invoke": {
        "@id": "d3f:GetSystemConfigValue"
      },
      "rdfs:label": "Query Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N972e4094defa4aec829ac8a50671bacf"
        },
        {
          "@id": "_:Nb15add37330849a98460d1302671df11"
        }
      ]
    },
    {
      "@id": "_:N972e4094defa4aec829ac8a50671bacf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Nb15add37330849a98460d1302671df11",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "d3f:CCI-002283_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002283"
    },
    {
      "@id": "d3f:CCI-001087_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001087"
    },
    {
      "@id": "d3f:CWE-1390",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1390",
      "rdfs:label": "Weak Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:enabled-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enabled-by y: A top level technique y enables a tactic x, that is, the property indicates that a technique y is used to put a particular tactic x into action. In other words, y renders x capable or able for some task.  Inverse of enables.",
      "owl:inverseOf": {
        "@id": "d3f:enables"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513958-v"
      },
      "rdfs:label": "enabled-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Volume"
      },
      "d3f:attack-id": "T1006",
      "rdfs:label": "Direct Volume Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N8921c378a9cb439ab84a4f13eb12abb0"
        }
      ]
    },
    {
      "@id": "_:N8921c378a9cb439ab84a4f13eb12abb0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20090077645A1"
      },
      "d3f:kb-abstract": "Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.",
      "d3f:kb-author": "Buddhika Nandana Kottahachchi",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Oracle International Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:kb-reference-title": "Framework for notifying a directory service of authentication events processed outside the directory service",
      "rdfs:label": "Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp"
    },
    {
      "@id": "d3f:CCI-001242_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001242"
    },
    {
      "@id": "d3f:BSDProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "BSD Process"
    },
    {
      "@id": "d3f:d3fend-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-annotation y: The d3fend object x has the annotation y.",
      "rdfs:label": "d3fend-annotation"
    },
    {
      "@id": "d3f:CWE-480",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-480",
      "rdfs:label": "Use of Incorrect Operator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-title": "Use DNS Policy for Applying Filters on DNS Queries",
      "rdfs:label": "Reference - Use DNS Policy for Applying Filters on DNS Queries"
    },
    {
      "@id": "d3f:CWE-437",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-437",
      "rdfs:label": "Incomplete Model of Endpoint Features",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:Pipe",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing.  In the strictest sense, a pipe is a single segment of a pipeline, allowing one process to pass information forward to another.  Network pipes allow processes on different hosts to interact.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.linfo.org/pipe.html"
      },
      "rdfs:label": "Pipe",
      "rdfs:seeAlso": {
        "@id": "dbr:Pipeline_(Unix)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InterprocessCommunication"
      },
      "skos:altLabel": "Pipeline"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForScanningRemoteServicesToLocateStoredObjectsWithMalware",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US11368475B1/"
      },
      "d3f:kb-abstract": "A system and method for retrieval and analysis of stored objects for malware is described. The method involves receiving a scan request message from a customer to conduct analytics on one or more objects stored within a third-party controlled service. In response to receipt of the scan request message, the system generates a redirect message. The redirect message redirects the customer to an authentication portal of the third-party controlled service operating as a logon page and configures receipt by the system of access credentials for the third-party controlled service upon verification of the customer. Using the access credentials, the system is able to retrieve the one or more objects using the access credentials and performing analytics on each object of the one or more objects to classify each object as malicious or benign.",
      "d3f:kb-author": "Sai Vashisht",
      "d3f:kb-organization": "Mandiant Inc, FireEye Security Holdings US LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:EmailRemoval"
      },
      "d3f:kb-reference-title": "System and method for scanning remote services to locate stored objects with malware",
      "rdfs:label": "Reference - System and method for scanning remote services to locate stored objects with malware"
    },
    {
      "@id": "d3f:CCI-003014_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined mandatory access control policies over all subjects and objects.",
      "d3f:exactly": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-08-30T00:00:00"
      },
      "rdfs:label": "CCI-003014"
    },
    {
      "@id": "d3f:LocalAuthenticationService",
      "@type": "owl:Class",
      "d3f:definition": "A local authentication service running on a host can authenticate a user logged into just that local host computer.",
      "rdfs:label": "Local Authentication Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:SystemServiceSoftware"
        }
      ]
    },
    {
      "@id": "d3f:CompositeTechnique",
      "@type": "owl:Class",
      "d3f:definition": "A commonly applied series of techniques which induce a greater effect than each individual technique. The techniques are applied in a strict sequence.",
      "rdfs:label": "Composite Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CCI-001812_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits user installation of software without explicit privileged status.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001812"
    },
    {
      "@id": "d3f:Host-basedFirewall",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software firewall which controls inbound and outbound network traffic to the host computer.",
      "rdfs:label": "Host-based Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemSoftware"
      }
    },
    {
      "@id": "d3f:T1146",
      "@type": "owl:Class",
      "d3f:attack-id": "T1146",
      "rdfs:label": "Clear Command History",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-319",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-319",
      "rdfs:label": "Cleartext Transmission of Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-311"
      }
    },
    {
      "@id": "d3f:CCI-000018_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account creation actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000018"
    },
    {
      "@id": "d3f:Reference-AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20140407025337/http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf"
      },
      "d3f:kb-abstract": "This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on the areas of User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine these attacks to gain full control over the machine from low integrity, low privilege process.",
      "d3f:kb-author": "Matthew Conover",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Symantec Corporation",
      "d3f:kb-reference-of": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:kb-reference-title": "Analysis of the Windows Vista Security Model",
      "rdfs:label": "Reference - Analysis of the Windows Vista Security Model - Symantec Corporation"
    },
    {
      "@id": "d3f:CCI-002475_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002475"
    },
    {
      "@id": "d3f:CWE-271",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-271",
      "rdfs:label": "Privilege Dropping / Lowering Errors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:SymbolicLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "A symbolic link (also symlink or soft link) is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Symbolic_link"
      },
      "rdfs:label": "Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        },
        {
          "@id": "_:N7f09cdf07b714c19b46b651c303cc5b8"
        }
      ],
      "skos:altLabel": [
        "Softlink",
        "Symlink",
        "Soft Link"
      ]
    },
    {
      "@id": "_:N7f09cdf07b714c19b46b651c303cc5b8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1594",
      "@type": "owl:Class",
      "d3f:attack-id": "T1594",
      "rdfs:label": "Search Victim-Owned Websites",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1024",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1024",
      "rdfs:label": "Comparison of Incompatible Types",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110302653A1/en?oq=US+20110302653+A1"
      },
      "d3f:kb-abstract": "A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.",
      "d3f:kb-author": "Matt Frantz; Andreas Wittenstein; Mike Eynon; Laura Mather; Jim Lloyd; James Schumacher; Duane Murphy",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting man-in-the-browser attacks. Current user session data is compared with the average user session that is based on collected data representing average values across all user sessions over a data-collection period. User session data includes average time between clicks and the order in which website pages are viewed. The comparisons are combined to generate a score that indicates the likelihood that the current session is a man-in-the-browser attack.",
      "d3f:kb-organization": "EMC IP Holding Co LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:WebSessionActivityAnalysis"
      },
      "d3f:kb-reference-title": "System and Method for Network Security Including Detection of Attacks Through Partner Websites",
      "rdfs:label": "Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC"
    },
    {
      "@id": "d3f:Reference-PsSuspend",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend"
      },
      "d3f:kb-author": "Mark Russinovich",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSuspension"
      },
      "d3f:kb-reference-title": "PsSuspend",
      "rdfs:label": "Reference - PsSuspend - Microsoft"
    },
    {
      "@id": "d3f:T1010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1010",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetOpenWindows"
        }
      ],
      "rdfs:label": "Application Window Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N5a4f5db1d4aa43ac9fe637a4e9365a6e"
        },
        {
          "@id": "_:N73da8e9bf8fc4b568537f132a008648d"
        }
      ]
    },
    {
      "@id": "_:N5a4f5db1d4aa43ac9fe637a4e9365a6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N73da8e9bf8fc4b568537f132a008648d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetOpenWindows"
      }
    },
    {
      "@id": "d3f:CWE-205",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-205",
      "rdfs:label": "Observable Behavioral Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:ServiceBinaryVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemFileAnalysis"
      ],
      "d3f:d3fend-id": "D3-SBV",
      "d3f:definition": "Analyzing changes in service binary files by comparing to a source of truth.",
      "d3f:kb-article": "## How it works\nSystem service applications may originate from the operating system installation or third-party applications installed with administrative privileges. These services have an entry point of some executable file-- a binary or a script. Attackers sometimes modify these executables to launch their own code. Analyzing changes in these files may uncover unauthorized activity.\n\n## Considerations\n* These files change for legitimate reasons when the system or software updates.\n* The source of truth must not be corrupted in order for this method to work.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ServiceBinaryModifications_MITRE"
      },
      "d3f:verifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Service Binary Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemFileAnalysis"
        },
        {
          "@id": "_:N830a8627cb7540329668216dc7007412"
        }
      ]
    },
    {
      "@id": "_:N830a8627cb7540329668216dc7007412",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:Kernel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:KernelProcessTable"
      },
      "d3f:definition": "The kernel is a computer program that constitutes the central core of a computer's operating system. It has complete control over everything that occurs in the system. As such, it is the first program loaded on startup, and then manages the remainder of the startup, as well as input/output requests from software, translating them into data processing instructions for the central processing unit. It is also responsible for managing memory, and for managing and communicating with computing peripherals, like printers, speakers, etc. The kernel is a fundamental part of a modern computer's operating system.",
      "d3f:loads": {
        "@id": "d3f:Application"
      },
      "d3f:manages": [
        {
          "@id": "d3f:OperatingSystemProcess"
        },
        {
          "@id": "d3f:UserProcess"
        }
      ],
      "d3f:may-contain": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "d3f:KernelModule"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:Kernel_(operating_system)"
      },
      "rdfs:label": "Kernel",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/kernel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemSoftware"
        },
        {
          "@id": "_:N207160381db041edafd42187f10c0fbd"
        },
        {
          "@id": "_:N4eac81287fe049638eb3d24f315fe770"
        },
        {
          "@id": "_:Nde6bc2ca86e747f59f95ee684dacfb52"
        },
        {
          "@id": "_:Nf770b2e3254e4e10aa6500db4d625095"
        },
        {
          "@id": "_:N0a24ac34800b4085816543f2c8053ca0"
        },
        {
          "@id": "_:Neb7bddadb6bb41d6bbd1419b783cd071"
        }
      ]
    },
    {
      "@id": "_:N207160381db041edafd42187f10c0fbd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelProcessTable"
      }
    },
    {
      "@id": "_:N4eac81287fe049638eb3d24f315fe770",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "_:Nde6bc2ca86e747f59f95ee684dacfb52",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "_:Nf770b2e3254e4e10aa6500db4d625095",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserProcess"
      }
    },
    {
      "@id": "_:N0a24ac34800b4085816543f2c8053ca0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "_:Neb7bddadb6bb41d6bbd1419b783cd071",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:CWE-577",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-577",
      "rdfs:label": "EJB Bad Practices: Use of Sockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:LDIFRecord",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserAccount"
      ],
      "rdfs:label": "LDIF Record"
    },
    {
      "@id": "d3f:has-member",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:member-of"
      },
      "rdfs:label": "has-member",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:RangeMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RM",
      "d3f:definition": "Numeric Range Matching determines if a value lies with an interval of values (i.e., within the range of values.)",
      "rdfs:label": "Range Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:NumericPatternMatching"
      }
    },
    {
      "@id": "d3f:SystemCall",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.",
      "d3f:executes": {
        "@id": "d3f:Subroutine"
      },
      "d3f:synonym": "API Monitoring",
      "rdfs:isDefinedBy": {
        "@id": "dbr:System_call"
      },
      "rdfs:label": "System Call",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N5cc0d6a7ff4b49799bac050afe10fe07"
        }
      ]
    },
    {
      "@id": "_:N5cc0d6a7ff4b49799bac050afe10fe07",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-11_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Testing and Evaluation | Dynamic Code Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:ApplicationHardening"
      },
      "rdfs:label": "SA-11(8)"
    },
    {
      "@id": "d3f:PageTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:PhysicalAddress"
        },
        {
          "@id": "d3f:VirtualAddress"
        }
      ],
      "d3f:definition": "A page table  is the data structure used by the MMU in a virtual memory computer system  to store the mapping between virtual addresses (virtual pages) and physical addresses (page frames).",
      "rdfs:isDefinedBy": "Page table - Wikipedia",
      "rdfs:label": "Page Table",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N4b23c4c0046a4927a266df6721427819"
        },
        {
          "@id": "_:N302c74cb5f5641f8ac0dd57ba2c9e95a"
        }
      ]
    },
    {
      "@id": "_:N4b23c4c0046a4927a266df6721427819",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalAddress"
      }
    },
    {
      "@id": "_:N302c74cb5f5641f8ac0dd57ba2c9e95a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualAddress"
      }
    },
    {
      "@id": "d3f:CWE-159",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-159",
      "rdfs:label": "Improper Handling of Invalid Use of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:LinuxClone3",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process and provides more precise control over the data shared between the parent and child processes.\n\nNewer system call.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/clone3.2.html",
      "rdfs:label": "Linux Clone3",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:expectation-rating",
      "@type": "owl:DatatypeProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:T1574",
      "@type": "owl:Class",
      "d3f:attack-id": "T1574",
      "rdfs:label": "Hijack Execution Flow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002010_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002010"
    },
    {
      "@id": "d3f:IntranetAdministrativeNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet administrative network traffic is administrative network traffic that does not cross a given network's boundaries and uses a standard administrative protocol.",
      "rdfs:label": "Intranet Administrative Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AdministrativeNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:InboundTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-ITF",
      "d3f:definition": "Restricting network traffic originating from untrusted networks destined towards a private host or enclave.",
      "d3f:filters": {
        "@id": "d3f:InboundNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\nInbound Traffic, in this context, is network traffic originating from an untrusted network towards a private host or enclave.\nFor example:\n\n* An untrusted network host connecting to a internal commercial portal, shopping.example.com\n* An external mail server connecting to an internal mail server, mail.example.com\n\nFiltering policies are developed by administrators to meet business requirements and limit connectivity. These policies are implemented on edge devices such as firewalls, routers, and intrusion prevention systems. Examples of filters:\n\n* Blocking incoming traffic from spoofed internally facing IP addresses\n* Blocking specific ports and services from establishing connections\n* Limiting specific IP ranges from connecting to the network\n* Dynamic inbound filtering (Hole punching, STUN, NAT-T)\n\n## Considerations\n* Business requirements typically drive the development of filtering rulesets\n* Protocols using non-standard ports may circumvent filtering technology, which does not detect application protocol based on traffic content\n\n## Implementations\n* OpenWRT (Embedded)\n* Netfilter (Linux)\n* Windows Firewall\n* pf(BSD)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
        },
        {
          "@id": "d3f:Reference-FWTK-FirewallToolkit_"
        },
        {
          "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp"
        },
        {
          "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd"
        },
        {
          "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC"
        }
      ],
      "rdfs:label": "Inbound Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficFiltering"
        },
        {
          "@id": "_:Nfd1d0fb9350e4214ae90e7bf03d29eec"
        }
      ]
    },
    {
      "@id": "_:Nfd1d0fb9350e4214ae90e7bf03d29eec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1329",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1329",
      "rdfs:label": "Reliance on Component That is Not Updateable",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1357"
        },
        {
          "@id": "d3f:CWE-664"
        }
      ]
    },
    {
      "@id": "d3f:Histogramming",
      "@type": "owl:Class",
      "rdfs:label": "Histogramming",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:CWE-1223",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1223",
      "rdfs:label": "Race Condition for Write-Once Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:CWE-25",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-25",
      "rdfs:label": "Path Traversal: '/../filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:RemoteCommand",
      "@type": "owl:Class",
      "d3f:definition": "A remote command is a command sent from one computer to another to be executed on the remote computer.  One example of this, is through a command-line interface (CLI) like using Invoke-Command from PowerShell or a command sent through an ssh session. This class generalizes to all means of sending a command through an established protocol to control capabilities on a remote computer.",
      "rdfs:label": "Remote Command",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Command"
        },
        {
          "@id": "d3f:NetworkSession"
        }
      ]
    },
    {
      "@id": "d3f:CWE-594",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-594",
      "rdfs:label": "J2EE Framework: Saving Unserializable Objects to Disk",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Reference-TechniquesForImpedingAndDetectingNetworkThreats_VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10904273B1/"
      },
      "d3f:kb-abstract": "Infinite DNS decoy trap resource to catch threats scanning for network resources to attack.\n\nIn various embodiments, a name server transmits a canonical name as resolution to another canonical name. In operation, when a resource name is requested for resolution, a determination is made that the resource name corresponds to a trap resource name. A first canonical name is transmitted as resolution to the trap resource name. The first canonical name is requested for resolution, and a second canonical name is transmitted as resolution. By providing trap canonical names as resolutions to trap canonical names, unauthorized software making the resolution requests is kept occupied with requesting resolution of canonical name after canonical name, impeding the ability of the unauthorized software from traversing a network.",
      "d3f:kb-author": "Ben McCarty, James Graham",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Verisign Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Techniques for impeding and detecting network threats",
      "rdfs:label": "Reference - Techniques for impeding and detecting network threats - Verisign Inc"
    },
    {
      "@id": "d3f:implements",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:CapabilityImplementation"
      },
      "rdfs:label": "implements",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:inventories",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "inventories",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:FileEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-FEV",
      "d3f:definition": "File eviction techniques evict files from system storage.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "rdfs:label": "File Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Na120c6b0a3d349519ac06c6abc1e854c"
        }
      ]
    },
    {
      "@id": "_:Na120c6b0a3d349519ac06c6abc1e854c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:RecurrentNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RNN",
      "d3f:definition": "Recurrent Nerual Networks (RNN) are a class of artificial neural networks where connections between nodes can create a cycle, allowing output from some nodes to affect subsequent input to the same nodes. This allows it to exhibit temporal dynamic behavior.",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 7). Recurrent Neural Network. [Link](https://en.wikipedia.org/wiki/Recurrent_neural_network)",
      "rdfs:label": "Recurrent Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:DeepNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:kb-abstract",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-abstract y: The reference x has the abstract y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "kb-abstract",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:HTTPSURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "HTTPS URL"
    },
    {
      "@id": "d3f:CommandAndControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:CommandAndControl"
      },
      "rdfs:label": "Command and Control Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N11f58fc99a4d43dc8fd2b5480fba98f6"
        }
      ]
    },
    {
      "@id": "_:N11f58fc99a4d43dc8fd2b5480fba98f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandAndControl"
      }
    },
    {
      "@id": "d3f:M1040",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:JobFunctionAccessPatternAnalysis"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "rdfs:label": "Behavior Prevention on Endpoint"
    },
    {
      "@id": "d3f:monitors",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x monitors y: The technique or agent x keep tabs on; keeps an eye on; or keep the digital artifact y under surveillance.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02167732-v"
      },
      "rdfs:label": "monitors",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:detects"
        }
      ]
    },
    {
      "@id": "d3f:WideAreaNetwork",
      "@type": "owl:Class",
      "d3f:definition": "By contrast to a local area network (LAN), a wide area network (WAN), not only covers a larger geographic distance, but also generally involves leased telecommunication circuits or Internet links.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Local_area_network"
      },
      "rdfs:label": "Wide Area Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      },
      "skos:altLabel": "WAN"
    },
    {
      "@id": "d3f:Reference-PowershellExecution_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-04-003/"
      },
      "d3f:kb-abstract": "PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.\n\nPowershell can be used to hide monitored command line execution such as:\n\n* net use\n* sc start",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-04-003: Powershell Execution",
      "rdfs:label": "Reference - CAR-2014-04-003: Powershell Execution - MITRE"
    },
    {
      "@id": "d3f:LinuxFork",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process with unique PID but retains parent PID as Parent Process Identifier (PPID)",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/fork.2.html",
      "rdfs:label": "Linux Fork",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-621",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-621",
      "rdfs:label": "Variable Extraction Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-914"
      }
    },
    {
      "@id": "d3f:SeqGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SEQ",
      "d3f:definition": "Sequence Generation Framework (SeqGAN) models the data generator as a stochastic policy in reinforcement learning (RL), SeqGAN bypasses the generator differentiation problem by directly performing gradient policy update.",
      "d3f:kb-article": "## References\nYu, L., Zhang, W., Wang, J., & Yu, Y. (2017). SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient. ArXiv preprint ArXiv:1609.05473. [Link](https://arxiv.org/abs/1609.05473)",
      "d3f:synonym": "Sequence GAN",
      "rdfs:label": "SeqGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:SharedComputer",
      "@type": "owl:Class",
      "d3f:definition": "A computer whose resources are intended to be shared widely.",
      "rdfs:label": "Shared Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Time-sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      }
    },
    {
      "@id": "d3f:Reference-DigitalIdentityGuidelines800-63-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf"
      },
      "d3f:kb-author": "NIST",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:kb-reference-title": "Digital Identity Guidelines",
      "rdfs:label": "Reference - Digital Identity Guidelines 800-63-3"
    },
    {
      "@id": "d3f:CCI-002533_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Kernel-basedProcessIsolation"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002533"
    },
    {
      "@id": "d3f:T1037.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.004",
      "d3f:modifies": {
        "@id": "d3f:SystemInitScript"
      },
      "rdfs:label": "Rc.common",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:Nf225fc6376f64e2c8c6c28cd85c29191"
        }
      ]
    },
    {
      "@id": "_:Nf225fc6376f64e2c8c6c28cd85c29191",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemInitScript"
      }
    },
    {
      "@id": "d3f:T1087.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1087.003",
      "rdfs:label": "Email Account",
      "rdfs:subClassOf": {
        "@id": "d3f:T1087"
      }
    },
    {
      "@id": "d3f:OperatingSystemFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system file is a file that is part of, or used to store information about, the operating system itself.",
      "rdfs:label": "Operating System File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:System_file"
        },
        {
          "@id": "dbr:Operating_system"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-002264_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002264"
    },
    {
      "@id": "d3f:CWE-467",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-467",
      "rdfs:label": "Use of sizeof() on a Pointer Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-131"
      }
    },
    {
      "@id": "d3f:created",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of creation of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date created"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:BootstrapAggregating",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BA",
      "d3f:definition": "Bootstrap aggregating, also called bagging (from bootstrap aggregating), is a machine learning ensemble meta-algorithm designed to improve the stability and accuracy of machine learning algorithms used in statistical classification and regression. It also reduces variance and helps to avoid overfitting. Although it is usually applied to decision tree methods, it can be used with any type of method. Bagging is a special case of the model averaging approach.",
      "d3f:kb-article": "## References\nBootstrap aggregating. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Bootstrap_aggregating).",
      "rdfs:label": "Bootstrap Aggregating",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:T1499",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499",
      "rdfs:label": "Endpoint Denial of Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:RestoreEmail",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreFile"
      ],
      "d3f:d3fend-id": "D3-RE",
      "d3f:definition": "Restoring an email for an entity to access.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Restore Email",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreFile"
        },
        {
          "@id": "_:N6d51823f19e8453c95b3e95a66873dcd"
        }
      ]
    },
    {
      "@id": "_:N6d51823f19e8453c95b3e95a66873dcd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:Matching",
      "@type": "owl:Class",
      "rdfs:label": "Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:Reference-ExecutionWithAT_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-004/"
      },
      "d3f:kb-abstract": "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-004: Execution with AT",
      "rdfs:label": "Reference - CAR-2013-05-004: Execution with AT - MITRE"
    },
    {
      "@id": "d3f:capec-id",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Unique identifier for a CAPEC technique, i.e. a common attack pattern identified by the pattern CAPEC-[number].",
      "rdfs:label": "capec-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:CWE-550",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-550",
      "rdfs:label": "Server-generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:T1028",
      "@type": "owl:Class",
      "d3f:attack-id": "T1028",
      "rdfs:label": "Windows Remote Management",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-306",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-306",
      "rdfs:label": "Missing Authentication for Critical Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:CCI-002289_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002289"
    },
    {
      "@id": "d3f:title",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "A name given to the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "title"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:SystemSoftware",
      "@type": "owl:Class",
      "d3f:definition": "Computer software which enables operating system or platform functionality.",
      "rdfs:label": "System Software",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:LinuxVfork",
      "@type": "owl:Class",
      "d3f:definition": "Create child process that temp suspends parent process until it terminates",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/vfork.2.html",
      "rdfs:label": "Linux Vfork",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:CCI-002724_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002724"
    },
    {
      "@id": "d3f:WriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The write is one of the most basic routines provided by a Unix-like operating system kernel. It writes data from a buffer declared by the user to a given device, such as a file. This is the primary way to output data from a program by directly using a system call. The destination is identified by a numeric code. The data to be written, for instance a piece of text, is defined by a pointer and a size, given in number of bytes. write thus takes three arguments.",
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Write_(system_call)"
      },
      "rdfs:label": "Write File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nf4545c8f0da24b6b9dd0bd88d984d5de"
        }
      ]
    },
    {
      "@id": "_:Nf4545c8f0da24b6b9dd0bd88d984d5de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1151",
      "@type": "owl:Class",
      "d3f:attack-id": "T1151",
      "rdfs:label": "Space after Filename",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:RestoreConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RC",
      "d3f:definition": "Restoring an software configuration.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:ConfigurationResource"
      },
      "rdfs:label": "Restore Configuration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:Ne3760fd1b115422aa0f7205053a8fe40"
        }
      ]
    },
    {
      "@id": "_:Ne3760fd1b115422aa0f7205053a8fe40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:NewsArticle",
      "@type": "owl:Class",
      "rdfs:label": "News Article",
      "rdfs:subClassOf": {
        "@id": "d3f:Article"
      }
    },
    {
      "@id": "d3f:T1213.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:WebFileResource"
      },
      "d3f:attack-id": "T1213.002",
      "rdfs:label": "Sharepoint",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:Nfdaf339576e144c181ced2edcd484d22"
        }
      ]
    },
    {
      "@id": "_:Nfdaf339576e144c181ced2edcd484d22",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebFileResource"
      }
    },
    {
      "@id": "d3f:T1123",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AudioInputDevice"
      },
      "d3f:attack-id": "T1123",
      "rdfs:label": "Audio Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Na22dff886d8c436398835cbd5c00fb27"
        }
      ]
    },
    {
      "@id": "_:Na22dff886d8c436398835cbd5c00fb27",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AudioInputDevice"
      }
    },
    {
      "@id": "d3f:BiometricAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:d3fend-id": "D3-BAN",
      "d3f:definition": "Using biological measures in order to authenticate a user.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem"
        },
        {
          "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics"
        }
      ],
      "rdfs:label": "Biometric Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N91f6cabeb8dc4c62b2cf310713cba2e0"
        }
      ]
    },
    {
      "@id": "_:N91f6cabeb8dc4c62b2cf310713cba2e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:Policy",
      "@type": "owl:Class",
      "rdfs:label": "Policy",
      "rdfs:subClassOf": {
        "@id": "d3f:Document"
      }
    },
    {
      "@id": "d3f:CWE-676",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-676",
      "rdfs:label": "Use of Potentially Dangerous Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1177"
      }
    },
    {
      "@id": "d3f:TrajectoryPrediction",
      "@type": "owl:Class",
      "rdfs:label": "Trajectory Prediction",
      "rdfs:subClassOf": {
        "@id": "d3f:Forecasting"
      }
    },
    {
      "@id": "d3f:CWE-1328",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1328",
      "rdfs:label": "Security Version Number Mutable to Older Versions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:Reference-IndirectBranchingCalls",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1048.1241&rep=rep1&type=pdf"
      },
      "d3f:kb-abstract": "Return-oriented programming (ROP) has become the\nprimary exploitation technique for system compromise\nin the presence of non-executable page protections. ROP\nexploits are facilitated mainly by the lack of complete\naddress space randomization coverage or the presence\nof memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations.\nIn this paper we present a practical runtime ROP exploit prevention technique for the protection of thirdparty applications. Our approach is based on the detection of abnormal control transfers that take place during\nROP code execution. This is achieved using hardware\nfeatures of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to\nthe protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for\ninstalled programs in the same fashion as user-friendly\nmitigation toolkits like Microsoft's EMET. The results of\nour evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially\ncrafted workloads that continuously trigger its core detection component, while it has negligible overhead for\nactual user applications. In our experiments with in-thewild ROP exploits, kBouncer successfully protected all\ntested applications, including Internet Explorer, Adobe\nFlash Player, and Adobe Reader.",
      "d3f:kb-author": "Vasilis Pappas, Michalis Polychronakis, Angelos D. Keromytis\nColumbia University",
      "d3f:kb-organization": "Columbia University",
      "d3f:kb-reference-of": {
        "@id": "d3f:IndirectBranchCallAnalysis"
      },
      "d3f:kb-reference-title": "Transparent ROP Exploit Mitigation using Indirect Branch Tracing",
      "rdfs:label": "Reference - Indirect Branching Calls"
    },
    {
      "@id": "d3f:ReconnaissanceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Reconnaissance"
      },
      "rdfs:label": "Reconnaissance Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nc9b5e80571424016a2ebbc159b39b103"
        }
      ]
    },
    {
      "@id": "_:Nc9b5e80571424016a2ebbc159b39b103",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Reconnaissance"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100235909A1/en?oq=US+20100235909+A1"
      },
      "d3f:kb-abstract": "A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space.",
      "d3f:kb-author": "Mike Eynon; Laura Mather; Erik Westland; Jim Lloyd",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting fraudulent behavior on a website. Website behavior is mapped to build a multidimensional representation of user actions on a website that is updated as additional actions are recorded. Example actions on a website that are recorded include clicks by a user on the website and entering data into forms. Current behavior is compared against baseline recorded behavior and if current behavior deviates above a threshold, an alert is issued.",
      "d3f:kb-organization": "Silver Tail Systems",
      "d3f:kb-reference-of": {
        "@id": "d3f:WebSessionActivityAnalysis"
      },
      "d3f:kb-reference-title": "System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis",
      "rdfs:label": "Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems"
    },
    {
      "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190188384A1"
      },
      "d3f:kb-abstract": "Described herein are systems, techniques, and computer program products for preventing execution, by a scripting engine, of harmful commands that may be introduced by computer malware or other mechanisms. The system identifies certain host processes that may attempt to utilize a hosted scripting engine. An unmanaged interface module is injected into an identified host process. The unmanaged interface module is configured to detect certain conditions indicating the likelihood that a scripting engine will be instantiated, and in response to inject a managed interface module into the host process. The managed interface module hooks into certain methods of the scripting engine to intercept commands before they are executed by the scripting engine. The managed and unmanaged interface components then communicate with a kernel-mode threat detection component to determine whether any commands should be blocked.",
      "d3f:kb-author": "Ion-Alexandru IONESCU; Satoshi Tanda",
      "d3f:kb-mitre-analysis": "The patent describes techniques that can be implemented to detect and block malicious commands and command scripts from being executed by scripting engines.\n\n### Script Execution Monitoring explanation\nThis patent describes software installed on the host system that hooks into methods of a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. For example regular expression checking may be used to identify commands having malicious patterns. Expression checking may be used for script files as well as interactively - typed commands.\n\n### File Content Signatures explanation\nThis patent includes File Content Signatures because in the case of a script file, a hash of the file is compared against hashes of known malicious script files to determine whether the script file is malicious.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:ScriptExecutionAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Detecting script-based malware",
      "rdfs:label": "Reference - Detecting script-based malware - Crowdstrike Inc"
    },
    {
      "@id": "d3f:BroadcastDomainIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:d3fend-id": "D3-BDI",
      "d3f:definition": "Broadcast isolation restricts the number of computers a host can contact on their LAN.",
      "d3f:filters": {
        "@id": "d3f:LocalAreaNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\nSoftware Defined Networking, or other network encapsulation technologies intercept host broadcast traffic then route it to a specified destination per a configured policy.\n\nThis can be implemented within hypervisors, networking hardware (WAPs, switches, routers), or virutal hardware.\n\n## Considerations\nThis technique is highly dependent on network infrastructure and networking requirements.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP"
        },
        {
          "@id": "d3f:Reference-PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc"
        }
      ],
      "d3f:synonym": "Network Segmentation",
      "rdfs:label": "Broadcast Domain Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N9952e449aab343939c652ea882a9f73d"
        }
      ]
    },
    {
      "@id": "_:N9952e449aab343939c652ea882a9f73d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Deceive",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment.",
      "d3f:display-order": 3,
      "d3f:display-priority": 0,
      "rdfs:label": "Deceive",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-1319",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1319",
      "rdfs:label": "Improper Protection against Electromagnetic Fault Injection (EM-FI)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-02-001/"
      },
      "d3f:kb-abstract": "A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-02-001: Webshell-Indicative Process Tree",
      "rdfs:label": "Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITRE"
    },
    {
      "@id": "d3f:inventoried-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:inventories"
      },
      "rdfs:label": "inventoried-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:may-contain",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "to potentially have as contents or constituent parts; comprise; include.",
      "rdfs:label": "may-contain",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:identifies",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "identifies",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-295",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-295",
      "rdfs:label": "Improper Certificate Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:d3fend-tactical-verb-property",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:DefensiveTechnique"
      },
      "rdfs:label": "d3fend-tactical-verb-property",
      "rdfs:range": {
        "@id": "d3f:Artifact"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:authenticates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x authenticates y: The subject x establishes the authenticity of some y. This relation indicates an authentication event has occurred.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01980375-s"
      },
      "rdfs:label": "authenticates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:BooleanExpressionMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BEM",
      "d3f:definition": "Boolean expression matching produces a Boolean truth value for a given boolean expression and assignment of values to variables in the expression.",
      "d3f:kb-article": "## How it works\nA Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean constants true or false, Boolean-typed variables, Boolean-valued operators, and Boolean-valued functions.\n\nBoolean expressions correspond to propositional formulas in logic and are a special case of Boolean circuits.\n\n## References\n1. Boolean expression. (2022, April 25). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression)\n2. Boolean algebra. (2022, May 19). In _Wikipedia_.\n[Link](https://en.wikipedia.org/wiki/Boolean_expression)",
      "rdfs:label": "Boolean Expression Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:Platform",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:OperatingSystem"
        }
      ],
      "d3f:definition": "Platform includes the hardware and OS. The term computing platform can refer to different abstraction levels, including a certain hardware architecture, an operating system (OS), and runtime libraries. In total it can be said to be the stage on which computer programs can run.",
      "rdfs:label": "Platform",
      "rdfs:seeAlso": {
        "@id": "dbr:Computing_platform"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N26a6fc435867472a8269aeb5dd41b316"
        },
        {
          "@id": "_:N02901ee132f74a159533ed6ecd27b706"
        },
        {
          "@id": "_:N744c0f9affd445418b66a0aead78fef6"
        }
      ],
      "skos:altLabel": "Computer Platform"
    },
    {
      "@id": "_:N26a6fc435867472a8269aeb5dd41b316",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "_:N02901ee132f74a159533ed6ecd27b706",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "_:N744c0f9affd445418b66a0aead78fef6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "d3f:CCI-002746_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a manual override capability for input validation of organization-defined inputs.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002746"
    },
    {
      "@id": "d3f:Reference-LibreNMSDocsOxidizedExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.librenms.org/Extensions/Oxidized/"
      },
      "d3f:kb-abstract": "Integrating LibreNMS with Oxidized brings the following benefits:\n\n* Config viewing: Current, History, and Diffs all under the Configs tab of each device\n* Automatic addition of devices to Oxidized: Including filtering and grouping to ease credential management\n* Configuration searching",
      "d3f:kb-organization": "LibreNMS.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:DiskEncryption"
      },
      "d3f:kb-reference-title": "LibreNMSDocs - Oxidized Extension",
      "rdfs:label": "Reference - Libre NMS - Oxidized Extension"
    },
    {
      "@id": "d3f:CWE-162",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-162",
      "rdfs:label": "Improper Neutralization of Trailing Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:PortfolioAssessment",
      "@type": "owl:Class",
      "rdfs:label": "Portfolio Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Assessment"
        },
        {
          "@id": "_:Naa3c34bce9c846bbbb8df8335de06f67"
        }
      ]
    },
    {
      "@id": "_:Naa3c34bce9c846bbbb8df8335de06f67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-evidence"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityAssessment"
      }
    },
    {
      "@id": "d3f:CWE-791",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-791",
      "rdfs:label": "Incomplete Filtering of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-790"
      }
    },
    {
      "@id": "d3f:CWE-470",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-470",
      "rdfs:label": "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-913"
        }
      ]
    },
    {
      "@id": "d3f:RestoreDiskImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RDI",
      "d3f:definition": "Restoring a previously captured disk image onto a hard drive.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "rdfs:label": "Restore Disk Image",
      "rdfs:subClassOf": {
        "@id": "d3f:RestoreObject"
      }
    },
    {
      "@id": "d3f:TransferAgentAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageHardening"
      ],
      "d3f:d3fend-id": "D3-TAAN",
      "d3f:definition": "Validating that server components of a messaging infrastructure are authorized to send a particular message.",
      "d3f:kb-article": "## How it works\nTransfer Agent Authentication can be accomplished in different ways depending on the protocol. In email, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting, and Conformance (DMARC) are used to validate sender domain ownership.\n\n### SPF\nThe SPF protocol allows mail domain owners to specify the mail servers they use when sending email. SPF requires the use of SPF records published in the Domain Name System (DNS). These records list the authorized IPs for email senders. SPF uses the return-path address for domain IP identification. Forwarded email may cause return-path validation problems.\n### DKIM\nDKIM also uses a record entry in DNS for authentication but does not rely on the simple return-path for validation. A signature header is added to the email and encryption is used for security. This adds an additional layer of complexity and requires that DKIM servers be configured with identified cryptographic signatures. The additional complexity results in a validation process that can survive complex routing of emails.\n\n### DMARC\nDMARC is an email policy and authentication protocol that seeks to ensure that the \"From\" field of emails is not spoofed. DMARC makes use of both SPF records and DKIM published key validation. DMARC also has a decision policy framework, contained in a DMARC record, for handling of rejected email. The DMARC framework also updates DMARC domains with authentication statuses for allowed senders of that domain.\n\n## Considerations\n- Additional work is required to ensure that all SPF, DKIM and DMARC records are current and up to date.\n- Maintenance of DKIM signing keys is needed.\n- Using SPF without DKIM and DMARC verifies the Return-Path domain but does not prevent spoofing of the displayed From: address.\n- Parts of an email that are not signed or verified by email authentication methods, such as the message body or the header To: and Subject: fields, can be altered or modified.\n- Email message authentication does not replace the need to do email content analysis, since executables, attachments, links, or other parts of the email beyond the sender domain are not verified.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF"
        },
        {
          "@id": "d3f:Reference-RFC7208-SenderPolicyFramework-SPF-ForAuthorizingUseOfDomainsInEmail-IETF"
        },
        {
          "@id": "d3f:Reference-RFC7489-Domain-basedMessageAuthentication-Reporting-AndConformance-DMARC"
        }
      ],
      "rdfs:label": "Transfer Agent Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:MessageHardening"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-008/"
      },
      "d3f:kb-abstract": "This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-008: Certutil exe certificate extraction",
      "rdfs:label": "Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITRE"
    },
    {
      "@id": "d3f:M1017",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "Modeling user training is outside the scope of D3FEND.",
      "rdfs:label": "User Training"
    },
    {
      "@id": "d3f:CWE-1241",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1241",
      "rdfs:label": "Use of Predictable Algorithm in Random Number Generator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:T1566.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.001",
      "d3f:produces": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:InboundInternetMailTraffic"
        }
      ],
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:N3375c8177a644ec8827e38a41ef8cbe6"
        },
        {
          "@id": "_:Nf5cecce7cd9249978a70bc7169a601af"
        }
      ]
    },
    {
      "@id": "_:N3375c8177a644ec8827e38a41ef8cbe6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:Nf5cecce7cd9249978a70bc7169a601af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetMailTraffic"
      }
    },
    {
      "@id": "d3f:ResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a resource and any response from that resource.",
      "rdfs:label": "Resource Access",
      "rdfs:seeAlso": {
        "@id": "dbr:Computer_access_control"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "d3f:UserAction"
        }
      ]
    },
    {
      "@id": "d3f:T1049",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1049",
      "d3f:may-invoke": {
        "@id": "d3f:GetOpenSockets"
      },
      "rdfs:label": "System Network Connections Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N7f564cd87ae541ca9ccac6abbae33d03"
        }
      ]
    },
    {
      "@id": "_:N7f564cd87ae541ca9ccac6abbae33d03",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetOpenSockets"
      }
    },
    {
      "@id": "d3f:CloudServiceSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Senses data from cloud service platforms, including data from cloud service authentications, authorizations, and other activities.",
      "d3f:monitors": [
        {
          "@id": "d3f:CloudServiceAuthentication"
        },
        {
          "@id": "d3f:CloudServiceAuthorization"
        }
      ],
      "rdfs:label": "Cloud Service Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Sensor"
        },
        {
          "@id": "_:Ne748372f8f2844daafd5dfc7bb05900e"
        },
        {
          "@id": "_:Na632e933ed9a41929401a5144ece6139"
        }
      ]
    },
    {
      "@id": "_:Ne748372f8f2844daafd5dfc7bb05900e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceAuthentication"
      }
    },
    {
      "@id": "_:Na632e933ed9a41929401a5144ece6139",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceAuthorization"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-007/"
      },
      "d3f:kb-abstract": "In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "d",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt",
      "rdfs:label": "Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITRE"
    },
    {
      "@id": "d3f:Reference-ServicesLaunchingCmd_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will time out (default is 30 seconds) and the process will be killed.\n\nTo survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-05-002: Services launching Cmd",
      "rdfs:label": "Reference - CAR-2014-05-002: Services launching Cmd - MITRE"
    },
    {
      "@id": "d3f:Password",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Password"
      },
      "rdfs:label": "Password",
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": "Passcode"
    },
    {
      "@id": "d3f:CWE-152",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-152",
      "rdfs:label": "Improper Neutralization of Macro Symbols",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:SourceCodeReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Source Code",
      "rdfs:label": "Source Code Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-04-002/"
      },
      "d3f:kb-abstract": "Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
      "rdfs:label": "Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE"
    },
    {
      "@id": "d3f:Reference-OutlierParentsOfCmd_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-002/"
      },
      "d3f:kb-abstract": "Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe.\n\nWhile this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However, many processes don't routinely launch a command prompt - for example, Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-002: Outlier Parents of Cmd",
      "rdfs:label": "Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE"
    },
    {
      "@id": "d3f:CWE-1044",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1044",
      "rdfs:label": "Architecture with Number of Horizontal Layers Outside of Expected Range",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:MicrosoftWordWBKFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word WBK File"
    },
    {
      "@id": "d3f:Kernel-basedProcessIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutionIsolation"
      ],
      "d3f:d3fend-id": "D3-KBPI",
      "d3f:definition": "Using kernel-level capabilities to isolate processes.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-OverviewOfTheSeccompSandbox"
      },
      "rdfs:label": "Kernel-based Process Isolation",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionIsolation"
      }
    },
    {
      "@id": "d3f:ContainerRuntime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software layer between d3f:ContainerProcess and d3f:Kernel which often mediates the invocation of d3f:SystemCall",
      "d3f:runs": {
        "@id": "d3f:ContainerImage"
      },
      "rdfs:label": "Container Runtime",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N4f2e22a417854f349d1499b796904139"
        }
      ]
    },
    {
      "@id": "_:N4f2e22a417854f349d1499b796904139",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:T1087",
      "@type": "owl:Class",
      "d3f:attack-id": "T1087",
      "rdfs:label": "Account Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-317",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-317",
      "rdfs:label": "Cleartext Storage of Sensitive Information in GUI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160142424A1"
      },
      "d3f:kb-abstract": "A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions.",
      "d3f:kb-author": "Gil BARAK; Shai MORAG",
      "d3f:kb-mitre-analysis": "This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:\n\n* URLs visited\n* data downloaded or streamed\n* messages received and sent\n* amount of memory used for processing\n\nThe data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "d3f:kb-reference-title": "System and method thereof for identifying and responding to security incidents based on preemptive forensics",
      "rdfs:label": "Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:Reference-ActiveDirectoryDumpingViaNTDSUtil_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-08-002/"
      },
      "d3f:kb-abstract": "The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil",
      "rdfs:label": "Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE"
    },
    {
      "@id": "d3f:CWE-430",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-430",
      "rdfs:label": "Deployment of Wrong Handler",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-15",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-15",
      "rdfs:label": "External Control of System or Configuration Setting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:CWE-538",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-538",
      "rdfs:label": "Insertion of Sensitive Information into Externally-Accessible File or Directory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:T1003.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.002",
      "d3f:may-access": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:SystemPasswordDatabase"
        }
      ],
      "rdfs:label": "Security Account Manager",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N7c2bb24fbc094cb094472433e93badc4"
        },
        {
          "@id": "_:N92eaf657c87e47d080d28ea84f06ec24"
        },
        {
          "@id": "_:N4532c80b28c74bf8bcd6d122e04ac36d"
        }
      ]
    },
    {
      "@id": "_:N7c2bb24fbc094cb094472433e93badc4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:N92eaf657c87e47d080d28ea84f06ec24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N4532c80b28c74bf8bcd6d122e04ac36d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPasswordDatabase"
      }
    },
    {
      "@id": "d3f:CWE-578",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-578",
      "rdfs:label": "EJB Bad Practices: Use of Class Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:T1567",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Exfiltration Over Web Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N052d400e82ba46eb8ae021169c8c30aa"
        }
      ]
    },
    {
      "@id": "_:N052d400e82ba46eb8ae021169c8c30aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:Model",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The model tactic is used to apply security engineering, vulnerability, threat, and risk analyses to digital systems. This is accomplished by creating and maintaining a common understanding of the systems being defended, the operations on those systems, actors using the systems, and the relationships and interactions between these elements.",
      "d3f:display-order": -1,
      "d3f:display-priority": 1,
      "rdfs:label": "Model",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CentralProcessingUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessorRegister"
      },
      "d3f:definition": "A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. The CPU performs basic arithmetic, logic, controlling, and input/output (I/O) operations specified by the instructions in the program. This contrasts with external components such as main memory and I/O circuitry, and specialized processors such as graphics processing units (GPUs).",
      "d3f:may-contain": [
        {
          "@id": "d3f:CacheMemory"
        },
        {
          "@id": "d3f:MemoryManagementUnit"
        },
        {
          "@id": "d3f:MemoryProtectionUnit"
        }
      ],
      "d3f:synonym": [
        "CPU",
        "Central Processor",
        "Main Processor"
      ],
      "rdfs:isDefinedBy": "https://en.wikipedia.org/wiki/Central_processing_unit",
      "rdfs:label": "Central Processing Unit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Processor"
        },
        {
          "@id": "_:N5f6f42390d80488eb881b5ba8d2424e9"
        },
        {
          "@id": "_:Nd15611669c194ac09e7e91ba07b1c5ea"
        },
        {
          "@id": "_:N062eb81e9df4453bab07312667bc60bc"
        },
        {
          "@id": "_:Nefa5e34152c84fa6b6434431cdabbf21"
        }
      ]
    },
    {
      "@id": "_:N5f6f42390d80488eb881b5ba8d2424e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessorRegister"
      }
    },
    {
      "@id": "_:Nd15611669c194ac09e7e91ba07b1c5ea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CacheMemory"
      }
    },
    {
      "@id": "_:N062eb81e9df4453bab07312667bc60bc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryManagementUnit"
      }
    },
    {
      "@id": "_:Nefa5e34152c84fa6b6434431cdabbf21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryProtectionUnit"
      }
    },
    {
      "@id": "d3f:Moments",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MOM",
      "d3f:definition": "With a probability distribution function, the first moment is the expected value, the second central moment is the variance, the third standardized moment is the skewness, and the fourth standardized moment is the kurtosis.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Moment (mathematics). [Link](https://en.wikipedia.org/wiki/Moment_(mathematics))",
      "rdfs:label": "Moments",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:CWE-86",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-86",
      "rdfs:label": "Improper Neutralization of Invalid Characters in Identifiers in Web Pages",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-436"
        },
        {
          "@id": "d3f:CWE-79"
        }
      ]
    },
    {
      "@id": "d3f:CycleGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CYC",
      "d3f:definition": "The Cycle Generative Adversarial Network (CycleGAN) is an approach to training a deep convolutional neural network for image-to-image translation tasks by mapping between input and output images using an unpaired dataset.",
      "d3f:kb-article": "## References\nEsri. (n.d.). How CycleGAN Works. [Link](https://developers.arcgis.com/python/guide/how-cyclegan-works/)",
      "rdfs:label": "CycleGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:Image-to-ImageTranslationGAN"
      }
    },
    {
      "@id": "d3f:CWE-1060",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1060",
      "rdfs:label": "Excessive Number of Inefficient Server-Side Data Accesses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:invokes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x invokes y: The subject x invokes a system service y by use of an instruction object y that interrupts the program being executed and passes control to the operating system to perform that operation.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06599393-n"
      },
      "rdfs:label": "invokes",
      "rdfs:seeAlso": {
        "@id": "dbr:System_call"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:executes"
        },
        {
          "@id": "d3f:may-invoke"
        }
      ],
      "skos:altLabel": "calls"
    },
    {
      "@id": "d3f:T1207",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1207",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Rogue Domain Controller",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Nd483d8d96fc545b5a368ba97ec3a3766"
        },
        {
          "@id": "_:Naaf615e205b54b40ad42e368e7fdf625"
        }
      ]
    },
    {
      "@id": "_:Nd483d8d96fc545b5a368ba97ec3a3766",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Naaf615e205b54b40ad42e368e7fdf625",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Procedure",
      "@type": "owl:Class",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:N8088442913d64f29a68af580a112a507"
        },
        {
          "@id": "_:N25e4ec9d765e4490a7af44e96a4649a5"
        }
      ]
    },
    {
      "@id": "_:N8088442913d64f29a68af580a112a507",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implements"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Technique"
      }
    },
    {
      "@id": "_:N25e4ec9d765e4490a7af44e96a4649a5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:start"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "d3f:T1195.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.001",
      "d3f:modifies": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Compromise Software Dependencies and Development Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:N871dca961bd64b9c999e4d7a94f49dc0"
        }
      ]
    },
    {
      "@id": "_:N871dca961bd64b9c999e4d7a94f49dc0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1503",
      "@type": "owl:Class",
      "d3f:attack-id": "T1503",
      "rdfs:label": "Credentials from Web Browsers",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002688_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system discovers indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002688"
    },
    {
      "@id": "d3f:LogististicRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LRL",
      "d3f:definition": "A supervised learning method that builds a logistic regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)",
      "rdfs:label": "Logistic Regression Learning",
      "rdfs:seeAlso": "http://d3fend.mitre.org/ontologies/d3fend.owl#LogisticRegression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:CWE-1292",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1292",
      "rdfs:label": "Incorrect Conversion of Security Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Discovery",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 7,
      "rdfs:label": "Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:AdministrativeFeature",
      "@type": "owl:Class",
      "rdfs:label": "Administrative Feature",
      "rdfs:subClassOf": {
        "@id": "d3f:CapabilityFeature"
      },
      "skos:altLabel": "Administrative Capability"
    },
    {
      "@id": "d3f:CWE-486",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-486",
      "rdfs:label": "Comparison of Classes by Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1025"
      }
    },
    {
      "@id": "_:Nf1f75156b16b4c219052c4166481fb9c",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Kurtosis"
          },
          {
            "@id": "d3f:Moments"
          },
          {
            "@id": "d3f:Skewness"
          }
        ]
      }
    },
    {
      "@id": "d3f:CCI-001682_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001682"
    },
    {
      "@id": "d3f:CWE-1116",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1116",
      "rdfs:label": "Inaccurate Comments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:EmbeddedComputer",
      "@type": "owl:Class",
      "d3f:definition": "An embedded computer is a computer system -- a combination of a computer processor, computer memory, and input/output peripheral devices-that has a dedicated function within a larger mechanical or electrical system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use today. Ninety-eight percent of all microprocessors manufactured are used in embedded systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Embedded_system"
      },
      "rdfs:label": "Embedded Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      },
      "skos:altLabel": "Embedded System"
    },
    {
      "@id": "d3f:Blob",
      "@type": "owl:Class",
      "d3f:definition": "A binary large object (BLOB) is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob. They can exist as persistent values inside some databases, or exist at runtime as program variables in some languages. The term is used in NoSQL databases, especially in key-value store databases such as Redis. The term is also used by languages that allow runtime manipulation of Blobs, like JavaScript. (en)",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Binary_large_object"
      },
      "rdfs:label": "Blob",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted remote terminal traffic is encrypted network traffic for a standard remote terminal protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Remote Terminal Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "skos:altLabel": [
        "Outbound Internet Encrypted RDP Traffic",
        "Outbound Internet Encrypted SSH Traffic"
      ]
    },
    {
      "@id": "d3f:DecoySessionToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DST",
      "d3f:definition": "An authentication token created for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nUsage of decoy session tokens may be monitored to track attacker behavior or otherwise control the beliefs of the attacker.\n\n## Considerations\n* Interaction and activity with the decoy session token must be constantly monitored and analyzed to detect unauthorized activity.\n* Session tokens are typically short-lived and therefore the decoy must be continuously updated to provide the appearance of it being used in the production environment.\n* Automated tools can assist with maintenance and updates by automatically adjusting the decoy session token and environment to mimic the production environment.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Decoy Session Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:N5c4939f184f9451499bad6cf6717b5aa"
        }
      ]
    },
    {
      "@id": "_:N5c4939f184f9451499bad6cf6717b5aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:T1059.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.006",
      "rdfs:label": "Python Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:CWE-286",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-286",
      "rdfs:label": "Incorrect User Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:OutboundInternetFileTransferTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Outbound internet file transfer traffic is file transfer traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard file transfer protocol.",
      "rdfs:label": "Outbound Internet File Transfer Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:File_transfer"
        },
        {
          "@id": "dbr:Internetworking"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "_:Neb2bde5074044d58991d6db0ba898226"
        }
      ]
    },
    {
      "@id": "_:Neb2bde5074044d58991d6db0ba898226",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:NetworkFlowSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors network traffic and produces summaries of data flows traversing the network.",
      "d3f:monitors": {
        "@id": "d3f:NetworkFlow"
      },
      "rdfs:label": "Network Flow Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkSensor"
        },
        {
          "@id": "_:N93d2334bec244f78991237dfb2bcf656"
        }
      ]
    },
    {
      "@id": "_:N93d2334bec244f78991237dfb2bcf656",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFlow"
      }
    },
    {
      "@id": "d3f:T1562.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562.007",
      "rdfs:label": "Disable or Modify Cloud Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:T1562"
      }
    },
    {
      "@id": "d3f:name",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "name"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:CWE-53",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-53",
      "rdfs:label": "Path Equivalence: '\\multiple\\\\internal\\backslash'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-165"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:Reference-TPM2.0LibrarySpecification_TrustedComputingGroup,Incorporated",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/resource/tpm-library-specification/"
      },
      "d3f:kb-abstract": "This specification defines the Trusted Platform Module (TPM) a device that enables trust in computing\nplatforms in general. It is broken into parts to make the role of each part clear. All parts are required in\norder to constitute a complete standard. For a complete definition of all requirements necessary to build a TPM, the designer will need to use the appropriate platform-specific specification to understand all of the requirements for a TPM in a specific application or make appropriate choices as an implementer. Those wishing to create a TPM need to be aware that this specification does not provide a complete picture of the options and commands necessary to implement a TPM. To implement a TPM the designer needs to refer to the relevant platform-specific specification to understand the options and settings required for a TPM in a specific type of platform or make appropriate choices as an implementer.",
      "d3f:kb-author": "Trusted Computing Group",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Trusted Computing Group, Incorporated",
      "d3f:kb-reference-of": {
        "@id": "d3f:TPMBootIntegrity"
      },
      "d3f:kb-reference-title": "TPM 2.0 Library Specification",
      "rdfs:label": "Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporated"
    },
    {
      "@id": "d3f:T1042",
      "@type": "owl:Class",
      "d3f:attack-id": "T1042",
      "rdfs:label": "Change Default File Association",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:forges",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x forges y: An technique or agent x counterfeits a digital artifact y, such as a fake credential, with the intent to deceive.",
      "rdfs:label": "forges",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01657814-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:creates"
      }
    },
    {
      "@id": "d3f:real-time-eviction",
      "@type": [
        "owl:NamedIndividual",
        "d3f:EvictionLatency"
      ],
      "rdfs:label": "real-time-eviction"
    },
    {
      "@id": "d3f:ReissueCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RC",
      "d3f:definition": "Issue a new credential to a user which supercedes their old credential.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Reissue Credential",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:N0691cfa23fab4037bcba62f5801149d4"
        }
      ]
    },
    {
      "@id": "_:N0691cfa23fab4037bcba62f5801149d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:T1546.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.002",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Screensaver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N2b8d6244dc7f4c49aedc13a276acda2f"
        },
        {
          "@id": "_:N2ba6a300ea5d4cd09bffda7555c1da5d"
        }
      ]
    },
    {
      "@id": "_:N2b8d6244dc7f4c49aedc13a276acda2f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N2ba6a300ea5d4cd09bffda7555c1da5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-1280",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1280",
      "rdfs:label": "Access Control Check Implemented After Asset is Accessed",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:Reference-AuditUserAccountManagement",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"
      },
      "d3f:kb-abstract": "Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:kb-reference-title": "Audit User Account Management",
      "rdfs:label": "Reference - Audit User Account Management"
    },
    {
      "@id": "d3f:Variance",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VAR",
      "d3f:definition": "Variance is a measure of dispersion, meaning it is a measure of how far a set of numbers is spread out from their average value.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Variance. [Link](https://en.wikipedia.org/wiki/Variance)",
      "rdfs:label": "Variance",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:Volume",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In the context of computer operating systems, a volume or logical drive is a single accessible storage area with a single file system, typically (though not necessarily) resident on a single partition of a hard disk. Although a volume might be different from a physical disk drive, it can still be accessed with an operating system's logical interface. However, a volume differs from a partition.",
      "rdfs:label": "Volume",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": [
        "Drive Volume",
        "Logical Drive"
      ]
    },
    {
      "@id": "d3f:CWE-841",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-841",
      "rdfs:label": "Improper Enforcement of Behavioral Workflow",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1546.015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.015",
      "d3f:loads": {
        "@id": "d3f:ExecutableBinary"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Component Object Model Hijacking",
      "rdfs:seeAlso": {
        "@id": "dbr:Component_Object_Model"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N23b1672f353041a098adb946937a5e67"
        },
        {
          "@id": "_:N2a6d84553c7746f795dde5ac90889b51"
        }
      ]
    },
    {
      "@id": "_:N23b1672f353041a098adb946937a5e67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N2a6d84553c7746f795dde5ac90889b51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:BinarySegment",
      "@type": "owl:Class",
      "d3f:definition": "A binary segment is a partition of binary information within a larger binary object, which arranges a set of binary objects for its purpose.   For example, code, data, heap, and stack segments are segments of the binary information used by a process.  Code and data segments are also found in object files.",
      "rdfs:label": "Binary Segment",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-1092",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1092",
      "rdfs:label": "Use of Same Invokable Control Element in Multiple Architectural Layers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-002394_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002394"
    },
    {
      "@id": "d3f:T1601",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601",
      "rdfs:label": "Modify System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001185_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system invalidates session identifiers upon user logout or other session termination.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001185"
    },
    {
      "@id": "d3f:CWE-449",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-449",
      "rdfs:label": "The UI Performs the Wrong Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-446"
      }
    },
    {
      "@id": "d3f:Exfiltration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 11,
      "rdfs:label": "Exfiltration",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:T1137.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.002",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Office Test",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N545795ce7b334d9d95601f946d9f8779"
        }
      ]
    },
    {
      "@id": "_:N545795ce7b334d9d95601f946d9f8779",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:GroupPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy (\"LGPO\" or \"LocalGPO\") also allows Group Policy Object management on standalone and non-domain computers.",
      "rdfs:label": "Group Policy",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:DisplayAdapter",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphics card (also called a display card, video card, display adapter, or graphics adapter) is an expansion card which generates a feed of output images to a display device (such as a computer monitor). Frequently, these are advertised as discrete or dedicated graphics cards, emphasizing the distinction between these and integrated graphics. At the core of both is the graphics processing unit (GPU), which is the main part that does the actual computations, but should not be confused with the video card as a whole, although \"GPU\" is often used to refer to video cards.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Video_card"
      },
      "rdfs:label": "Display Adapter",
      "rdfs:subClassOf": {
        "@id": "d3f:OutputDevice"
      },
      "skos:altLabel": [
        "Display Card",
        "Graphics Adapter",
        "Video Card"
      ]
    },
    {
      "@id": "d3f:CWE-372",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-372",
      "rdfs:label": "Incomplete Internal State Distinction",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-005/"
      },
      "d3f:kb-abstract": "There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.\n\nWhen a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint--in this case the SCM--is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.\n\nThis compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-03-005: Remotely Launched Executables via Services",
      "rdfs:label": "Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITRE"
    },
    {
      "@id": "d3f:CWE-790",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-790",
      "rdfs:label": "Improper Filtering of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:Hardware-basedProcessIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutionIsolation"
      ],
      "d3f:d3fend-id": "D3-HBPI",
      "d3f:definition": "Preventing one process from writing to the memory space of another process through hardware based address manager implementations.",
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-article": "## How it works\nProcess isolation, in this context, is address space separation controlled by a security function that limits the communication between processes so that one process cannot directly modify the executing code of another process. For example with virtual address space:\n\n* Process A address space is different from process B address space, which prevents process A from writing to process B\n\nHardware process isolation is commonly implemented through Direct Memory Access (DMA) which collaborates with a Memory Management Unit (MMU), or Input-Output Memory Management Unit (IOMMU). These hardware controls are deployed directly on processors to aid hosts or enclaves in process isolation.\n\n* DMA - Direct memory access allows memory access to occur independently of the program currently run by the microprocessor. DMA allows for I/O devices to directly read from and write to memory, or it can be used to efficiently copy blocks of memory. During DMA transfers, the microprocessor can execute an unrelated program.\n* MMU - A memory management unit acts as an access control and is responsible for performing the translation of virtual memory addresses to physical memory addresses. The MMU allocates each process its own virtual memory space.\n* IOMMU - An input-output memory management unit is used to allocate each I/O device its own virtual address space to the underlying physical addresses. IOMMU allows devices that do not support long memory addresses to address the entire memory space.\n\n## Considerations\n* Private hosts may be vulnerable to DMA attack if they have a PCI or PCI Express port that connects attached devices directly to physical address space.\n\n## Implementations:\n * Intel Virtualization Technology for Directed I/O (Intel VT-d)\n * Firecracker",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc"
        },
        {
          "@id": "d3f:Reference-ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc."
        },
        {
          "@id": "d3f:Reference-IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc."
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:synonym": "Virtualization",
      "rdfs:label": "Hardware-based Process Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:Ncbaeba8f19854183ae34bd48c1e63155"
        },
        {
          "@id": "_:N42cd959c4ce94ea689671b29398662ab"
        }
      ]
    },
    {
      "@id": "_:Ncbaeba8f19854183ae34bd48c1e63155",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N42cd959c4ce94ea689671b29398662ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:RFShielding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-RFS",
      "d3f:definition": "Adding physical barriers to a platform to prevent undesired radio interference.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse"
        },
        {
          "@id": "d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities"
        }
      ],
      "rdfs:label": "RF Shielding",
      "rdfs:subClassOf": {
        "@id": "d3f:PlatformHardening"
      }
    },
    {
      "@id": "d3f:CWE-775",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-775",
      "rdfs:label": "Missing Release of File Descriptor or Handle after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-772"
      }
    },
    {
      "@id": "d3f:CCI-001009_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001009"
    },
    {
      "@id": "d3f:T1048.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.002",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:N330854ff168148d1b7adc5b7c99d6e35"
        },
        {
          "@id": "_:Ne42e45ced7bf46369a3d6b54cf6d4ec6"
        }
      ]
    },
    {
      "@id": "_:N330854ff168148d1b7adc5b7c99d6e35",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Ne42e45ced7bf46369a3d6b54cf6d4ec6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:T1122",
      "@type": "owl:Class",
      "d3f:attack-id": "T1122",
      "rdfs:label": "Component Object Model Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-421",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-421",
      "rdfs:label": "Race Condition During Access to Alternate Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-362"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000068_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000068"
    },
    {
      "@id": "d3f:CWE-497",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-497",
      "rdfs:label": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_19",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Validation of Metadata",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(19)"
    },
    {
      "@id": "d3f:OperatingSystemConfigurationComponent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An component of the overall information necessary for the configuration of an operating system.",
      "rdfs:label": "Operating System Configuration Component",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/03085025-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemConfiguration"
      },
      "skos:altLabel": [
        "System Configuration",
        "Operating System Configuration Information"
      ]
    },
    {
      "@id": "d3f:DeonticLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DL",
      "d3f:definition": "Deontic logic addresses the modality of obligations and norms; i.e., the modality of morality.",
      "d3f:kb-article": "## References\n1. Deontic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Deontic_logic)",
      "rdfs:label": "Deontic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:TargetAudience",
      "@type": "owl:Class",
      "rdfs:label": "Target Audience",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDUseCaseThing"
      }
    },
    {
      "@id": "d3f:RegOpenKeyA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:T1584.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.006",
      "rdfs:label": "Web Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:SystemVulnerabilityAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemMapping"
      ],
      "d3f:d3fend-id": "D3-SYSVA",
      "d3f:definition": "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.",
      "d3f:evaluates": {
        "@id": "d3f:DigitalSystem"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase"
      },
      "rdfs:label": "System Vulnerability Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:Nc8bc0b5d99ec4dfbbd669ecda26563c4"
        },
        {
          "@id": "_:N1afb53ca324e4eb18fe8224eca37e9cd"
        }
      ]
    },
    {
      "@id": "_:Nc8bc0b5d99ec4dfbbd669ecda26563c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalSystem"
      }
    },
    {
      "@id": "_:N1afb53ca324e4eb18fe8224eca37e9cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:queries",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "queries",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-query"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Risk Assessment | Predictive Cyber Analytics",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "rdfs:label": "RA-3(4)"
    },
    {
      "@id": "d3f:PhysicalLocation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The terms location  [here, a physical location] and place in geography are used to identify a point or an area on the Earth's surface or elsewhere. The term location generally implies a higher degree of certainty than place, which often indicates an entity with an ambiguous boundary, relying more on human or social attributes of place identity and sense of place than on geometry. The distinction between space and place is considered a central concern of geography, and has been addressed by scholars such as Yi-Fu Tuan and John Agnew.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Location_(geography)"
      },
      "rdfs:label": "Physical Location",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/location",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:T1199",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1199",
      "d3f:creates": {
        "@id": "d3f:LoginSession"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Trusted Relationship",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N1e7e9e882d9b41fe83780f0a3f2f2e21"
        },
        {
          "@id": "_:Na23e9ab8328840048938f0ce1e2ee5e1"
        }
      ]
    },
    {
      "@id": "_:N1e7e9e882d9b41fe83780f0a3f2f2e21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoginSession"
      }
    },
    {
      "@id": "_:Na23e9ab8328840048938f0ce1e2ee5e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-002468_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002468"
    },
    {
      "@id": "d3f:WindowsProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "Windows Process"
    },
    {
      "@id": "d3f:M1027",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:One-timePassword"
        },
        {
          "@id": "d3f:StrongPasswordPolicy"
        }
      ],
      "rdfs:label": "Password Policies"
    },
    {
      "@id": "d3f:WindowsNtCreateThread",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtCreateThread",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateThread"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:LinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "Statistical regression method used for predictive analysis by modeling the linear relationship between independent and dependent variables.",
      "d3f:kb-article": "## How it works\nTakes independent variables (i.e. covariate, features, predictors, input variables) and dependent variables (i.e. response, output, “thing to be estimated”) and produces the coefficient(s) and intercept for a linear equation (e.g. (β1, β0) for y = β1x + β0) which predicts the relationship between the independent and independent variables by minimizing a cost function, Mean Squared Error, either directly in the case of univariate linear regression or by gradient descent* in the case of multivariate linear regression.\n\n## Considerations\n - There are four principal assumptions required for good results using linear regression (the first letters of the four principal assumptions form the \"LINE\" mnemonic):\n   - Linearity and Additivity\n   - Independent Residuals\n   - Normal Residual Distributions\n   - Equal Variances (i.e. homoscedasticity)\n - Linear regression is a low variance/high bias model.\n - Optimizers like Adam, Batch, and Mini-Batch and others are available for certain applications and data sets.\n- A large learning ratio or training coefficient may lead to divergent behavior of the model and too small of values may lead to long run times and inefficiency.\n\n\n## Verification Approach\n - Models are often evaluated by examining one or more of the metrics of R2, Root Mean Squared Error (RMSE), Mean Absolute Error (MAE), and Mean Absolute Percentage Error (MAPE).\n - While there is no generally accepted single best performance metric as a criterion, users of linear regression should consider the suitability of one or more of these metrics for assessing the performance of their model.\n - Use well known data sets to verify model execution.\n\n## Validation Approach\n - Violating the principal assumptions of linear regression results in poor or misleading results.\n - Ensure data is truly representative and if there are any known biases.\n\n\n## References\n1. Gawali, Suvarna. 
“Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/.\n1. Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm.\n1. Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/.\n1. Bochkarev, Alexei. \"A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms\", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.",
      "rdfs:label": "Linear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:AccessControlGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A collection of objects that can have access controls placed on them.",
      "d3f:restricted-by": {
        "@id": "d3f:AccessControlList"
      },
      "rdfs:label": "Access Control Group",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "_:N7d046832996b4fa4a90528381dba682a"
        }
      ]
    },
    {
      "@id": "_:N7d046832996b4fa4a90528381dba682a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricted-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlList"
      }
    },
    {
      "@id": "d3f:CWE-456",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-456",
      "rdfs:label": "Missing Initialization of a Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-909"
      }
    },
    {
      "@id": "d3f:StrongPasswordPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-SPP",
      "d3f:definition": "Modifying system configuration to increase password strength.",
      "d3f:kb-article": "## How it works\nPassword strength guidelines include increasing password length, permitting passwords that contain ASCII or Unicode characters, and requiring systems to screen new passwords against lists of commonly used or compromised passwords.\n## Considerations\nExtremely complex password requirements may lead users to saving passwords in text files or picking obvious passwords that meet the policy.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DigitalIdentityGuidelines800-63-3"
        },
        {
          "@id": "d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords"
        }
      ],
      "d3f:strengthens": [
        {
          "@id": "d3f:Password"
        },
        {
          "@id": "d3f:UserAccount"
        }
      ],
      "rdfs:label": "Strong Password Policy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N93f87349eb9b45cb8db3ba4b1baff97d"
        },
        {
          "@id": "_:Nf0d13127ff304e9da4873881bc682683"
        }
      ]
    },
    {
      "@id": "_:N93f87349eb9b45cb8db3ba4b1baff97d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:Nf0d13127ff304e9da4873881bc682683",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-006/"
      },
      "d3f:kb-abstract": "Certutil.exe may download a file from a remote destination using -urlcache. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. However, it is uncommon for certutil.exe to write files to world writeable paths.\\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments",
      "rdfs:label": "Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITRE"
    },
    {
      "@id": "d3f:UseCaseStep",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Step",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDUseCaseThing"
        },
        {
          "@id": "d3f:Step"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-004/"
      },
      "d3f:kb-abstract": "Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-004: Processes Started From Irregular Parent",
      "rdfs:label": "Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE"
    },
    {
      "@id": "d3f:T1546.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.008",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:may-modify": [
        {
          "@id": "d3f:ExecutableBinary"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        }
      ],
      "rdfs:label": "Accessibility Features",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nd8bf72f07d84497c9cfdf9924104d925"
        },
        {
          "@id": "_:N4758e428d6ad4cfe91cc1b0aa3590384"
        },
        {
          "@id": "_:N0adf529294974db999961f200b82a84e"
        }
      ]
    },
    {
      "@id": "_:Nd8bf72f07d84497c9cfdf9924104d925",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:N4758e428d6ad4cfe91cc1b0aa3590384",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N0adf529294974db999961f200b82a84e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CCI-001145_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001145"
    },
    {
      "@id": "d3f:EvalFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Takes inputs of strings and evaluations them as expressions.",
      "d3f:invokes": {
        "@id": "d3f:Subroutine"
      },
      "rdfs:label": "Eval Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nb10d552c8d674221a5121f9516520861"
        }
      ]
    },
    {
      "@id": "_:Nb10d552c8d674221a5121f9516520861",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1550.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.003",
      "d3f:creates": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Pass The Ticket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:Nc7a12d7089fd441d89eb43fc06cf8f00"
        }
      ]
    },
    {
      "@id": "_:Nc7a12d7089fd441d89eb43fc06cf8f00",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:may-evaluate",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-evaluate",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:DecoyPersona",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DP",
      "d3f:definition": "Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.",
      "d3f:kb-article": "## How it works\nA false online identity is created for the purposes of interacting with adversaries in a direct or indirect manner. This includes the associated email addresses, social media accounts, and other online communication profiles.\n\n## Considerations\n* Include phone numbers and online social profiles as well as automatically or manually responding to contact made to the persona to improve realism.\n* Continuous updating and managing the decoy personas and online activity streams to ensure personas do not become stale and outdated.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_"
        },
        {
          "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc."
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:User"
      },
      "rdfs:label": "Decoy Persona",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:N8cb753e0b7a84f67952fcbb2912b6430"
        }
      ]
    },
    {
      "@id": "_:N8cb753e0b7a84f67952fcbb2912b6430",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:User"
      }
    },
    {
      "@id": "d3f:T1114.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1114.003",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Email Forwarding Rule",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:N65c6aa2713fe4f20825e2278391b1214"
        }
      ]
    },
    {
      "@id": "_:N65c6aa2713fe4f20825e2278391b1214",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:BusinessCommunicationPlatformClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software to enable the process of sharing information between employees within and outside a company.  Business communication encompasses topics such as marketing, brand management, customer relations, consumer behavior, advertising, public relations, corporate communication, community engagement, reputation management, interpersonal communication, employee engagement, and event management. It is closely related to the fields of professional communication and technical communication.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Business_communication"
      },
      "rdfs:label": "Business Communication Platform Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      }
    },
    {
      "@id": "d3f:LinuxPauseThread",
      "@type": "owl:Class",
      "d3f:definition": "Causes the calling thread to sleep until a signal is delivered that either terminates the thread or causes the invocation of a signal-catching function.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/pause.2.html",
      "rdfs:label": "Linux Pause Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendThread"
      }
    },
    {
      "@id": "d3f:CCI-001211_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001211"
    },
    {
      "@id": "d3f:disables",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x disables y: The technique or agent x makes an entity y unable to perform its actions or capabilities.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513267-v"
      },
      "rdfs:label": "disables",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:may-disable"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:CWE-548",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-548",
      "rdfs:label": "Exposure of Information Through Directory Listing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-497"
      }
    },
    {
      "@id": "d3f:CWE-98",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-98",
      "rdfs:label": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "d3f:CWE-829"
        }
      ]
    },
    {
      "@id": "d3f:Reference-DataProcessingAndScanningSystemsForGeneratingAndPopulatingADataInventory",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US11240273B2/"
      },
      "d3f:kb-abstract": "In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.",
      "d3f:kb-author": "Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon",
      "d3f:kb-organization": "OneTrust LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:DataInventory"
      },
      "d3f:kb-reference-title": "Data processing and scanning systems for generating and populating a data inventory",
      "rdfs:label": "Reference - Data processing and scanning systems for generating and populating a data inventory"
    },
    {
      "@id": "d3f:T1078",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078",
      "d3f:produces": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:uses": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Valid Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:Nb5a1749fc14d4075b74ccc248a1578ff"
        },
        {
          "@id": "_:Nde07abd8ea8448908bb7669c85c948fb"
        },
        {
          "@id": "_:N08b7beea631f428ca5447d7f5b5bc55b"
        }
      ]
    },
    {
      "@id": "_:Nb5a1749fc14d4075b74ccc248a1578ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nde07abd8ea8448908bb7669c85c948fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "_:N08b7beea631f428ca5447d7f5b5bc55b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:d3fend-display-annotation",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "d3fend-display-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-683",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-683",
      "rdfs:label": "Function Call With Incorrect Order of Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:RegSetValueExA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:T1166",
      "@type": "owl:Class",
      "d3f:attack-id": "T1166",
      "rdfs:label": "Setuid and Setgid",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:IntranetIPCNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet IPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard inter-process communication (IPC) networking protocol.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Intranet IPC Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Intranet"
        },
        {
          "@id": "dbr:Inter-process_communication"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IPCNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "_:N0848747b44ba4baa85d44aefcece4434"
        }
      ]
    },
    {
      "@id": "_:N0848747b44ba4baa85d44aefcece4434",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-002689_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system collects indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002689"
    },
    {
      "@id": "d3f:LogicProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LP",
      "d3f:definition": "Logic programming is a programming paradigm which is largely based on formal logic.",
      "d3f:kb-article": "## How it works\nAny program written in a logic programming language is a set of sentences in logical form, expressing facts and rules about some problem domain. Major logic programming language families include Prolog, answer set programming (ASP) and Datalog. In all of these languages, rules are written in the form of clauses:\n\nH :- B_1, ..., B_n.\n\n## References\n1. Logic programming. (2023, May 29). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming)",
      "rdfs:label": "Logic Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://nsl.cs.columbia.edu/projects/minestrone/papers/Symbiotes.pdf"
      },
      "d3f:kb-abstract": "A large number of embedded devices on the internet, such as routers and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDS's, are available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device.",
      "d3f:kb-author": "Ang Cui, Salvatore J. Stolfo",
      "d3f:kb-organization": "Department of Computer Science Columbia University",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareEmbeddedMonitoringCode"
      },
      "d3f:kb-reference-title": "Defending Embedded Systems with Software Symbiotes",
      "rdfs:label": "Reference - Firmware Embedded Monitoring Code Symbiotes"
    },
    {
      "@id": "d3f:BookReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Book",
      "rdfs:label": "Book Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:CWE-233",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-233",
      "rdfs:label": "Improper Handling of Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOTFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOT File"
    },
    {
      "@id": "d3f:Reference-SMBSessionSetups_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-09-003/"
      },
      "d3f:kb-abstract": "Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.\n\nThis analytic monitors SMB activity that deals with user activity rather than file activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:IPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-09-003: SMB Session Setups",
      "rdfs:label": "Reference - CAR-2013-09-003: SMB Session Setups - MITRE"
    },
    {
      "@id": "d3f:T1005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ],
      "d3f:attack-id": "T1005",
      "rdfs:label": "Data from Local System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N6658f8666b234ff9b35dac9d470de4e2"
        },
        {
          "@id": "_:Nac4ed70e4d1140b1b4c99b36504d030d"
        }
      ]
    },
    {
      "@id": "_:N6658f8666b234ff9b35dac9d470de4e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Nac4ed70e4d1140b1b4c99b36504d030d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:NetworkPackets",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_packet"
      },
      "rdfs:label": "Network Packet",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:SystemFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on a computer's main board which manages the initial boot process. It can also continue to run or function after the operating system boots.",
      "rdfs:label": "System Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      },
      "skos:altLabel": [
        "BIOS Firmware",
        "UEFI Firmware"
      ]
    },
    {
      "@id": "d3f:CWE-488",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-488",
      "rdfs:label": "Exposure of Data Element to Wrong Session",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:ProcessDataSegment",
      "@type": "owl:Class",
      "d3f:definition": "A process data segment is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image data segment.",
      "rdfs:label": "Process Data Segment",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Data_segment"
        },
        "Image Data Segment"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:SecurityToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:AccessToken"
      },
      "d3f:definition": "Security tokens are peripheral devices used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Security_token"
      },
      "rdfs:label": "Security Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N4ddb6c4f0358447982a644830fad18e7"
        }
      ]
    },
    {
      "@id": "_:N4ddb6c4f0358447982a644830fad18e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:Reference-WebAuthentication_AnAPIForAccessingPublicKeyCredentials%0ALevel2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.w3.org/TR/webauthn-2/"
      },
      "d3f:kb-abstract": "This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.",
      "d3f:kb-author": "W3C",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialTransmissionScoping"
      },
      "d3f:kb-reference-title": "Web Authentication: An API for accessing Public Key Credentials Level 2",
      "rdfs:label": "Reference - Web Authentication: An API for accessing Public Key Credentials Level 2"
    },
    {
      "@id": "d3f:IdentifierReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierAnalysis"
      ],
      "d3f:d3fend-id": "D3-IRA",
      "d3f:definition": "Analyzing the reputation of an identifier.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Finding_phishing_sites"
      },
      "rdfs:label": "Identifier Reputation Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:IdentifierAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-SecureCachingOfServerCredentials_DellProductsLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100107241A1"
      },
      "d3f:kb-abstract": "A credential caching system includes receiving a set of authentication credentials, storing the set of authentication credentials in a credential cache memory, wherein the credential cache memory is coupled with a management controller, and supplying the set of authentication credentials for automatic authentication during a reset or reboot. In the event of a security breach, the credential caching system clears the set of authentication credentials from the credential cache memory so that the set of authentication credentials may no longer be used for a reset or reboot.",
      "d3f:kb-author": "Muhammed K. Jaber, Mukund P. Khatri, Kevin T. Marks, Don Charles McCall",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Dell Products LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:kb-reference-title": "Secure caching of server credentials",
      "rdfs:label": "Reference - Secure caching of server credentials - Dell Products LP"
    },
    {
      "@id": "d3f:CCI-001764_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001764"
    },
    {
      "@id": "d3f:CWE-75",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-75",
      "rdfs:label": "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:CCI-001127_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the integrity of transmitted information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001127"
    },
    {
      "@id": "d3f:CCI-000058_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for users to directly initiate session lock mechanisms.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000058"
    },
    {
      "@id": "d3f:CollectionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Collection"
      },
      "rdfs:label": "Collection Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nb64de08cee4940048cbe91a99c3544f2"
        }
      ]
    },
    {
      "@id": "_:Nb64de08cee4940048cbe91a99c3544f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Collection"
      }
    },
    {
      "@id": "d3f:SystemConfigurationPermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-SCP",
      "d3f:definition": "Restricting system configuration modifications to a specific user or group of users.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript"
      },
      "d3f:restricts": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "System Configuration Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N431193169a3b4e6c80da7c28ce4a327d"
        },
        {
          "@id": "_:Na19da556084c4bc2a09231c3927f0d85"
        }
      ]
    },
    {
      "@id": "_:N431193169a3b4e6c80da7c28ce4a327d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Na19da556084c4bc2a09231c3927f0d85",
      "@type": "owl:Restriction",
      "owl:hasValue": {
        "@id": "d3f:M1028"
      },
      "owl:onProperty": {
        "@id": "d3f:restricts"
      }
    },
    {
      "@id": "d3f:InformationContentEntity",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": "BFO, Cyc equiv, SUMO equiv, [Ontology Works] equiv",
      "rdfs:label": "Information Content Entity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCatalogThing"
        },
        {
          "@id": "_:N4ceb70cd10e541f7ad60e8a21edfafbc"
        }
      ]
    },
    {
      "@id": "_:N4ceb70cd10e541f7ad60e8a21edfafbc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:archived-at"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:anyURI"
      }
    },
    {
      "@id": "d3f:ActivePhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-APLM",
      "d3f:definition": "Active physical link mapping sends and receives network traffic as a means to map the physical layer.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
        },
        {
          "@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps"
        }
      ],
      "d3f:may-query": {
        "@id": "d3f:CollectorAgent"
      },
      "d3f:synonym": "Active Physical Layer Mapping",
      "owl:disjointWith": {
        "@id": "d3f:PassivePhysicalLinkMapping"
      },
      "rdfs:label": "Active Physical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkMapping"
        },
        {
          "@id": "_:N8f3e00b08a084e01a0e0efcb0644c5cf"
        }
      ]
    },
    {
      "@id": "_:N8f3e00b08a084e01a0e0efcb0644c5cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-query"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CollectorAgent"
      }
    },
    {
      "@id": "d3f:publishes",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "publishes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:WindowsNtTerminateProcess",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtTerminateProcess",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPITerminateProcess"
        }
      ]
    },
    {
      "@id": "d3f:NaiveBayesClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NBC",
      "d3f:definition": "The Naïve Bayes classifier is a supervised machine learning algorithm, which is used for classification tasks, like text classification. It is also part of a family of generative learning algorithms, meaning that it seeks to model the distribution of inputs of a given class or category.",
      "d3f:kb-article": "## References\nNaive Bayes. IBM. [Link](https://www.ibm.com/topics/naive-bayes?mhsrc=ibmsearch_a&mhq=naive%20bayes).",
      "rdfs:label": "Naive Bayes Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:T1055",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055",
      "rdfs:label": "Process Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1489",
      "@type": "owl:Class",
      "d3f:attack-id": "T1489",
      "rdfs:label": "Service Stop",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1107",
      "@type": "owl:Class",
      "d3f:attack-id": "T1107",
      "rdfs:label": "File Deletion",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000346_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to enforce access restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000346"
    },
    {
      "@id": "d3f:T1053.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.006",
      "rdfs:label": "Systemd Timers",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:CCI-002385_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002385"
    },
    {
      "@id": "d3f:ExecutionIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-EI",
      "d3f:definition": "Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "rdfs:label": "Execution Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N496ee2b9d834420d81cee35dd5c976c1"
        }
      ]
    },
    {
      "@id": "_:N496ee2b9d834420d81cee35dd5c976c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:CCI-001239_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001239"
    },
    {
      "@id": "d3f:CWE-1126",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1126",
      "rdfs:label": "Declaration of Variable with Unnecessarily Wide Scope",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-issuer-revoke"
      },
      "d3f:kb-author": "Barclay Neira, Christer Ljung, Juan Camilo Ruiz, John Flores",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialRevoking"
      },
      "d3f:kb-reference-title": "Revoke a previously issued verifiable credential",
      "rdfs:label": "Reference - Revoke a previously issued verifiable credential - Microsoft"
    },
    {
      "@id": "d3f:T1569.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569.002",
      "rdfs:label": "Service Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1569"
      }
    },
    {
      "@id": "d3f:CWE-1048",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1048",
      "rdfs:label": "Invokable Control Element with Large Number of Outward Calls",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-89",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-89",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-943"
        },
        {
          "@id": "_:Nd0f25c1039004c1590d8117f729cdd57"
        }
      ]
    },
    {
      "@id": "_:Nd0f25c1039004c1590d8117f729cdd57",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:modifies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x modifies y: A technique or agent x causes a digital object y to change, become different, or undergo a transformation. Afterwards, the data or state held by the digital object is changed.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00126072-v"
      },
      "rdfs:label": "modifies",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:accesses"
        },
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-modify"
        }
      ],
      "skos:altLabel": "alters"
    },
    {
      "@id": "d3f:CCI-000218_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000218"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8307430B1"
      },
      "d3f:kb-abstract": "A system and method is provided to identify UDP attacks. A processor determines a spectral density of packet timing intervals, a natural distance between the spectral density and a uniform distribution, and a non-linear amplifier applying a non-linear amplification to the natural distance to detect a denial-of-service attack. It uses the concept of traffic statistics analysis, i.e., spectral densities of arrived-packet timing intervals, calculates the KL-distance measurement and makes decision based on the output of a non-linear Gaussian amplifier, with which one can easily adjust the amplifier via selecting different parameters of mean and variance to satisfy system requirements of false-positive and false-negative UDP attack detections.",
      "d3f:kb-author": "Hongda Chen, Lijin Lu",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for UDP flood attack detection",
      "rdfs:label": "Reference - Method and system for UDP flood attack detection - Riorey LLC"
    },
    {
      "@id": "d3f:CWE-413",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-413",
      "rdfs:label": "Improper Resource Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:T1178",
      "@type": "owl:Class",
      "d3f:attack-id": "T1178",
      "rdfs:label": "SID-History Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:dependsOn",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:has-dependent"
      },
      "rdfs:isDefinedBy": [
        "http://wordnet-rdf.princeton.edu/id/00729216-a",
        "x depends-on y: The entity x is contingent on y being available; x relies on y."
      ],
      "rdfs:label": "depends-on",
      "rdfs:seeAlso": "https://www.cisa.gov/what-are-dependencies",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:StaticAnalysisTool",
      "@type": "owl:Class",
      "d3f:definition": "A static [program] analysis tool performs an automated analysis of computer software without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Static_program_analysis"
      },
      "rdfs:label": "Static Analysis Tool",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Program_analysis"
        },
        {
          "@id": "dbr:Category:Program_analysis"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CodeAnalyzer"
      },
      "skos:altLabel": "Static Program Analysis Tool"
    },
    {
      "@id": "d3f:ASCIIDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "ASCII Domain Name"
    },
    {
      "@id": "d3f:LogicalLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Logical Link",
      "rdfs:subClassOf": {
        "@id": "d3f:Link"
      }
    },
    {
      "@id": "d3f:CCI-000187_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000187"
    },
    {
      "@id": "d3f:CCI-000771_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000771"
    },
    {
      "@id": "d3f:CCI-002465_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002465"
    },
    {
      "@id": "d3f:IntranetNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An intranet is a private network accessible only to an organization's staff or delegates. Generally a wide range of information and services from the organization's internal IT systems are available that would not be available to the public from the Internet. A company-wide intranet can constitute an important focal point of internal communication and collaboration, and provide a single starting point to access internal and external resources. In its simplest form an intranet is established with the technologies for local area networks (LANs) and wide area networks (WANs).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Intranet"
      },
      "rdfs:label": "Intranet Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-3_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security Function Isolation | Hardware Separation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutionIsolation"
      },
      "rdfs:label": "SC-3(1)"
    },
    {
      "@id": "d3f:LinuxClone3ArgumentCLONE_THREAD",
      "@type": "owl:Class",
      "d3f:definition": "A flag parameter to the Clone3 syscall. If set, the child is placed in the same thread group as the calling process.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/clone3.2.html",
      "rdfs:label": "Linux Clone3 Argument CLONE_THREAD",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_9",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Restrictions on Use of Shared and Group Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "rdfs:label": "AC-2(9)"
    },
    {
      "@id": "d3f:C4.5",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-C4.",
      "d3f:definition": "C4.5 is an algorithm that is strongly based on ID3. It creates decision trees the same way as ID3. C4.5 improves on several aspects of ID3, including handling discrete variables, handling training data with missing values, and automatically pruning the decision trees it creates.",
      "d3f:kb-article": "## References\nC4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).",
      "rdfs:label": "C4.5",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:Reference-GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7287166B1/en?oq=US-7287166-B1"
      },
      "d3f:kb-abstract": "A method of protecting a software program from unauthorized modification, and a system for practicing the method. The method utilizes self-protecting software code. Armed internally with self-defensive mechanisms, a self-protecting software program is tamper-resistant. Whenever its integrity is compromised, a self-protecting software program may become unusable due to software program crashes or other errors, or may generate subtle errors that do not immediately render the program unusable but still result in incorrect software program execution. A self-protecting software program also may be able to repair itself to restore the integrity of its damaged code. The system comprises a computer program for automatically adding self-protection features to a software program.",
      "d3f:kb-author": "Hoi Chang; Mikhail J. Atallah; John R. Rice",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Purdue Research Foundation",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Guards for application in software tamperproofing",
      "rdfs:label": "Reference - Guards for application in software tamperproofing - Purdue Research Foundation"
    },
    {
      "@id": "d3f:CWE-1004",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1004",
      "rdfs:label": "Sensitive Cookie Without 'HttpOnly' Flag",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:SystemConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database used to hold system configuration data.",
      "rdfs:label": "System Configuration Database",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:OperatingSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:SystemServiceSoftware"
        }
      ],
      "d3f:definition": "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. All computer programs, excluding firmware, require an operating system to function. Time-sharing operating systems schedule tasks for efficient use of the system and may also include accounting software for cost allocation of processor time, mass storage, printing, and other resources.",
      "d3f:may-contain": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      },
      "rdfs:label": "Operating System",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Operating_system"
        },
        "https://schema.ocsf.io/objects/os"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N0b326c50ff00403a82f9775e7fffc657"
        },
        {
          "@id": "_:N445676195eea40529432ce6a5f7afd9e"
        },
        {
          "@id": "_:N2c76ccd9d3b04c40b60bc4d1ef826c39"
        }
      ]
    },
    {
      "@id": "_:N0b326c50ff00403a82f9775e7fffc657",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:N445676195eea40529432ce6a5f7afd9e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemServiceSoftware"
      }
    },
    {
      "@id": "_:N2c76ccd9d3b04c40b60bc4d1ef826c39",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      }
    },
    {
      "@id": "d3f:T1608.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.005",
      "rdfs:label": "Link Target",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://dl.acm.org/doi/pdf/10.1145/2046707.2046711"
      },
      "d3f:kb-abstract": "Recent research demonstrates that malware can infect peripherals' firmware in a typical x86 computer system, e.g., by exploiting vulnerabilities in the firmware itself or in the firmware update tools. Verifying the integrity of peripherals' firmware is thus an important challenge. We propose software-only attestation protocols to verify the integrity of peripherals' firmware, and show that they can detect all known software-based attacks.",
      "d3f:kb-author": "Yanlin Li, Jonathan M. McCune, Adrian Perrig",
      "d3f:kb-organization": "CyLab, Carnegie Mellon University",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareBehaviorAnalysis"
      },
      "d3f:kb-reference-title": "VIPER: Verifying the Integrity of PERipherals' Firmware",
      "rdfs:label": "Reference - Firmware Behavior Analysis VIPER"
    },
    {
      "@id": "d3f:CredentialTransmissionScoping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-CTS",
      "d3f:definition": "Limiting the transmission of a credential to a scoped set of relying parties.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WebAuthentication_AnAPIForAccessingPublicKeyCredentials%0ALevel2"
      },
      "d3f:restricts": {
        "@id": "d3f:Credential"
      },
      "d3f:synonym": "Phishing Resistant Authentication",
      "rdfs:label": "Credential Transmission Scoping",
      "rdfs:seeAlso": [
        {
          "@id": "https://pages.nist.gov/TIG-Stage/sp800-63c.html"
        },
        {
          "@id": "https://www.w3.org/TR/webauthn-2/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:Nfda903d5fbab449fa37d11fb2efbc78d"
        }
      ]
    },
    {
      "@id": "_:Nfda903d5fbab449fa37d11fb2efbc78d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:modifies-part",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x modifies-part y: The entity x modifies a part of y.  [Note: This is a rolification property for the rule 'if one modifies a part of a whole, they modify the whole.'  Reasoning for this and similar semantics to come are under evaluation and not part of current d3fend inferences.]",
      "owl:propertyChainAxiom": {
        "@list": [
          {
            "@id": "d3f:modifies"
          },
          {
            "@id": "d3f:contains"
          }
        ]
      },
      "rdfs:label": "modifies-part",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-modify"
      }
    },
    {
      "@id": "d3f:Reference-ThePyramidOfPain-DavidBianco",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html"
      },
      "d3f:kb-abstract": "This article identifies progressive levels of adversary difficulty encountered for various types of indicators.",
      "d3f:kb-author": "David Bianco",
      "d3f:kb-reference-of": {
        "@id": "d3f:IdentifierActivityAnalysis"
      },
      "d3f:kb-reference-title": "The Pyramid of Pain",
      "rdfs:label": "Reference - The Pyramid of Pain - David Bianco"
    },
    {
      "@id": "d3f:T1546.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.010",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "AppInit DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N88b8be6ce30b411082f5cbb4c32b8b8b"
        },
        {
          "@id": "_:N4ac00d18e48d41f5b9ff5738e9211d9c"
        },
        {
          "@id": "_:N916f64f5611e4f4e99653396d635de6a"
        }
      ]
    },
    {
      "@id": "_:N88b8be6ce30b411082f5cbb4c32b8b8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N4ac00d18e48d41f5b9ff5738e9211d9c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N916f64f5611e4f4e99653396d635de6a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:OSAPITraceProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:TraceProcess"
      },
      "rdfs:label": "OS API Trace Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N0139e7d8b8b4486cb17c0a30629c2248"
        }
      ]
    },
    {
      "@id": "_:N0139e7d8b8b4486cb17c0a30629c2248",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TraceProcess"
      }
    },
    {
      "@id": "d3f:Range",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RAN",
      "d3f:definition": "The range of a set of data is the difference between the largest and smallest value.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Range (statistics). [Link](https://en.wikipedia.org/wiki/Range_(statistics))",
      "rdfs:label": "Range",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:DomainNameReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:DomainName"
      },
      "d3f:d3fend-id": "D3-DNRA",
      "d3f:definition": "Analyzing the reputation of a domain name.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages"
        },
        {
          "@id": "d3f:Reference-Finding_phishing_sites"
        }
      ],
      "rdfs:label": "Domain Name Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:Na981d29e17de42ab87226c079ba05534"
        }
      ]
    },
    {
      "@id": "_:Na981d29e17de42ab87226c079ba05534",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "d3f:T1537",
      "@type": "owl:Class",
      "d3f:attack-id": "T1537",
      "rdfs:label": "Transfer Data to Cloud Account",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:AlethicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AL",
      "d3f:definition": "Alethic logic is a modal logic that addresses the modalities of necessity and possibility.",
      "d3f:kb-article": "## References\n1. Alethic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Alethic_logic)",
      "rdfs:label": "Alethic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:T1555.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1555.005",
      "rdfs:label": "Password Managers",
      "rdfs:subClassOf": {
        "@id": "d3f:T1555"
      }
    },
    {
      "@id": "d3f:T1587.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.004",
      "rdfs:label": "Exploits",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:CWE-602",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-602",
      "rdfs:label": "Client-Side Enforcement of Server-Side Security",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:Reference-QualysNetworkPassiveSensorGettingStartedGuide",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.qualys.com/passive-scanning-sensor/"
      },
      "d3f:kb-abstract": "Qualys Passive Scanning Sensor (PS) continuously monitors all network traffic and flags any asset activity. It identifies and profiles devices the moment they connect to the network, including those difficult to scan, corporate owned, brought by employees, and rogue IT. The data is sent immediately to the Qualys Cloud Platform for centralized analysis.",
      "d3f:kb-organization": "Qualys",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        }
      ],
      "d3f:kb-reference-title": "Qualys Network Passive Sensor Getting Started Guide",
      "rdfs:label": "Reference - Qualys Network Passive Sensor Getting Started Guide"
    },
    {
      "@id": "d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10162962B1"
      },
      "d3f:kb-abstract": "The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.",
      "d3f:kb-author": "Adam Glick; Brian Schlatter; Feng Li; Akshata Krishnamoorthy Rao",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Symantec Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialCompromiseScopeAnalysis"
      },
      "d3f:kb-reference-title": "Systems and methods for detecting credential theft",
      "rdfs:label": "Reference - Systems and methods for detecting credential theft - Symantec Corp"
    },
    {
      "@id": "d3f:Reference-FileIntegrityMonitoringinMicrosoftDefenderforCloud-Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileIntegrityMonitoring"
      },
      "d3f:kb-reference-title": "File Integrity Monitoring in Microsoft Defender for Cloud",
      "rdfs:label": "Reference - File Integrity Monitoring in Microsoft Defender for Cloud - Microsoft"
    },
    {
      "@id": "d3f:CCI-000880_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization audits non-local maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000880"
    },
    {
      "@id": "d3f:DatabaseQueryStringAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:d3fend-id": "D3-DQSA",
      "d3f:definition": "Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).",
      "d3f:kb-article": "## How it works\n\nSome implementations use software hooks to intercept function calls related to database query operations. Other implementations might intercept or collect network traffic. The database query string is then extracted and analyzed with various methods, for example:\n* Detecting specific administrative SQL commands\n* Anomalous sequences of commands when compared to a statistical baseline.\n* Anomalous commands for a given user role.\n\n## Considerations\n\nSome capabilities sanitize queries before permitting them to be transmitted to the database. This incurs risks such as altering data in an undesired way or breaking application functionality.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForInternetSecurity_CylanceInc"
      },
      "rdfs:label": "Database Query String Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N39ae01c488b34a96b71cbbd57e9776b2"
        }
      ]
    },
    {
      "@id": "_:N39ae01c488b34a96b71cbbd57e9776b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "d3f:NetworkTrafficCommunityDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-NTCD",
      "d3f:definition": "Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.",
      "d3f:kb-article": "## How it works\nHosts/users within a computer network are analyzed to identify communities of hosts which frequently communicate. Future communications between communities that don't usually communicate can then be detected.  For example, if a community of hosts that communicate in support of a company's finance division suddenly starts to access the code server usually accessed only by engineers, this may indicate unauthorized activity.\n\n## Considerations\n* Potential for false positives in very dynamic network environments.\n* Attackers that move low and slow may not differentiate their behavior enough to trigger an alert.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc"
      },
      "rdfs:label": "Network Traffic Community Deviation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N78c628a26d454ad8a1a9c45576b6c677"
        }
      ]
    },
    {
      "@id": "_:N78c628a26d454ad8a1a9c45576b6c677",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1546.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.007",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "d3f:produces": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Netsh Helper DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N0b932368a37a4f218e51ce0ae020214f"
        },
        {
          "@id": "_:N64afedbe26e5442a8c92d7984107e3c6"
        }
      ]
    },
    {
      "@id": "_:N0b932368a37a4f218e51ce0ae020214f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "_:N64afedbe26e5442a8c92d7984107e3c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1119",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1119",
      "rdfs:label": "Automated Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N19a76a9833124e509dcf28b52018ef21"
        }
      ]
    },
    {
      "@id": "_:N19a76a9833124e509dcf28b52018ef21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1055.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.013",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Process Doppelgänging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nd0b350ebe5a447baa225533a326d27af"
        }
      ]
    },
    {
      "@id": "_:Nd0b350ebe5a447baa225533a326d27af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1596.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.002",
      "rdfs:label": "WHOIS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:MemoryFreeFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Releases previously reserved memory associated with a process.",
      "d3f:invokes": {
        "@id": "d3f:FreeMemory"
      },
      "rdfs:label": "Memory Free Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nb614e9397ce04577ab8ed31b6f3f196b"
        }
      ]
    },
    {
      "@id": "_:Nb614e9397ce04577ab8ed31b6f3f196b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FreeMemory"
      }
    },
    {
      "@id": "d3f:FileCarving",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileTransferNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-FC",
      "d3f:definition": "Identifying and extracting files from network application protocols through the use of network stream reassembly software.",
      "d3f:kb-article": "## How it works\nProtocol stream reassembly software recreates a directional byte stream by analyzing captured network packets. Once the stream is reassembled, pattern matching is applied to determine whether it contains a file of interest. Files of interest include executable, archive, and document file formats. Once the file is captured, it is then processed with standard File Analysis Techniques. Example network protocols include HTTP, SMTP, FTP, HTTP/2, and TLS/HTTP/Dropbox.\n\n## Considerations\n- This is an error-prone process due to the intricacies of network protocols and network packet capture.  For example, reassembly may be done in real-time or streaming fashion, or packets may be written to disk and then bulk processed.  The packets may arrive out of order, with fragmentation, duplicates, or re-transmissions.  The reassembly software must compensate for the imperfect packet stream in order to recreate the well-formed file which was transmitted.\n- File type identification can be difficult, and adversaries can exploit identification errors so that a file of interest is not recognized and extracted.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ComputerWormDefenseSystemAndMethod_FireEyeInc"
      },
      "rdfs:label": "File Carving",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N3814a3fa5abf47169a21b40b8960fb97"
        }
      ]
    },
    {
      "@id": "_:N3814a3fa5abf47169a21b40b8960fb97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileTransferNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1499.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.003",
      "rdfs:label": "Application Exhaustion Flood",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:T1115",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1115",
      "d3f:reads": {
        "@id": "d3f:Clipboard"
      },
      "rdfs:label": "Clipboard Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N08cf71921f6e48a19fa91074b68d98e6"
        }
      ]
    },
    {
      "@id": "_:N08cf71921f6e48a19fa91074b68d98e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Clipboard"
      }
    },
    {
      "@id": "d3f:NetworkSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:NetworkPackets"
      },
      "d3f:definition": "A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Network sessions may be established and implemented as part of protocols and services at the application, session, or transport layers of the OSI model.",
      "rdfs:label": "Network Session",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Session_(computer_science)"
        },
        "https://schema.ocsf.io/objects/network_connection_info",
        {
          "@id": "dbr:OSI_model"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTraffic"
        },
        {
          "@id": "_:N1d38b3944af149dc8901556404954912"
        }
      ]
    },
    {
      "@id": "_:N1d38b3944af149dc8901556404954912",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkPackets"
      }
    },
    {
      "@id": "d3f:RegOpenKeyExW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:ContainerProcess",
      "@type": "owl:Class",
      "d3f:definition": "A running instance of a d3f:ContainerImage",
      "rdfs:label": "Container Process",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/container"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationProcess"
      }
    },
    {
      "@id": "d3f:FirmwareSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects information on firmware installed on an Endpoint.",
      "d3f:monitors": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Firmware Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N0d04a3aea2884356afb97912ec98e38c"
        }
      ]
    },
    {
      "@id": "_:N0d04a3aea2884356afb97912ec98e38c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:T1522",
      "@type": "owl:Class",
      "d3f:attack-id": "T1522",
      "rdfs:label": "Cloud Instance Metadata API",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190026466A1"
      },
      "d3f:kb-abstract": "Example techniques herein determine that a trial data stream is associated with malware (\"dirty\") using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss) and determine the local CM based on the first feature vector. The control unit can receive a trial feature vector representing the trial data stream. The control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM can define a dirty region in a feature space. The control unit can determine the local CM based on the first feature vector and other clean or dirty feature vectors, e.g., a clean feature vector nearest to the first feature vector.",
      "d3f:kb-author": "Sven Krasser, David Elkind, Patrick Crenshaw, Kirby James Koster",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Malware detection using local computational models",
      "rdfs:label": "Reference - Malware detection using local computational models - Crowdstrike Inc"
    },
    {
      "@id": "d3f:ProcessCodeSegmentVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:d3fend-id": "D3-PCSV",
      "d3f:definition": "Comparing the \"text\" or \"code\" memory segments to a source of truth.",
      "d3f:kb-article": "## How it works\nA process code segment is an executable portion of computer memory allocated to a particular process. Process Code Segment Verification implements verification to compare a process code segment to some expected value.\n\n### Verification logic\nVerification can occur during application startup, or continuously during execution. The logic which verifies the process code may be separate in a third-party process, embedded in the application itself at compile time, or dynamically linked at runtime.\n\n### System of record\nExamples of systems of record:\n\n * On-disk application binary files or checksums\n * Remotely stored binary data or checksums\n * Embedded binary data or checksums\n\n### Post Verification Actions\nIf the verification function determines a process code segment may have been altered, a capability may invoke Eviction techniques such as **Process Termination** to end the current process, or **Executable Blacklisting** to prevent the executable from launching in the future.\n\n## Considerations\n\n### False positives\n\nFalse positives commonly occur in the case that the layout of code in the process segment is legitimately modified:\n\n*  Operating system features or third-party security software may modify the layout of process code, for example in the defensive technique **Segment Address Offset Randomization**, or in the case that a module is rebased.  
In both of these cases, the alteration occurs before the code is fully loaded into memory, and it would be possible to avoid the false positive by securely feeding this constant offset and any relocation data into the verification logic.\n\n* Process code segments may be written to modify themselves or other process code segments; however, this goes against widely-accepted current practices in software development.\n\n### False negatives\n\nFalse negatives can occur via alteration of the verification logic or source of truth, or insufficient verification logic.\n\n* Verification techniques which are executed only locally may be defeated by altering the local verification logic.\n\n* Verification that is run only on a recurring basis could be evaded if the malicious alteration is completed before verification is run.\n\n* Verification that requests an operation to be performed on a subset of the code segment could be evaded by performing that operation on a copy of the relevant bytes of the code segment.\n\n* Verification based on a system of record that can be altered may fail if that system of record is modifiable by a malicious user.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc"
        },
        {
          "@id": "d3f:Reference-GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc"
        },
        {
          "@id": "d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc"
        },
        {
          "@id": "d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Process Code Segment Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:Ne0455b5070d94d4a912902eb487d5aeb"
        }
      ]
    },
    {
      "@id": "_:Ne0455b5070d94d4a912902eb487d5aeb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:T1573.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573.002",
      "d3f:creates": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "rdfs:label": "Asymmetric Cryptography",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1573"
        },
        {
          "@id": "_:N72b945f306934473b1c59cebf169a971"
        },
        {
          "@id": "_:N1c904de4e78b403ea1f7cc13b4b4bd1b"
        }
      ]
    },
    {
      "@id": "_:N72b945f306934473b1c59cebf169a971",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "_:N1c904de4e78b403ea1f7cc13b4b4bd1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:CCI-002309_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002309"
    },
    {
      "@id": "d3f:T1585.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585.002",
      "rdfs:label": "Email Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1585"
      }
    },
    {
      "@id": "d3f:CCI-001403_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account modification actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001403"
    },
    {
      "@id": "d3f:ActiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AL",
      "d3f:definition": "Active learning aims to improve learning efficiency by allowing the learning algorithm to select which data to learn from.",
      "d3f:kb-article": "## How it works\nTraditional supervised learning often requires a large number of labeled instances, which can be costly or time-consuming to obtain. Active learning addresses this labeling bottleneck by asking an oracle (e.g., a human annotator) to label selected unlabeled instances. The goal is to achieve high accuracy with minimal labeling effort.\n\n## Considerations\nActive learning is particularly useful in scenarios where data is abundant but labeled instances are scarce or expensive. Examples include speech recognition, information extraction, and document classification.\n\n## References\n- Wikipedia article on Active Learning (machine learning) [Link](https://en.wikipedia.org/wiki/Active_learning_(machine_learning))\n- Settles, B. (2009). Active Learning Literature Survey. [Link](https://burrsettles.com/pub/settles.activelearning.pdf)",
      "rdfs:label": "Active Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-767",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-767",
      "rdfs:label": "Access to Critical Private Variable via Public Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-520",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-520",
      "rdfs:label": ".NET Misconfiguration: Use of Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:CWE-1074",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1074",
      "rdfs:label": "Class with Excessively Deep Inheritance",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:T1155",
      "@type": "owl:Class",
      "d3f:attack-id": "T1155",
      "rdfs:label": "AppleScript",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:T1546.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.003",
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Windows Management Instrumentation Event Subscription",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N4af22191f24d439fa684f61fe963e7b9"
        },
        {
          "@id": "_:N9ca4010dd54e45838d3571f3720d0875"
        }
      ]
    },
    {
      "@id": "_:N4af22191f24d439fa684f61fe963e7b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:N9ca4010dd54e45838d3571f3720d0875",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Q-Learning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-QL",
      "d3f:definition": "Q-learning is a model-free reinforcement learning algorithm to learn the value of an action in a particular state. It does not require a model of the environment (hence \"model-free\"), and it can handle problems with stochastic transitions and rewards without requiring adaptations.",
      "d3f:kb-article": "## References\nQ-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning).",
      "rdfs:label": "Q-Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:Reference-SecuringWebTransactions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tls-serv-cert-mgt-nist-sp1800-16b-final.pdf"
      },
      "d3f:kb-abstract": "Organizations risk losing revenue, customers, and reputation, and exposing internal or customer data to attackers if they do not properly manage Transport Layer Security (TLS) server certificates. TLS is the most widely used security protocol to secure web transactions and other communications on the internet and internal networks. TLS server certificates are central to the security and operation of internet-facing and internal web services. Improper TLS server certificate management results in significant outages to web applications and services—such as government services, online banking, flight operations, and mission-critical services within an organization—and increased risk of security breaches.",
      "d3f:kb-author": "William Haag, Murugiah Souppaya, Paul Turner, William C. Barker, Brett Pleasant, Susan Symington",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Securing Web Transactions",
      "rdfs:label": "Reference - Securing Web Transactions"
    },
    {
      "@id": "d3f:has-implementation",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-implementation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:IPReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IPAddress"
      },
      "d3f:d3fend-id": "D3-IPRA",
      "d3f:definition": "Analyzing the reputation of an IP address.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages"
        },
        {
          "@id": "d3f:Reference-Finding_phishing_sites"
        }
      ],
      "rdfs:label": "IP Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:Nae9444cdb7824c2ca7e9df911e163615"
        }
      ]
    },
    {
      "@id": "_:Nae9444cdb7824c2ca7e9df911e163615",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IPAddress"
      }
    },
    {
      "@id": "d3f:Classification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CLA",
      "d3f:definition": "Classification uses an algorithm to accurately assign test data into specific categories.",
      "d3f:kb-article": "## How it works\nClassification recognizes specific entities within the dataset and attempts to draw some conclusions on how those entities should be labeled or defined. Common classification algorithms are linear classifiers, support vector machines (SVM), decision trees, k-nearest neighbor, and random forest, which are described in more detail below.\n\n## Considerations:\n\nThere are many different types of classification algorithms for modeling classification predictive modeling problems.\n\nThere is no single theory on how to map algorithms onto problem types; instead, it is generally recommended that a practitioner use controlled experiments and discover which algorithm and algorithm configuration results in the best performance for a given classification task.\n\n## Key Test Considerations\n\n- **Machine Learning**:\n\n  - **Verify the dataset quality**: Check the data to make sure it is\n      free of errors.  Quantify the degree of missing values,\n      outliers, and noise in the data collection.  If the data quality\n      is low, it may be difficult or impossible to create models and\n      systems with the desired performance.\n\n  - **Verify development datasets are representative** of expected\n      operational environment and data collection means.  
Compare\n      distributions of dataset features and labels with exploratory\n      data analysis and assess the difference in tests on training\n      data and tests on evaluation data (where the evaluation data\n      must be drawn from a representative dataset.)\n\n  - **Use software libraries and tools built for ML** where possible, so\n      that the underlying code is verified by prior use.\n\n  - **Diagnose model errors with domain SMEs**: Have problem domain\n    SMEs investigate model errors for conditions for which the model\n    may underperform and suggest refinements.\n\n- **Classification**:\n\n  - **Use Standard Classification Performance Measures**: Not all of\n      the following may be necessary, but should be considered for\n      both verification (developmental test) and operational test\n      stages:\n\n    - **Accuracy**: The fraction of predictions that were correct.\n\n    - **Precision**: The proportion of positive identifications that were correct.\n\n    - **Recall**: The proportion of actual positive cases identified correctly.\n\n    - **F-Measure**: Combines the precision and recall into a single\n        score.  It is the harmonic mean of the precision and recall.\n\n    - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve\n        shows the performance of a classification model at all\n        classification thresholds.  It graphs the True Positive Rate\n        over the False Positive Rate.\n\n    - **Area Under the ROC Curve (AUC)**: This measures the\n        two-dimensional area under the ROC Curve.  AUC is\n        scale-invariant and classification-threshold invariant.\n\n    - **ROC TP vs FP points**: In addition to a specific AUC score,\n        the performance at points\n\n    - **Confusion Matrix**: A confusion matrix is a table layout that\n        allows the visualization of the performance of an\n        algorithm. 
Each row of the matrix represents the instances in\n        an actual class while each column represents the instances in\n        a predicted class, or vice versa. It is a special kind of\n        contingency table, with two dimensions (\"actual\" and\n        \"predicted\"), and identical sets of \"classes\" in both\n        dimensions (each combination of dimension and class is a\n        variable in the contingency table.)\n\n  - **Prediction Bias**: The difference between the average of the\n      predicted labels and the average of the labels in the data\n      set.  One should check for prediction bias when evaluating the\n      classifier's results. Causes of bias can include:\n\n    - **Noisy data set**: Errors in original data can occur, as the\n      collection method may have an underlying bias.\n\n    - **Processing bug**: Errors in the data pipeline can\n      introduce bias.\n\n    - **Biased training sample (unbalanced samples)**: Model\n      parameters may be skewed towards majority classes.\n\n    - **Overly strong regularization**: Model may be underfitting\n        and too simple.\n\n    - **Proxy variables**: Model features may be highly\n        correlated.\n\n  - **Overfitting and Underfitting**: Overfitting occurs when the\n    model built corresponds too closely or exactly to a particular\n    set of data, and thus may fail to fit or predict additional data\n    reliably. An overfitted model is a mathematical model that\n    contains more parameters than can be justified by the data.\n    Underfitting occurs when the model built does not adequately capture\n    the patterns in the data. 
As an example, a linear model will\n    underfit a non-linear dataset.\n\n## Platforms, Tools, or Libraries:\n\n- **Python**:\n\n  - **scikit-learn**: Is a free software machine learning library for\n      Python and includes features for classification.\n\n  - **TensorFlow**: is an end-to-end source machine learning\n    platform.\n\n  - **Keras**: is an open-source library that provides a Python API\n    designed to enable fast experimentation with deep neural networks.\n\n  - **PyTorch**: Is a machine learning framework based on the Torch\n    library.\n\n- **R**:\n\n  - **caret**: Classification And REgression Training package contains\n      functions to streamline model training for complex regression\n      and classification problems.\n\n  - **randomForest**: Implementation of classification and regression\n      based on forest of trees.\n\n## References\n\n1. Supervised Learning. IBM.\n[Link](https://www.ibm.com/topics/supervised-learning).\n\n1. Types of Classification in Machine Learning. Machine Learning Mastery.\n[Link](https://machinelearningmastery.com/types-of-classification-in-machine-learning/).\n\n1. Google. (18 July 2022). Classification: Precision and Recall.\n[Link](https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall).\n\n1. Wikipedia. (18 Aug 2023). Overfitting.\n[Link](https://en.wikipedia.org/wiki/Overfitting).\n\n1. Wikipedia. (19 Aug 2023). Confusion matrix.\n[Link](https://en.wikipedia.org/wiki/Confusion_matrix).",
      "rdfs:label": "Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:SupervisedLearning"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Automatic Software and Firmware Updates",
      "d3f:exactly": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PeripheralFirmwareVerification"
        },
        {
          "@id": "d3f:SoftwareUpdate"
        },
        {
          "@id": "d3f:SystemFirmwareVerification"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-2(5)"
    },
    {
      "@id": "d3f:CWE-582",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-582",
      "rdfs:label": "Array Declared Public, Final, and Static",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:FuzzyLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-FL",
      "d3f:definition": "Fuzzy logic is a form of many-valued logic in which the truth value of variables may be any real number between 0 and 1.",
      "d3f:kb-article": "## How it works\nIt is employed to handle the concept of partial truth, where the truth value may range between completely true and completely false.[1] By contrast, in Boolean logic, the truth values of variables may only be the integer values 0 or 1.\n\n## References\n1. Fuzzy logic. (2023, May 28). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Fuzzy_logic)",
      "rdfs:label": "Fuzzy Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:CWE-119",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-119",
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-118"
        },
        {
          "@id": "_:Na1a0964449334d118389e78a6ac469b9"
        }
      ]
    },
    {
      "@id": "_:Na1a0964449334d118389e78a6ac469b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:CWE-84",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-84",
      "rdfs:label": "Improper Neutralization of Encoded URI Schemes in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:BootLoader",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A bootloader is software that is responsible for booting a computer. When a computer is turned off, its software—including operating systems, application code, and data—remains stored on non-volatile memory. When the computer is powered on, it typically does not have an operating system or its loader in random-access memory (RAM). The computer first executes a relatively small program stored in read-only memory (ROM, and later EEPROM, NOR flash) along with some needed data, to initialize RAM (especially on x86 systems) to access the nonvolatile device (usually block device, e.g., NAND flash) or devices from which the operating system programs and data can be loaded into RAM.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Bootloader"
      },
      "rdfs:label": "Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "Bootloader"
    },
    {
      "@id": "d3f:MediaServer",
      "@type": "owl:Class",
      "d3f:definition": "A media server is a computer appliance or an application software that stores digital media (video, audio or images) and makes it available over a network. Media servers range from servers that provide video on demand to smaller personal computers or NAS (Network Attached Storage) for the home.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Media_server"
      },
      "rdfs:label": "Media Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:Thread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:manages",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x manages y: The technique or agent x watches and directs the use of a digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02447914-v"
      },
      "rdfs:label": "manages",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": [
        "oversees",
        "supervises"
      ]
    },
    {
      "@id": "d3f:T1060",
      "@type": "owl:Class",
      "d3f:attack-id": "T1060",
      "rdfs:label": "Registry Run Keys / Startup Folder",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001686_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account removal actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001686"
    },
    {
      "@id": "d3f:T1200",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1200",
      "d3f:connects": {
        "@id": "d3f:HardwareDevice"
      },
      "rdfs:label": "Hardware Additions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:Nd4efd1114d554477933605e66a413a54"
        }
      ]
    },
    {
      "@id": "_:Nd4efd1114d554477933605e66a413a54",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:connects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:T1491",
      "@type": "owl:Class",
      "d3f:attack-id": "T1491",
      "rdfs:label": "Defacement",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:MemoryManagementUnitComponent",
      "@type": "owl:Class",
      "rdfs:label": "Memory Management Unit Component",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-005/"
      },
      "d3f:kb-abstract": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-005: AppInit DLLs",
      "rdfs:label": "Reference - CAR-2020-09-005: AppInit DLLs - MITRE"
    },
    {
      "@id": "d3f:Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5870723A/"
      },
      "d3f:kb-abstract": "A method and system for tokenless authorization of commercial transactions between a buyer and a seller using a computer system. A transaction is proposed by a seller, and the buyer signals his acceptance by entering his personal authentication information comprising a PIN and at least one biometric sample, forming a commercial transaction message. The commercial transaction message is forwarded to the computer system, where the computer system compares the personal authentication information in the commercial transaction message with previously registered buyer biometric samples. If the computer system successfully identifies the buyer, a financial account of the buyer is debited and a financial account of the seller is credited, and the results of the transaction are presented to both buyer and seller. As a result of the invention, a buyer can conduct commercial transactions without having to use any tokens such as portable man-made memory devices such as smartcards or swipe cards. The invention allows buyers to quickly select one of a group of different financial accounts from which to transfer funds. The invention further indicates to the user that the authentic computer system was accessed by the use of a private code that is returned to the buyer after the identification is complete. The invention additionally permits an authorized buyer to alert authorities in the event of an emergency, such as when a transaction is coerced.",
      "d3f:kb-organization": "SmartTouch Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:BiometricAuthentication"
      },
      "d3f:kb-reference-title": "Tokenless biometric transaction authorization method and system",
      "rdfs:label": "Reference - Tokenless biometric transaction authorization method and system"
    },
    {
      "@id": "d3f:may-be-weakness-of",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-have-weakness"
      },
      "rdfs:domain": {
        "@id": "d3f:Weakness"
      },
      "rdfs:label": "may-be-weakness-of",
      "rdfs:range": {
        "@id": "d3f:Artifact"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140075556A1"
      },
      "d3f:kb-abstract": "This disclosure describes, in part, techniques for detecting security exploits associated with return-oriented programming. The techniques include determining that a retrieved count is indicative of malicious activity, such as return oriented programming. The count may be retrieved from a processor performance counter of prediction mismatches, the prediction mismatches resulting from comparisons of a call stack of a computing device and of a shadow call stack maintained by a processor of the computing device. The techniques further include performing at least one security response action in response to determining that the count indicates malicious activity.",
      "d3f:kb-author": "Georg WICHERSKI",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting shellcode security exploits. A call stack of a computing device is compared with a shadow call stack maintained by a processor of the computing device since a return oriented program may only be able to control or spoof the call stack and not the shadow call stack. Mismatches between the two are counted and if the number of mismatches exceeds a certain threshold it is an indication of malicious activity and a security response action is performed.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ShadowStackComparisons"
      },
      "d3f:kb-reference-title": "Threat detection for return oriented programming",
      "rdfs:label": "Reference - Threat detection for return oriented programming - Crowdstrike Inc"
    },
    {
      "@id": "d3f:CCI-002462_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002462"
    },
    {
      "@id": "d3f:T1497",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497",
      "rdfs:label": "Virtualization/Sandbox Evasion",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-912",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-912",
      "rdfs:label": "Hidden Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:CWE-922",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-922",
      "rdfs:label": "Insecure Storage of Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Subroutine",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In different programming languages, a subroutine may be called a procedure, a function, a routine, a method, or a subprogram. The generic term callable unit is sometimes used.",
      "d3f:synonym": [
        "Software Function",
        "Method"
      ],
      "rdfs:label": "Subroutine",
      "rdfs:seeAlso": {
        "@id": "dbr:Subroutine"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:ANN-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ABC",
      "d3f:definition": "Combines the principles of Artificial Neural Networks (ANN) and clustering methods.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Artificial neural network. [Link](https://en.wikipedia.org/wiki/Artificial_neural_network)",
      "rdfs:label": "ANN-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:T1216.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1216.001",
      "rdfs:label": "PubPrn Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1216"
      }
    },
    {
      "@id": "d3f:CCI-002346_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DatabaseQueryStringAnalysis"
        },
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002346"
    },
    {
      "@id": "d3f:T1184",
      "@type": "owl:Class",
      "d3f:attack-id": "T1184",
      "rdfs:label": "SSH Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:CWE-149",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-149",
      "rdfs:label": "Improper Neutralization of Quoting Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:InternationalizedDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "Internationalized Domain Name"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191551A1"
      },
      "d3f:kb-abstract": "An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets, extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; David Lopes Pegna; Karl Lynn",
      "d3f:kb-mitre-analysis": "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. Metadata from network traffic such as packet header information or information about a session (ex. time between request/responses) is extracted. After the metadata is extracted, the data is grouped into cluster maps of matching events to track how many instances of a network communication have occurred, such as five requests sent and five responses received. Threshold limits are set on the clusters to monitor them and if a cluster grows too large (ex. ten instances of requests and responses) this can correspond to unauthorized behavior. This method might detect, for example, a network attack using malicious payloads with automated scripts, in which a bot sends replicated malicious payloads to the same destination port.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProtocolMetadataAnomalyDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting threats using metadata vectors",
      "rdfs:label": "Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20200004962A1/en"
      },
      "d3f:kb-abstract": "A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity—i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.",
      "d3f:kb-author": "Frederico Araujo; Anne E. Kohlbrenner; Marc Philippe Stoecklin; Teryl Paul Taylor",
      "d3f:kb-reference-title": "Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views",
      "rdfs:label": "Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views"
    },
    {
      "@id": "d3f:M1013",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "A future release of D3FEND will define a taxonomy of Source Code Hardening Techniques.",
      "rdfs:label": "Application Developer Guidance"
    },
    {
      "@id": "d3f:DBSCAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBS",
      "d3f:definition": "A density-based clustering algorithm that works on the assumption that clusters are dense regions in space separated by regions of lower density.",
      "d3f:kb-article": "## References\nAnalytics Vidhya. (2020, September 15). How DBSCAN Clustering Works: A Comprehensive Guide with Implementations in Python. [Link](https://www.analyticsvidhya.com/blog/2020/09/how-dbscan-clustering-works/#:~:text=DBSCAN%20is%20a%20density%2Dbased,points%20into%20a%20single%20cluster.)",
      "rdfs:label": "DBSCAN",
      "rdfs:subClassOf": {
        "@id": "d3f:Density-basedClustering"
      }
    },
    {
      "@id": "d3f:T1036",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036",
      "rdfs:label": "Masquerading",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1222",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1222",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "File and Directory Permissions Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N5b779e07953148deb6ad8105d03516f3"
        }
      ]
    },
    {
      "@id": "_:N5b779e07953148deb6ad8105d03516f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:Patent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "Patent",
      "rdfs:subClassOf": {
        "@id": "d3f:Document"
      }
    },
    {
      "@id": "d3f:CWE-305",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-305",
      "rdfs:label": "Authentication Bypass by Primary Weakness",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-008%3AMSBuildAndMsxsl_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-008/"
      },
      "d3f:kb-abstract": "Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-008: MSBuild and msxsl",
      "rdfs:label": "Reference - CAR-2020-11-008: MSBuild and msxsl - MITRE"
    },
    {
      "@id": "d3f:T1104",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1104",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Multi-Stage Channels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N8d5a73c418e340eeb2bdf2fc020a0460"
        }
      ]
    },
    {
      "@id": "_:N8d5a73c418e340eeb2bdf2fc020a0460",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ImageCodeSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "An image code segment, also known as a text segment or simply as text, is a portion of an object file that contains executable instructions. The term \"segment\" comes from the memory segment, which is a historical approach to memory management that has been succeeded by paging. When a program is stored in an object file, the code segment is a part of this file; when the loader places a program into memory so that it may be executed, various memory regions are allocated (in particular, as pages), corresponding to both the segments in the object files and to segments only needed at run time. For example, the code segment of an object file is loaded into a corresponding code segment in memory.",
      "rdfs:label": "Image Code Segment",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Code_segment"
        },
        "Process Code Segment"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImageSegment"
        },
        {
          "@id": "_:N1a9873bc6d1a4faba7296cd8ec235db2"
        }
      ]
    },
    {
      "@id": "_:N1a9873bc6d1a4faba7296cd8ec235db2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Automated Audit Actions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "rdfs:label": "AC-2(4)"
    },
    {
      "@id": "d3f:CWE-131",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-131",
      "rdfs:label": "Incorrect Calculation of Buffer Size",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-11_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Testing and Evaluation | Static Code Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:ApplicationHardening"
      },
      "rdfs:label": "SA-11(1)"
    },
    {
      "@id": "d3f:POSIXSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "A POSIX-compliant symbolic link.  These are often fast symbolic links, but need not be.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Symbolic_link"
      },
      "rdfs:label": "POSIX Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001668_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001668"
    },
    {
      "@id": "d3f:PE32ExecutableFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "PE32 Executable File"
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-160-Volume-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-160v1"
      },
      "d3f:kb-abstract": "With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.",
      "d3f:kb-author": "Ron Ross, Michael McEvilley, and Janet Carrier Oren",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-160 Volume 1 - Systems Security Engineering",
      "rdfs:label": "Reference - NIST Special Publication 800-160 Volume 1 - System Security Engineering"
    },
    {
      "@id": "d3f:Actor-Critic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AC",
      "d3f:definition": "Actor-Critic is a Temporal Difference (TD) version of Policy gradient. It has two networks: Actor and Critic. The actor decides which action should be taken, and the critic informs the actor how good the action was and how it should adjust. The learning of the actor is based on the policy gradient approach. In comparison, the critic evaluates the action produced by the actor by computing the value function.",
      "d3f:kb-article": "## References\nThe Actor-Critic Reinforcement Learning Algorithm. Medium. [Link](https://medium.com/intro-to-artificial-intelligence/the-actor-critic-reinforcement-learning-algorithm-c8095a655c14).",
      "rdfs:label": "Actor-Critic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PolicyGradient"
        },
        {
          "@id": "d3f:TemporalDifferenceLearning"
        }
      ]
    },
    {
      "@id": "d3f:Vulnerability",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "wptmp:entity#Reference%20-%20DNS%20Whitelist%20(DNSWL)%20Email%20Authentication%20Method%20Extension",
      "d3f:kb-author": "Alessandro Vesely"
    },
    {
      "@id": "d3f:SoundexMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English.",
      "d3f:kb-article": "## How it works\nThe goal is for homophones to be encoded to the same representation so that they can be matched despite minor differences in spelling. The algorithm mainly encodes consonants; a vowel will not be encoded unless it is the first letter. Soundex is the most widely known of all phonetic algorithms (in part because it is a standard feature of popular database software). Improvements to Soundex are the basis for many modern phonetic algorithms.\n\n## References\n1. Soundex. (2023, April 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Soundex)",
      "rdfs:label": "Soundex Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:CWE-908",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-908",
      "rdfs:label": "Use of Uninitialized Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CCI-001111_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001111"
    },
    {
      "@id": "d3f:CWE-353",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-353",
      "rdfs:label": "Missing Support for Integrity Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:Kurtosis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KUR",
      "d3f:definition": "The measure of the \"fatness\" of the tails of a pmf or pdf. The fourth standardized moment of the distribution.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
      "rdfs:label": "Kurtosis",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:CWE-838",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-838",
      "rdfs:label": "Inappropriate Encoding for Output Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:LoginSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. On Unix and Unix-like operating systems, a login session takes one of two main forms: (a) When a textual user interface is used, a login session is represented as a kernel session -- a collection of process groups with the logout action managed by a session leader, and (b) Where an X display manager is employed, a login session is considered to be the lifetime of a designated user process that the display manager invokes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Login_session"
      },
      "rdfs:label": "Login Session",
      "rdfs:subClassOf": {
        "@id": "d3f:Session"
      }
    },
    {
      "@id": "d3f:T1583",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583",
      "rdfs:label": "Acquire Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:T1218.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.002",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Control Panel Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nbd4a041310ce4b1db315541c04cf089d"
        },
        {
          "@id": "_:N473f50f7b8b844cfa2c8ff003e889bc7"
        }
      ]
    },
    {
      "@id": "_:Nbd4a041310ce4b1db315541c04cf089d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N473f50f7b8b844cfa2c8ff003e889bc7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Second-stageBootLoader",
      "@type": "owl:Class",
      "d3f:definition": "An optional, often feature-rich, second-stage set of routines run in order to load the operating system.",
      "rdfs:label": "Second-stage Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:T1500",
      "@type": "owl:Class",
      "d3f:attack-id": "T1500",
      "rdfs:label": "Compile After Delivery",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:validator",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "validator",
      "rdfs:subPropertyOf": {
        "@id": "d3f:contributor"
      }
    },
    {
      "@id": "d3f:may-detect",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may detect",
      "rdfs:label": "may-detect",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:CCI-002420_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the confidentiality and/or integrity of information during preparation for transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002420"
    },
    {
      "@id": "d3f:CCI-001147_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001147"
    },
    {
      "@id": "d3f:CWE-1293",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1293",
      "rdfs:label": "Missing Source Correlation of Multiple Independent Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:RandomSplits",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RS",
      "d3f:definition": "The dataset is repeatedly sampled with a random split of the data into train and test sets.",
      "d3f:kb-article": "## References\n\"How to Create a Random Split Cross-Validation and Bagging Ensemble for Deep Learning in Keras.\" *Machine Learning Mastery*. [Link](https://machinelearningmastery.com/how-to-create-a-random-split-cross-validation-and-bagging-ensemble-for-deep-learning-in-keras/).",
      "rdfs:label": "Random Splits",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:CWE-916",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-916",
      "rdfs:label": "Use of Password Hash With Insufficient Computational Effort",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-327"
      }
    },
    {
      "@id": "d3f:T1608",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608",
      "rdfs:label": "Stage Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:DecisionTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DT",
      "d3f:definition": "Decision tree learning is a supervised learning approach used in statistics, data mining, and machine learning. In this formalism, a classification or regression decision tree is used as a predictive model to draw conclusions about a set of observations.",
      "d3f:kb-article": "## How it works\n\nA decision tree starts with a root node, which does not have any incoming branches. The outgoing branches from the root node then feed into the internal nodes, also known as decision nodes. Based on the available features, both node types conduct evaluations to form homogenous subsets, which are denoted by leaf nodes, or terminal nodes. The leaf nodes represent all the possible outcomes within the dataset.\n\n## Considerations\n\nWhile the basic underlying model is that of a decision tree, the decision tree node criteria, and the method for identifying splits varies significantly depending on the learning algorithm selected (e.g., CART, ID3, C4.5, C5.0, CHAID, MARS.)  Extensions like linear and logistic trees can add additional expressiveness as well.\n\n## Key Test Considerations\n\n- **Machine Learning**:\n\n  - **Verify the dataset quality**: Check the data to make sure it is\n      free of errors.  Quantify the degree of missing values,\n      outliers, and noise in the data collection.  If the data quality\n      is low, it may be difficult or impossible to create models and\n      systems with the desired performance.\n\n  - **Verify development datasets are representative**: of expected\n      operational environment and data collection means.  
Compare\n      distributions of dataset features and labels with exploratory\n      data analysis and assess the difference in tests on training\n      data and tests on evaluation data (where the evaluation data\n      must be drawn from a representative dataset.)\n\n   - **Use a variety of data sets**: where available and applicable, to\n      reflect different operating and environment conditions that are\n      likely to be encountered.\n\n  - **Use software libraries**: and tools built for ML where possible, so\n      that the underlying code is verified by prior use.\n\n  - **Diagnose model errors with domain SMEs**: Have problem domain\n    SMEs investigate model errors for conditions for which the model\n    may underperform and suggest refinements.\n\n- **Classification**:\n\n  - **Use Standard Classification Performance Measures**: Not all of\n      the following may be necessary, but should be considered for\n      both verification (developmental test) and operational test\n      stages use:\n\n    - **Accuracy**: The fraction of predictions that were correct.\n\n    - **Precision**: The proportion of positive identifications that were correct.\n\n    - **Recall**: The proportion of actual positive cases identified correctly.\n\n    - **F-Measure**: Combines the precision and recall into a single\n        score.  It is the harmonic mean of the precision and recall.\n\n    - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve\n        shows the performance of a classification model at all\n        classification thresholds.  It graphs the True Positive Rate\n        over the False Positive Rate.\n\n    - **Area Under the ROC Curve (AUC)**: This measures the\n        two-dimensional area under the ROC Curve.  
AUC is\n        scale-invariant and classification-threshold invariant.\n\n    - **ROC TP vs FP points**: In addition to a specific AUC score,\n        the performance at points\n\n    - **Confusion Matrix**: A confusion matrix is a table layout that\n        allows the visualization of the performance of an\n        algorithm. Each row of the matrix represents the instances in\n        an actual class while each column represents the instances in\n        a predicted class, or vice versa. It is a special kind of\n        contingency table, with two dimensions (\"actual\" and\n        \"predicted\"), and identical sets of \"classes\" in both\n        dimensions (each combination of dimension and class is a\n        variable in the contingency table.)\n\n  - **Prediction Bias**: The difference between the average of the\n      predicted labels and the average of the labels in the data\n      set.  One should check for prediction bias when evaluating the\n      classifier's results. Causes of bias can include:\n\n    - **Noisy data set**: Errors in original data can as the\n      collection method may have an underlying bias.\n\n    - **Processing bug**: Errors in the data pipeline can\n      introduce bias.\n\n    - **Biased training sample (unbalanced samples)**: Model\n      parameters may be skewed towards majority classes.\n\n    - **Overly strong regularization**: Model may be underfitting\n       model and too simple.\n\n    - **Proxy variables**: Model features may be highly\n       correlated.\n\n- **Supervised Learning**:\n\n  - **Overfitting and Underfitting**: Overfitting occurs when the\n    model built corresponds too closely or exactly to a particular\n    set of data, and thus may fail to fit to predict additional data\n    reliably. An overfitted model is a mathematical model that\n    contains more parameters than can be justified by the data.\n    Underfitting occurs when the model built does not adequately capture\n    the patterns in the data. 
As an example, a linear model will\n    underfit a non-linear dataset.\n\n  - **Sensitivity**: Perform N-fold Cross validation to indicate how\n    much sensitivity the algorithm has to data variation and to avoid\n    overfitting operational models.\n\n- **Decision Tree Learning**:\n\n  - **Sensitive to unbalanced classes**: Examine and determine target\n      class balance; decision tree learning algorithms are especially\n      sensitive to unbalanced target classes.\n\n  - **Consider decision boundaries**: Perform exploratory data\n      analysis to determine if decision boundaries lie along axes of\n      features. _Decision trees are ideal when decision boundaries can\n      be found that lie along axes of features._\n\n   - **Decision tree overfitting** may require tuning algorithm hyperparameters such as tree depth, max features used, max leaf nodes, etc.\n\n   - **Pruning** may result in a more robust model in real-world applications.\n\n   - **Missing values**: Inspect the data set to determine if there\n     are missing values and select a means to address them, either by\n     choosing an algorithm that works well or a way to impute the\n     value or eliminate the missing values in the data sensors or\n     pipeline.\n\n## Platforms, Tools, or Libraries\n\n- **scikit-learn**: includes tree algorithms for ID3, C4.5, C5.0, and CART.\n\n- **Weka**: includes J48 (C4.5), SimpleCart (CART), Logistic Model Trees, Naive Bayes Trees, and more.\n\n### Validation Approach\n- Use operationally relevant data across the range of the application's operating environment.\n- Incorporate some kind of continuous validation to address concept drift and the need to retrain the model and/or check data quality.\n\n## References\n1. Decision tree learning. (2023, May 30). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Decision_tree_learning).\n2. Decision Trees. (n.d.). In _scikit-learn User Guide 1.2.2_. [Link](https://scikit-learn.org/stable/modules/tree.html).\n3. 
Concept drift. (2023, April 17). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Concept_drift).\n4. 8 Concept Drift Detection Methods. (n.d.). In _Aporia Learning Center_. [Link](https://www.aporia.com/learn/data-drift/concept-drift-detection-methods/).",
      "rdfs:label": "Decision Tree",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:CWE-23",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-23",
      "rdfs:label": "Relative Path Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-22"
      }
    },
    {
      "@id": "d3f:CWE-412",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-412",
      "rdfs:label": "Unrestricted Externally Accessible Lock",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:DeepConvolutionalGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DCG",
      "d3f:definition": "Deep Convolutional GAN (DCGAN) uses convolutional and convolutional-transpose layers in the generator and discriminator, respectively.",
      "d3f:kb-article": "## References\nAnalytics Vidhya. (2021). Deep Convolutional Generative Adversarial Network (DCGAN) for Beginners. [Link](https://www.analyticsvidhya.com/blog/2021/07/deep-convolutional-generative-adversarial-network-dcgan-for-beginners/)",
      "d3f:synonym": "DCGAN",
      "rdfs:label": "Deep Convolutional GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:LaptopComputer",
      "@type": "owl:Class",
      "d3f:definition": "A laptop computer (also laptop), is a small, portable personal computer (PC) with a \"clamshell\" form factor, typically having a thin LCD or LED computer screen mounted on the inside of the upper lid of the clamshell and an alphanumeric keyboard on the inside of the lower lid. The clamshell is opened up to use the computer. Laptops are folded shut for transportation, and thus are suitable for mobile use. Its name comes from lap, as it was deemed to be placed on a person's lap when being used. Although originally there was a distinction between laptops and notebooks (the former being bigger and heavier than the latter), as of 2014, there is often no longer any difference. Today, laptops are commonly used in a variety of settings, such as at work, in education, for playing games, web browsing",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Laptop"
      },
      "rdfs:label": "Laptop Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": [
        "Laptop",
        "Notebook"
      ]
    },
    {
      "@id": "d3f:CWE-1323",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1323",
      "rdfs:label": "Improper Management of Sensitive Trace Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:TrimmedMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TM",
      "d3f:definition": "The arithmetic mean of data values after a certain number or proportion of the highest and lowest data values have been discarded.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "d3f:synonym": "Truncated mean",
      "rdfs:label": "Trimmed Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:CWE-1177",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1177",
      "rdfs:label": "Use of Prohibited Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-002364_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002364"
    },
    {
      "@id": "d3f:CCI-001084_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system isolates security functions from nonsecurity functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001084"
    },
    {
      "@id": "d3f:CCI-002207_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002207"
    },
    {
      "@id": "d3f:Product",
      "@type": "owl:Class",
      "rdfs:label": "Product",
      "rdfs:subClassOf": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "d3f:BayesianLinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BLR",
      "d3f:definition": "Bayesian linear regression is a type of conditional modeling in which the mean of one variable is described by a linear combination of other variables, with the goal of obtaining the posterior probability of the regression coefficients.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)",
      "rdfs:label": "Bayesian Linear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:LocalAuthorizationService",
      "@type": "owl:Class",
      "d3f:definition": "A local authorization service running on a host can authorize a user logged into just that local host computer.",
      "rdfs:label": "Local Authorization Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthorizationService"
        },
        {
          "@id": "d3f:SystemServiceSoftware"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1235",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1235",
      "rdfs:label": "Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:CWE-697",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-697",
      "rdfs:label": "Incorrect Comparison",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:CCI-002470_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:CertificatePinning"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002470"
    },
    {
      "@id": "d3f:ARM32CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "ARM32 Code Segment"
    },
    {
      "@id": "d3f:T1204.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:URL"
      },
      "d3f:attack-id": "T1204.001",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Malicious Link Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1204"
        },
        {
          "@id": "_:Ncbcd2df612874e7bb3a9bf3bef485b84"
        },
        {
          "@id": "_:Nbdad70b25ddc4458b73799b0550d61d6"
        }
      ]
    },
    {
      "@id": "_:Ncbcd2df612874e7bb3a9bf3bef485b84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "_:Nbdad70b25ddc4458b73799b0550d61d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:member-of",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "member-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:CWE-420",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-420",
      "rdfs:label": "Unprotected Alternate Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:AudioInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Audio input devices allow a user to send audio info to a computer for processing, recording, or carrying out commands. Devices such as microphones allow users to speak to the computer in order to record a voice message or navigate software. Aside from recording, audio input devices are also used with speech recognition software.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Input_device#Voice_input_devices"
      },
      "rdfs:label": "Audio Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:OperatingSystemProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system process, or system process, is a process running to perform operating system functions.",
      "rdfs:label": "Operating System Process",
      "rdfs:seeAlso": {
        "@id": "http://people.scs.carleton.ca/~maheshwa/courses/300/l4/node7.html"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      },
      "skos:altLabel": "System Process"
    },
    {
      "@id": "d3f:T1078.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.003",
      "d3f:uses": {
        "@id": "d3f:LocalUserAccount"
      },
      "rdfs:label": "Local Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:N074f73d44af94ca39af799555d6117ab"
        }
      ]
    },
    {
      "@id": "_:N074f73d44af94ca39af799555d6117ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:Projection-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBC",
      "d3f:definition": "Projection Based Clustering is a clustering framework based on a chosen projection method and projection method a parameter-free high-dimensional data visualization technique.",
      "d3f:kb-article": "## References\nR Core Team. (2021). ProjectionBasedClustering: Projection Based Clustering. [Link](https://cran.r-project.org/web/packages/ProjectionBasedClustering/ProjectionBasedClustering.pdf)\n\nLai, J. H., Liu, Y., & Wu, W. (2017). Projection Based Clustering. [Link](https://www.researchgate.net/publication/319006501_Projection_Based_Clustering)",
      "rdfs:label": "Projection-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:VirtualizationSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Virtualization software allows a single host computer to create and run one or more virtual environments. Virtualization software is most often used to emulate a complete computer system in order to allow a guest operating system to be run, for example allowing Linux to run as a guest on top of a PC that is natively running a Microsoft Windows operating system (or the inverse, running Windows as a guest on Linux).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Category:Virtualization_software"
      },
      "rdfs:label": "Virtualization Software",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:CWE-1063",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1063",
      "rdfs:label": "Creation of Class Instance within a Static Code Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:RegSetValueW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:StackFrame",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A machine-dependent and application-binary-dependent (ABI-dependent) data structure containing subroutine state information including the arguments passed into the routine, the return address back to the routine's caller, and space for local variables of the routine.",
      "d3f:may-contain": [
        {
          "@id": "d3f:Pointer"
        },
        {
          "@id": "d3f:StackFrameCanary"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Call_stack#Structure"
      },
      "rdfs:label": "Stack Frame",
      "rdfs:seeAlso": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:StackComponent"
        },
        {
          "@id": "_:Nd7efc97df84844ffbcacf4378321f82d"
        },
        {
          "@id": "_:N37b6bba25e60411099718b9014e8d107"
        }
      ],
      "skos:altLabel": [
        "Activation Record",
        "Activation Frame"
      ]
    },
    {
      "@id": "_:Nd7efc97df84844ffbcacf4378321f82d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "_:N37b6bba25e60411099718b9014e8d107",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrameCanary"
      }
    },
    {
      "@id": "d3f:T1137.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.005",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      },
      "rdfs:label": "Outlook Rules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N24b2b2656cd94706a3d4dfc1d13cb160"
        }
      ]
    },
    {
      "@id": "_:N24b2b2656cd94706a3d4dfc1d13cb160",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:UseCaseGoal",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Goal",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDUseCaseThing"
      }
    },
    {
      "@id": "d3f:T1563.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SSHSession"
      },
      "d3f:attack-id": "T1563.001",
      "rdfs:label": "SSH Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1563"
        },
        {
          "@id": "_:N51519912ed3943789ab11146b22dd537"
        }
      ]
    },
    {
      "@id": "_:N51519912ed3943789ab11146b22dd537",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHSession"
      }
    },
    {
      "@id": "d3f:T1564.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.009",
      "d3f:may-create": {
        "@id": "d3f:ResourceFork"
      },
      "d3f:may-modify": {
        "@id": "d3f:ResourceFork"
      },
      "rdfs:label": "Resource Forking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N2c49afc22d434e938d7f3a4d658673e7"
        },
        {
          "@id": "_:N20ab7caa4a7b4a6bbd641db28ad026b7"
        }
      ]
    },
    {
      "@id": "_:N2c49afc22d434e938d7f3a4d658673e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceFork"
      }
    },
    {
      "@id": "_:N20ab7caa4a7b4a6bbd641db28ad026b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceFork"
      }
    },
    {
      "@id": "d3f:LocalResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource).",
      "rdfs:label": "Local Resource",
      "rdfs:seeAlso": {
        "@id": "dbr:System_resource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      },
      "skos:altLabel": "System Resource"
    },
    {
      "@id": "d3f:CWE-653",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-653",
      "rdfs:label": "Improper Isolation or Compartmentalization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:SessionDurationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:d3fend-id": "D3-SDA",
      "d3f:definition": "Analyzing the duration of user sessions in order to detect unauthorized  activity.",
      "d3f:kb-article": "## How it works\nDetecting unauthorized user sessions by comparing the duration of a user logon session with a baseline behavior model. The behavior model comprises historical user session duration times.  Abnormalities between session duration and the behavior model may indicate suspicious activity.\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their session duration enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Session Duration Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N8adea8b7203648f691702b49d0daa18a"
        },
        {
          "@id": "_:N87c1bf2a3cc34fd690cb0aa75bc0a54a"
        }
      ]
    },
    {
      "@id": "_:N8adea8b7203648f691702b49d0daa18a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:N87c1bf2a3cc34fd690cb0aa75bc0a54a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:CWE-1123",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1123",
      "rdfs:label": "Excessive Use of Self-Modifying Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1563.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RDPSession"
      },
      "d3f:attack-id": "T1563.002",
      "rdfs:label": "RDP Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1563"
        },
        {
          "@id": "_:Nadd31a23e5c746d2a47be26041274d6c"
        }
      ]
    },
    {
      "@id": "_:Nadd31a23e5c746d2a47be26041274d6c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPSession"
      }
    },
    {
      "@id": "d3f:CWE-475",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-475",
      "rdfs:label": "Undefined Behavior for Input to API",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:CWE-276",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-276",
      "d3f:weakness-of": {
        "@id": "d3f:ApplicationInstaller"
      },
      "rdfs:label": "Incorrect Default Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-732"
        },
        {
          "@id": "_:Nb7622dbfb8c74b2483e96c4f76151406"
        }
      ]
    },
    {
      "@id": "_:Nb7622dbfb8c74b2483e96c4f76151406",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstaller"
      }
    },
    {
      "@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180197089A1/en?oq=US-2018197089-A1"
      },
      "d3f:kb-abstract": "Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determining training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.",
      "d3f:kb-author": "Sven Krasser; David Elkind; Patrick Crenshaw; Brett Meyer",
      "d3f:kb-mitre-analysis": "Provides a mechanism to classify files using file signatures based on a computational model. Training data that comprises at least a portion of a file, e.g. number of bytes, is used as input to the computational model to develop a file signature and classify the file as malware.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "Computational modeling and classification of data streams",
      "rdfs:label": "Reference - Computational modeling and classification of data streams - Crowdstrike Inc"
    },
    {
      "@id": "d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9104864B2/en?oq=US-9104864-B2"
      },
      "d3f:kb-abstract": "Embodiments of the present disclosure provide for improved capabilities in the detection of malware, where malware threats are detected through the accumulated identification of threat characteristics for targeted computer objects. Methods and systems include dynamic threat detection providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality of the threat characteristics confirms a presence of the threat; detecting a change event in a computer run-time process; testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database.",
      "d3f:kb-author": "Clifford Penton; Irene Michlin",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Threat detection through the accumulated detection of threat characteristics",
      "rdfs:label": "Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd"
    },
    {
      "@id": "d3f:CWE-665",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-665",
      "rdfs:label": "Improper Initialization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CommandLineInterface",
      "@type": "owl:Class",
      "d3f:definition": "A command-line interface or command language interpreter (CLI), also known as command-line user interface, console user interface, and character user interface (CUI), is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). Command-line interfaces to computer operating systems are less widely used by casual computer users, who favor graphical user interfaces. Programs with command-line interfaces are generally easier to automate via scripting.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Command-line_interface"
      },
      "rdfs:label": "Command Line Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:UserInterface"
      },
      "skos:altLabel": [
        "CLI",
        "CUI",
        "Command-line Interface"
      ]
    },
    {
      "@id": "d3f:Switch",
      "@type": "owl:Class",
      "d3f:definition": "A network switch (also called switching hub, bridging hub, and by the IEEE MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_switch"
      },
      "rdfs:label": "Switch",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkNode"
      },
      "skos:altLabel": [
        "Bridging Hub",
        "MAC Bridge",
        "Network Switch",
        "Switching Hub"
      ]
    },
    {
      "@id": "d3f:CWE-822",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-822",
      "rdfs:label": "Untrusted Pointer Dereference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:CWE-489",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-489",
      "rdfs:label": "Active Debug Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-001210_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001210"
    },
    {
      "@id": "d3f:Reference-OverviewOfTheSeccompSandbox",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://code.google.com/archive/p/seccompsandbox/wikis/overview.wiki"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:kb-reference-title": "Overview of the seccomp sandbox",
      "rdfs:label": "Reference - Overview of the seccomp sandbox"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Restricted Tool Use",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(4)"
    },
    {
      "@id": "d3f:PointEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PE",
      "d3f:definition": "A point estimation is a single value that estimates the parameter. Point estimates are single values calculated from the sample",
      "d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
      "rdfs:label": "Point Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:Estimation"
      }
    },
    {
      "@id": "d3f:CWE-1102",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1102",
      "rdfs:label": "Reliance on Machine-Dependent Data Representation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:T1494",
      "@type": "owl:Class",
      "d3f:attack-id": "T1494",
      "rdfs:label": "Runtime Data Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:abuses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x abuses y: The entity x applies an artifact y to a wrong thing or person; x applies y badly or incorrectly.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01163606-v"
      },
      "rdfs:label": "abuses",
      "rdfs:subPropertyOf": {
        "@id": "d3f:uses"
      },
      "skos:altLabel": [
        "misapplies",
        "misuses"
      ]
    },
    {
      "@id": "d3f:ClientComputer",
      "@type": "owl:Class",
      "d3f:definition": "A client computer is a host that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Client_(computing)"
      },
      "rdfs:label": "Client Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Host_(network)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:VolumeBootRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A volume boot record (VBR) (also known as a volume boot sector, a partition boot record or a partition boot sector) is a type of boot sector introduced by the IBM Personal Computer. It may be found on a partitioned data storage device, such as a hard disk, or an unpartitioned device, such as a floppy disk, and contains machine code for bootstrapping programs (usually, but not necessarily, operating systems) stored in other parts of the device. On non-partitioned storage devices, it is the first sector of the device. On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device being a Master Boot Record (MBR) containing the partition table.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Volume_boot_record"
      },
      "rdfs:label": "Volume Boot Record",
      "rdfs:subClassOf": {
        "@id": "d3f:BootRecord"
      }
    },
    {
      "@id": "d3f:T1488",
      "@type": "owl:Class",
      "d3f:attack-id": "T1488",
      "rdfs:label": "Disk Content Wipe",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:CWE-183",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-183",
      "rdfs:label": "Permissive List of Allowed Inputs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:CWE-226",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-226",
      "rdfs:label": "Sensitive Information in Resource Not Removed Before Reuse",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-212"
        },
        {
          "@id": "d3f:CWE-459"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1321",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1321",
      "rdfs:label": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-915"
      }
    },
    {
      "@id": "d3f:T1059.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.001",
      "rdfs:label": "PowerShell Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:records",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x records y: The digital artifact x makes a record of events y; set down in permanent form.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01002259-v"
      },
      "rdfs:label": "records",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01003181-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:PrimaryStorage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:PageFrame"
        },
        {
          "@id": "d3f:ProcessSegment"
        }
      ],
      "d3f:definition": "Primary memory of a computer is memory that is wired directly to the processor, consisting of RAM and possibly ROM.  These terms are used in contrast to mass storage devices and cache memory (although we may note that when a program accesses main memory, it is often actually interacting with a cache).",
      "rdfs:isDefinedBy": "https://www.memorymanagement.org/glossary/m.html#term-main-memory",
      "rdfs:label": "Primary Storage",
      "rdfs:seeAlso": "https://en.wikipedia.org/wiki/Computer_data_storage#Primary_storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Storage"
        },
        {
          "@id": "_:Nf353e7800fa64eec9377de206de07ea7"
        },
        {
          "@id": "_:Na9c75c6120ad425ea796abb226a59ec9"
        }
      ]
    },
    {
      "@id": "_:Nf353e7800fa64eec9377de206de07ea7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PageFrame"
      }
    },
    {
      "@id": "_:Na9c75c6120ad425ea796abb226a59ec9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:ClientApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A client application is software that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network. The term applies to the role that programs or devices play in the client-server model",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Client_(computing)"
      },
      "rdfs:label": "Client Application",
      "rdfs:seeAlso": "http://attackguidev.mitre.org/techniques/T1554/ \"Compromise Client Software Binary\"",
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CWE-262",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-262",
      "rdfs:label": "Not Using Password Aging",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:CWE-474",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-474",
      "rdfs:label": "Use of Function with Inconsistent Implementations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:InitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:InitialAccess"
      },
      "rdfs:label": "Initial Access Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N26a205c80ffd48328106b15a21648f71"
        }
      ]
    },
    {
      "@id": "_:N26a205c80ffd48328106b15a21648f71",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InitialAccess"
      }
    },
    {
      "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170134423A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.",
      "d3f:kb-author": "Dean Sysman; Gadi Evron; Imri Goldberg; Itamar Sher; Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoySessionToken"
        },
        {
          "@id": "d3f:DecoyUserCredential"
        }
      ],
      "d3f:kb-reference-title": "Decoy and deceptive data object technology",
      "rdfs:label": "Reference - Decoy and deceptive data object technology - Cymmetria Inc"
    },
    {
      "@id": "d3f:CWE-1257",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1257",
      "rdfs:label": "Improper Access Control Applied to Mirrored or Aliased Memory Regions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:may-be-invoked-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-invoke"
      },
      "rdfs:label": "may-be-invoked-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CCI-002009_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002009"
    },
    {
      "@id": "d3f:T1556",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556",
      "d3f:modifies": {
        "@id": "d3f:AuthenticationService"
      },
      "rdfs:label": "Modify Authentication Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N225a0bfd99c24855883489986670d4a6"
        }
      ]
    },
    {
      "@id": "_:N225a0bfd99c24855883489986670d4a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:CWE-776",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-776",
      "rdfs:label": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-405"
        },
        {
          "@id": "d3f:CWE-674"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1107",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1107",
      "rdfs:label": "Insufficient Isolation of Symbolic Constant Definitions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:Reference-Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://eprints.qut.edu.au/21172/1/21172.pdf"
      },
      "d3f:kb-abstract": "Buffer overflow attacks continue to be a major security problem and detecting attacks of this nature\nis therefore crucial to network security. Signature based network based intrusion detection systems (NIDS)\ncompare network traffic to signatures modelling suspicious or attack traffic to detect network attacks. Since\ndetection is based on pattern matching, a signature modelling the attack must exist for the NIDS to detect it, and\nit is therefore only capable of detecting known attacks. This paper proposes a method to detect buffer overflow\nattacks by parsing the payload of network packets in search of shellcode which is the remotely executable\ncomponent of a buffer overflow attack. By analysing the shellcode it is possible to determine which system\ncalls the exploit uses, and hence the operation of the exploit. Current NIDS-based buffer overflow detection\ntechniques mainly rely upon specific signatures for each new attack. Our approach is able to detect previously\nunseen buffer overflow attacks, in addition to existing ones, without the need for specific signatures for each\nnew attack. The method has been implemented and tested for buffer overflow attacks on Linux on the Intel x86\narchitecture using the Snort NIDS.",
      "d3f:kb-author": "Stig Andersson, Andrew Clark, and George Mohay",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Information Security Research Centre",
      "d3f:kb-reference-of": {
        "@id": "d3f:ByteSequenceEmulation"
      },
      "d3f:kb-reference-title": "Network-Based Buffer Overflow Detection by Exploit Code Analysis",
      "rdfs:label": "Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centre"
    },
    {
      "@id": "d3f:CWE-351",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-351",
      "rdfs:label": "Insufficient Type Distinction",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:SystemMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-SYSM",
      "d3f:definition": "System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.",
      "d3f:display-order": 2,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "rdfs:label": "System Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N02c878820b7847c6b30f7d33b6344817"
        }
      ]
    },
    {
      "@id": "_:N02c878820b7847c6b30f7d33b6344817",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:CWE-807",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-807",
      "rdfs:label": "Reliance on Untrusted Inputs in a Security Decision",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-198",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-198",
      "rdfs:label": "Use of Incorrect Byte Ordering",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-188"
      }
    },
    {
      "@id": "d3f:Mean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MEA",
      "d3f:definition": "The sum of all measurements divided by the number of observations in the data set.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:URLReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:URL"
      },
      "d3f:d3fend-id": "D3-URA",
      "d3f:definition": "Analyzing the reputation of a URL.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Finding_phishing_sites"
      },
      "rdfs:label": "URL Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:Ncd7a2ce6c2a242149548e0c1f01f85ed"
        }
      ]
    },
    {
      "@id": "_:Ncd7a2ce6c2a242149548e0c1f01f85ed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-215",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-215",
      "rdfs:label": "Insertion of Sensitive Information Into Debugging Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "RA-5(3)"
    },
    {
      "@id": "d3f:CWE-599",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-599",
      "rdfs:label": "Missing Validation of OpenSSL Certificate",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-295"
      }
    },
    {
      "@id": "d3f:CWE-61",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-61",
      "rdfs:label": "UNIX Symbolic Link (Symlink) Following",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:CWE-787",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-787",
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Out-of-bounds Write",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:N018fb0f55e67464894afd7ea1570a778"
        }
      ]
    },
    {
      "@id": "_:N018fb0f55e67464894afd7ea1570a778",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:LocalResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:LocalResource"
      },
      "d3f:definition": "Ephemeral digital artifact comprising a request of a local resource and any response from that resource.",
      "rdfs:label": "Local Resource Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ResourceAccess"
        },
        {
          "@id": "_:N314a0ebe169149d08b22b5c055b91a23"
        }
      ],
      "skos:altLabel": "Endpoint Resource Access"
    },
    {
      "@id": "_:N314a0ebe169149d08b22b5c055b91a23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:T1021.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.005",
      "rdfs:label": "VNC",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:ProcessTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Process"
      },
      "d3f:definition": "A process tree is a tree structure representation of parent-child relationships established via process spawn operations.",
      "rdfs:label": "Process Tree",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Child_process"
        },
        "Process Spawn",
        {
          "@id": "dbr:Parent_process"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nabad9ed806f846d7a47a3fc1aafcd04f"
        }
      ]
    },
    {
      "@id": "_:Nabad9ed806f846d7a47a3fc1aafcd04f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1138",
      "@type": "owl:Class",
      "d3f:attack-id": "T1138",
      "rdfs:label": "Application Shimming",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:SenderMTAReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Email"
      },
      "d3f:d3fend-id": "D3-SMRA",
      "d3f:definition": "Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.",
      "d3f:kb-article": "## How it works\nThe sender message transfer agent (MTA) trust rating can be considered an indicator of the level of security risk and/or a trust level associated with sender MTAs in an email header.\n\nThe features considered in determining the trust rating may include:\n\n* Length of time MTA has interacted with the enterprise\n* Number of sender domains sending emails from the MTA\n* Number of recipients in the enterprise the MTA sends emails to\n* Number of emails received from this MTA\n* Number of email replies received from this MTA\n\nFor example, higher values for the length of time an MTA has interacted with the enterprise, or number of emails received from an MTA can result in a higher trust rating. The trust rating categorizes the sender MTA as unrated, neutral, trusted, suspicious, or malicious.\n\n## Considerations\nLegitimate emails from a sender MTA may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc"
      },
      "rdfs:label": "Sender MTA Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "_:Naae3bc24aac74450999a844001840c54"
        }
      ]
    },
    {
      "@id": "_:Naae3bc24aac74450999a844001840c54",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:T1609",
      "@type": "owl:Class",
      "d3f:attack-id": "T1609",
      "rdfs:label": "Container Administration Command",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001425_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001425"
    },
    {
      "@id": "owl:versionInfo",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-1111",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1111",
      "rdfs:label": "Incomplete I/O Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc6376"
      },
      "d3f:kb-abstract": "DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.  This can be an author's organization, an operational relay, or one of their agents.  DKIM separates the question of the identity of the Signer of the message from the purported author of the message.  Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly to retrieve the appropriate public key.  Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.",
      "d3f:kb-author": "D. Crocker, T. Hansen, M. Kucherawy",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 6376: DomainKeys Identified Mail (DKIM) Signatures",
      "rdfs:label": "Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETF"
    },
    {
      "@id": "d3f:Reference-EmbeddingContextsForOn-lineThreatsIntoResponsePolicyZones-VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10440059B1"
      },
      "d3f:kb-abstract": "Hierarchical threat intelligence embedded in subdomain CNAMEs of a DNS denylist.\n\nIn one embodiment, a response policy zone (RPZ) application generates an RPZ that includes contexts for the on-line threats that are associated with domain names. For a domain name that is associated with an on-line threat, the RPZ application determines a threat specification that describes a characteristic of the on-line threat. The RPZ application then generates an alias based on the domain name and the threat specification. Subsequently, the RPZ application generates a domain name system (DNS) resource record that maps the domain name to the alias, includes the resource record in the RPZ, and transmits the RPZ to a DNS name server that implements the RPZ. Upon receiving a DNS query associated with the domain name, the DNS name server generates a DNS response based on the alias. Because the domain name and the threat specification is reflected in the alias, the DNS response automatically provides a relevant context.",
      "d3f:kb-author": "Ben McCarty",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-reference-of": {
        "@id": "d3f:HierarchicalDomainDenylisting"
      },
      "d3f:kb-reference-title": "Embedding contexts for on-line threats into response policy zones",
      "rdfs:label": "Reference - Embedding contexts for on-line threats into response policy zones - Verisign Inc"
    },
    {
      "@id": "d3f:CCI-001100_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001100"
    },
    {
      "@id": "d3f:TranslationLookasideBuffer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip's memory-management unit (MMU).",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Translation_lookaside_buffer",
      "rdfs:label": "Translation Lookaside Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryManagementUnitComponent"
      }
    },
    {
      "@id": "d3f:CWE-176",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-176",
      "rdfs:label": "Improper Handling of Unicode Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:T1141",
      "@type": "owl:Class",
      "d3f:attack-id": "T1141",
      "rdfs:label": "Input Prompt",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:uses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x uses y: An entity x puts into service a resource or implement y; x makes y work or employs y for a particular purpose or for its inherent or natural purpose.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01161188-v"
      },
      "rdfs:label": "uses",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1176",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1176",
      "rdfs:label": "Inefficient CPU Computation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:T1590.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.004",
      "rdfs:label": "Network Topology",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:CWE-38",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-38",
      "rdfs:label": "Path Traversal: '\\absolute\\pathname\\here'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:T1198",
      "@type": "owl:Class",
      "d3f:attack-id": "T1198",
      "rdfs:label": "SIP and Trust Provider Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:FirmwareEmbeddedMonitoringCode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Firmware"
      },
      "d3f:d3fend-id": "D3-FEMC",
      "d3f:definition": "Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.",
      "d3f:kb-article": "## How it works\nFirmware in deployed network devices is typically not monitored for malicious changes. This technique provides a method to embed a software security component into the deployed firmware which provides a near real-time monitoring hook. The exception handling code, in the firmware, is typically used to expose any detected vulnerabilities.\n\nThe injected software components provide a feature similar to intrusion detection systems for the firmware by detecting unauthorized modifications of the embedded firmware. The integrity of static code and firmware data is monitored continuously in the hosted devices. Comparisons are made to monitored elements like firmware memory addresses and data segments. Memory pages are scanned and if a modification is detected the software component may lock the page. This will protect against subsequent attempted modifications to the firmware. The software component may utilize the exception handling code and thus be able to disclose the exact address of the modified memory.\n\nThe injected software components are inserted during the firmware imaging process. The injected software is assumed to have knowledge of both the embedded code and the current execution state of the host program. The injected software will monitor and alert, in near real-time, on potential suspicious activity. The injected code is run alongside the embedded code in the host. The injected software operates as an independent entity and is not dependent on the host software.\n\nFinally, this technique may implement other countermeasure techniques as part of its analytical processes. These should be identified by referencing other countermeasure techniques directly as necessary.\n\n## Considerations\n* The firmware code will need to be modified and re-hosted on the device.\n* Exposing monitoring hooks to the injected code may introduce additional risk.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon"
        },
        {
          "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes"
        }
      ],
      "rdfs:label": "Firmware Embedded Monitoring Code",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:Ne4c4bebfeeb542bf990e9c20fd0144be"
        }
      ]
    },
    {
      "@id": "_:Ne4c4bebfeeb542bf990e9c20fd0144be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:Reference-SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers?view=msvc-160"
      },
      "d3f:kb-abstract": "When /SAFESEH is specified, the linker will only produce an image if it can also produce a table of the image's safe exception handlers. This table specifies for the operating system which exception handlers are valid for the image.",
      "d3f:kb-author": "Mike Blome, Saisang Cai, Colin Robertson, Mike Jones, NextTurn, Gordon Hogenson",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExceptionHandlerPointerValidation"
      },
      "d3f:kb-reference-title": "/SAFESEH (Image has Safe Exception Handlers)",
      "rdfs:label": "Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docs"
    },
    {
      "@id": "d3f:CWE-483",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-483",
      "rdfs:label": "Incorrect Block Delimitation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(1)"
    },
    {
      "@id": "d3f:T1574.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.011",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      },
      "rdfs:label": "Services Registry Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N01dd1969652e484b8462c69a6c3113bf"
        }
      ]
    },
    {
      "@id": "_:N01dd1969652e484b8462c69a6c3113bf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "d3f:WindowsBatchFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Windows Batch File"
    },
    {
      "@id": "d3f:ProcessCodeSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "A process code segment, also known as a text segment or simply as text, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image code segment. Includes additional sections such as an import table.",
      "d3f:may-contain": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Process Code Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ImageCodeSegment"
        },
        {
          "@id": "dbr:Code_segment"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "_:N37dae23622b340158f94afbbcdf8544e"
        },
        {
          "@id": "_:Nd9a5b8db251e4df48bcfe2c1094e541b"
        }
      ],
      "skos:altLabel": "Process Text Segment"
    },
    {
      "@id": "_:N37dae23622b340158f94afbbcdf8544e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:Nd9a5b8db251e4df48bcfe2c1094e541b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-10_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:control-name": "Non-repudiation | Digital Signatures",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-10(5)"
    },
    {
      "@id": "d3f:KendallsRankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KRCC",
      "d3f:definition": "Kendall's $\\tau$ between $x$ and $y$ is given by $(n_c - n_d) / \\sqrt{(n_c+n_d+n_x)(n_c+n_d+n_y)}$, where $n_c$ is the number of concordant pairs of observations, $n_d$ is the number of discordant pairs, $n_x$ is the number of ties involving only the $x$ variable, and $n_y$ is the number of ties involving only the $y$ variable.",
      "d3f:kb-article": "## References\n1. Wolfram Research. (2012). KendallTau. Wolfram Language function.  [Link](https://reference.wolfram.com/language/ref/KendallTau.html)\n1. Kendall's Tau. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Kendall_rank_correlation_coefficient)",
      "d3f:synonym": "Kendall's Tau Coefficient",
      "rdfs:isDefinedBy": "https://reference.wolfram.com/language/ref/KendallTau.html",
      "rdfs:label": "Kendall's Rank Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:SystemInitConfigAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:SystemInitConfiguration"
      },
      "d3f:d3fend-id": "D3-SICA",
      "d3f:definition": "Analysis of any system process startup configuration.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutorunDifferences_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE"
        }
      ],
      "d3f:synonym": [
        "Startup Analysis",
        "Autorun Analysis"
      ],
      "rdfs:label": "System Init Config Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Ncc51b8183f4b4ec5ba773e25f6f2b661"
        }
      ],
      "skos:altLabel": "System Initialization Configuration Analysis"
    },
    {
      "@id": "_:Ncc51b8183f4b4ec5ba773e25f6f2b661",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemInitConfiguration"
      }
    },
    {
      "@id": "d3f:process-image-path",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-image-path y: The filepath y is the process image path for the process x, indicating the path to the resource from which the process's image was loaded.",
      "rdfs:label": "process-image-path",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      },
      "skos:altLabel": "processImagePath"
    },
    {
      "@id": "d3f:CWE-826",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-826",
      "rdfs:label": "Premature Release of Resource During Expected Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-666"
      }
    },
    {
      "@id": "d3f:CWE-1385",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1385",
      "rdfs:label": "Missing Origin Validation in WebSockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-346"
      }
    },
    {
      "@id": "d3f:MessageHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-MH",
      "d3f:definition": "Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:synonym": "Email Or Messaging Hardening",
      "rdfs:label": "Message Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nc49aa2cf2a8c4e969956be244781ffaf"
        }
      ]
    },
    {
      "@id": "_:Nc49aa2cf2a8c4e969956be244781ffaf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:UserLogonInitResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user logon initialization resource contains information used to configure a user's environment when a user logs into a system.",
      "rdfs:label": "User Logon Init Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:assesses",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:DefensiveTechniqueClaim"
      },
      "rdfs:label": "assesses",
      "rdfs:range": {
        "@id": "d3f:DefensiveTechniqueAssessment"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:Partition",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A partition is a region on a secondary storage device created so that the region can be managed by itself; separate from any other regions (partitions) on that secondary storage device. Creating partitions is typically the first step of preparing a newly installed storage device, before any file system is created. The device stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct \"logical\" storage device that uses part of the actual device. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. [Definition adapted as generalization from definition of disk partitioning and distinct from in-memory partitions.]",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Disk_partitioning"
      },
      "rdfs:label": "Partition",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Memory_management_(operating_systems)"
        },
        {
          "@id": "dbr:Partition_table"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": [
        "Disk Slice",
        "Disk Partition"
      ]
    },
    {
      "@id": "d3f:CWE-1254",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1254",
      "rdfs:label": "Incorrect Comparison Logic Granularity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-208"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:T1218.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.014",
      "d3f:executes": {
        "@id": "d3f:Command"
      },
      "d3f:may-add": {
        "@id": "d3f:Software"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "MMC",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nf2aed841509e43a79574fc234ee9dbfa"
        },
        {
          "@id": "_:N441a32b2eb8e45f8934f98667814c9b6"
        },
        {
          "@id": "_:Ndec0595f8c6f4d0da51ef0e87be8e4ba"
        }
      ]
    },
    {
      "@id": "_:Nf2aed841509e43a79574fc234ee9dbfa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Command"
      }
    },
    {
      "@id": "_:N441a32b2eb8e45f8934f98667814c9b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:Ndec0595f8c6f4d0da51ef0e87be8e4ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:creates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x creates y: The subject x brings into existence an object y.  Some technique or agent x creates a persistent digital artifact y (as opposed to producing a consumable or transient object); i.e., x brings forth or generates y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01630392-v"
      },
      "rdfs:label": "creates",
      "rdfs:seeAlso": "produces",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-create"
        }
      ]
    },
    {
      "@id": "d3f:T1132",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1132",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Data Encoding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nad16cb8711324fbaa1655f0eedca68f4"
        }
      ]
    },
    {
      "@id": "_:Nad16cb8711324fbaa1655f0eedca68f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-496",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-496",
      "rdfs:label": "Public Data Assigned to Private Array-Typed Field",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191560A1"
      },
      "d3f:kb-abstract": "A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.",
      "d3f:kb-author": "David Lopes Pegna; Himanshu Mhatre; Oliver Brdiczka",
      "d3f:kb-mitre-analysis": "This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes information on source and destination host, destination port, number of connection attempts, size of data exchanged, duration and time of the communication. The metadata is used to build a connectivity graph of the network and identify groups of similar hosts that exhibit similar behavior. For each group of similar behavior identified, a baseline behavior pattern profile is developed. Network activity for a host within a group that deviates over a threshold from the baseline behavior patterns is identified as suspicious and an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:NetworkTrafficCommunityDeviation"
        },
        {
          "@id": "d3f:ProtocolMetadataAnomalyDetection"
        }
      ],
      "d3f:kb-reference-title": "System for implementing threat detection using daily network traffic community outliers",
      "rdfs:label": "Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:ApplicationConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ApplicationConfigurationDatabaseRecord"
      },
      "d3f:definition": "A database used to hold application configuration data.",
      "rdfs:label": "Application Configuration Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationDatabase"
        },
        {
          "@id": "_:Ndff2e55f08214785ae7de4f5e8a23355"
        }
      ]
    },
    {
      "@id": "_:Ndff2e55f08214785ae7de4f5e8a23355",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-1085",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1085",
      "rdfs:label": "Invokable Control Element with Excessive Volume of Commented-out Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:VirtualAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A virtual address in memory is a pointer or marker for a memory space that an operating system allows a process to use. The virtual address points to a location in primary storage that a process can use independently of other processes.",
      "d3f:synonym": "Logical Address",
      "rdfs:isDefinedBy": "https://www.techopedia.com/definition/9934/virtual-address-va",
      "rdfs:label": "Virtual Address",
      "rdfs:seeAlso": [
        "https://en.wikipedia.org/wiki/Memory_address#Logical_addresses",
        "https://dbpedia.org/page/Virtual_address_space"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:attached-to",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x attached-to y: A subject x is joined in close association to an object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01980375-s"
      },
      "rdfs:label": "attached-to",
      "rdfs:seeAlso": "d3f:connects",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:neutralizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x neutralizes y: The technique x makes the execution of actions of y ineffective by preventing or counterbalancing the effect of y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00471015-v"
      },
      "rdfs:label": "neutralizes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:Voting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VOT",
      "d3f:definition": "Voting is another form of ensembling.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Voting",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:HumanInputDeviceFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on an HCI device such as a mouse or keyboard.",
      "rdfs:label": "Human Input Device Firmware",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "dbr:Human_interface_device"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      }
    },
    {
      "@id": "d3f:PhiCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PC",
      "d3f:definition": "The phi coefficient (or mean square contingency coefficient is a measure of association for two binary variables.",
      "d3f:kb-article": "## References\n\\Wikipedia. (n.d.). Phi coefficient. [Link](https://en.wikipedia.org/wiki/Phi_coefficient)",
      "d3f:synonym": [
        "MCC",
        "Matthews Correlation Coefficient (in machine learning)"
      ],
      "rdfs:label": "Phi Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:T1040",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1040",
      "d3f:may-produce": {
        "@id": "d3f:DNSLookup"
      },
      "rdfs:label": "Network Sniffing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nb63ff8673ede42809d83e77f4798c3d7"
        }
      ]
    },
    {
      "@id": "_:Nb63ff8673ede42809d83e77f4798c3d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:AuthorizationService",
      "@type": "owl:Class",
      "d3f:definition": "An authorization service ensures that the user is authorized to have access to a particular resource. Authorization can be done through role-based access control (RBAC) or list-based access control (LBAC).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.sciencedirect.com/referencework/9780122272400/encyclopedia-of-information-systems"
      },
      "rdfs:label": "Authorization Service",
      "rdfs:seeAlso": {
        "@id": "dbr:Authorization"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkService"
        },
        {
          "@id": "d3f:ServiceApplicationProcess"
        }
      ]
    },
    {
      "@id": "d3f:LuaScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Lua Script File"
    },
    {
      "@id": "d3f:T1127.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1127.001",
      "d3f:modifies": {
        "@id": "d3f:CompilerConfigurationFile"
      },
      "d3f:runs": {
        "@id": "d3f:Compiler"
      },
      "rdfs:label": "MSBuild",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1127"
        },
        {
          "@id": "_:Nccb373c75dfe4cb49e07b5fbbea66b93"
        },
        {
          "@id": "_:N077d3a7a479a40a4a19fe39dcc1adf64"
        }
      ]
    },
    {
      "@id": "_:Nccb373c75dfe4cb49e07b5fbbea66b93",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CompilerConfigurationFile"
      }
    },
    {
      "@id": "_:N077d3a7a479a40a4a19fe39dcc1adf64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Compiler"
      }
    },
    {
      "@id": "d3f:CWE-1313",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1313",
      "rdfs:label": "Hardware Allows Activation of Test or Debug Logic at Runtime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:DialUpModem",
      "@type": "owl:Class",
      "d3f:definition": "A dial-up modem transmits computer data over an ordinary switched telephone line that has not been designed for data use. This contrasts with leased line modems, which also operate over lines provided by a telephone company, but ones which are intended for data use and do not impose the same signaling constraints. The modulated data must fit the frequency constraints of a normal voice audio signal, and the modem must be able to perform the actions needed to connect a call through a telephone exchange, namely: picking up the line, dialing, understanding signals sent back by phone company equipment (dial tone, ringing, busy signal,) and on the far end of the call, the second modem in the connection must be able to recognize the incoming ring signal and answer the line.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Dial-up"
      },
      "rdfs:label": "Dial Up Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:WindowsNtDuplicateToken",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtDuplicateToken",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICopyToken"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:T1529",
      "@type": "owl:Class",
      "d3f:attack-id": "T1529",
      "rdfs:label": "System Shutdown/Reboot",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:CWE-939",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-939",
      "rdfs:label": "Improper Authorization in Handler for Custom URL Scheme",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-862"
      }
    },
    {
      "@id": "d3f:CCI-002400_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002400"
    },
    {
      "@id": "d3f:CCI-003123_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-09-24T00:00:00"
      },
      "rdfs:label": "CCI-003123"
    },
    {
      "@id": "d3f:CWE-37",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-37",
      "rdfs:label": "Path Traversal: '/absolute/pathname/here'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-160"
        },
        {
          "@id": "d3f:CWE-36"
        }
      ]
    },
    {
      "@id": "d3f:T1170",
      "@type": "owl:Class",
      "d3f:attack-id": "T1170",
      "rdfs:label": "Mshta",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1587.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.002",
      "rdfs:label": "Code Signing Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:T1110.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.003",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Password Spraying",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:N397eca99c7ab429689d608317799183c"
        },
        {
          "@id": "_:N0ffafa08e61e4b50908873a9af95b58f"
        },
        {
          "@id": "_:N6a5ce795547e47718b6fe87a697c1ae3"
        },
        {
          "@id": "_:Nf03cbe5d565f4e0b99e17d7accafc6fe"
        }
      ]
    },
    {
      "@id": "_:N397eca99c7ab429689d608317799183c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:N0ffafa08e61e4b50908873a9af95b58f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:N6a5ce795547e47718b6fe87a697c1ae3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:Nf03cbe5d565f4e0b99e17d7accafc6fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:T1132.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1132.001",
      "rdfs:label": "Standard Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:T1132"
      }
    },
    {
      "@id": "d3f:CWE-686",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-686",
      "rdfs:label": "Function Call With Incorrect Argument Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190018962A1/en?oq=15648887"
      },
      "d3f:kb-abstract": "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, such as an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails.",
      "d3f:kb-author": "Joseph W. Desimone",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "System and method for validating in-memory integrity of executable files to identify malicious activity",
      "rdfs:label": "Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc"
    },
    {
      "@id": "d3f:T1590",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590",
      "rdfs:label": "Gather Victim Network Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-491",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-491",
      "rdfs:label": "Public cloneable() Method Without Final ('Object Hijack')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-106",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-106",
      "rdfs:label": "Struts: Plug-in Framework not in Use",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:OperatingSystemSharedLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system shared library file is a shared library file that is part of the operating system and that incorporates common operating system code for use by any application or to provide operating system services.",
      "rdfs:label": "Operating System Shared Library File",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Library_(computing)#Shared_libraries"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemFile"
        },
        {
          "@id": "d3f:SharedLibraryFile"
        }
      ]
    },
    {
      "@id": "d3f:CopyToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CopyToken"
      ],
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Copy Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N6a96e71e85584a7e95b42ce820e7a52c"
        }
      ]
    },
    {
      "@id": "_:N6a96e71e85584a7e95b42ce820e7a52c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:Reconnaissance",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:display-order": -1,
      "rdfs:label": "Reconnaissance",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:Guidance",
      "@type": "owl:Class",
      "rdfs:label": "Guidance",
      "rdfs:subClassOf": {
        "@id": "d3f:Policy"
      }
    },
    {
      "@id": "d3f:M1046",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BootloaderAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "rdfs:label": "Boot Integrity"
    },
    {
      "@id": "d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170061127A1"
      },
      "d3f:kb-abstract": "Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.",
      "d3f:kb-author": "Ion-Alexandru Ionescu",
      "d3f:kb-mitre-analysis": "To compromise software or to gain control of a host device, a security exploit can modify driver initialization order used by an operating system and place a driver associated with the security exploit first in a list of drivers initialized by the operating system.\n\nThis patent describes ensuring that a driver associated with the agent is initialized first. To ensure the driver is initialized first, a dependent DLL associated with the driver is configured to be processed before other dependent DLLs. The dependent DLL can be configured to be processed first by various methods, for example if processing is done in alphabetical order, changing its name to be processed first. The dependent DLL, once processed, executes a number of operations to ensure the driver associated with the agent is initialized first. Furthermore, if the initialization order is modified, an alert is provided to the kernel-mode component that notifies the kernel-mode component it was not first and the order had to be altered. It can then take additional actions such as additional monitoring or remediation.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:kb-reference-title": "Integrity assurance through early loading in the boot phase",
      "rdfs:label": "Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Inc"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Detect Unauthorized Commands",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserBehaviorAnalysis"
      },
      "rdfs:label": "SI-3(8)"
    },
    {
      "@id": "d3f:IdentifierActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierAnalysis"
      ],
      "d3f:d3fend-id": "D3-IAA",
      "d3f:definition": "Taking known malicious identifiers and determining if they are present in a system.",
      "d3f:kb-article": "## How it works\n\nIdentifier activity analysis is the process of taking identifiers--typically known malicious identifiers--and determining the artifacts that have interacted with those identifiers.\n\nThere are many open and closed source repositories of identifiers that represent indicators of compromise. For example, VirusTotal contains hash signatures of malware and IP Addresses used by threat actors. Defenders can search for these indicators of compromise their own systems to gain context on activity around an identifier.\n\n## Considerations\n\nIndicator activity analysis is a good way to gain high precision analysis, but adversaries can modify their own signatures such as hashes quickly to evade detection. This is related to David Bianco’s Pyramid of Pain - Indicators on the lower level (hash values, IP addresses domain names) are easy for adversaries to change.\n\nIdentifier activity data of interest for analysis with the identifier might include, but is not limited to:\n\n* network traffic activity where the identifier was used to identify communicating entities or referred to in the communication\n* process activity referencing the identifier, especially for resource access\n* file activity referencing the identifier\n* registry settings referencing the identifier",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ThePyramidOfPain-DavidBianco"
      },
      "rdfs:label": "Identifier Activity Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:IdentifierAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-779",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-779",
      "rdfs:label": "Logging of Excessive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:CWE-493",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-493",
      "rdfs:label": "Critical Public Variable Without Final Modifier",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:ApplicationInstaller",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Application Installer",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:T1591.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.004",
      "rdfs:label": "Identify Roles",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:T1090",
      "@type": "owl:Class",
      "d3f:attack-id": "T1090",
      "rdfs:label": "Proxy",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:HomogenousTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HTL",
      "d3f:definition": "In homogeneous transfer learning, the feature spaces of the source and target domains is of the same dimension (Ds = Dt) while the data of both domains is represented by the same attributes (Xs = Xt) and labels (Ys = Yt). Thus, homogeneous transfer learning aims to bridge the gap in the data distributions experienced during cross-domain transfer.",
      "d3f:kb-article": "## References\nKhalil, K., Asgher, U., & Ayaz, Y. (2022). Novel fNIRS study on homogeneous symmetric feature-based transfer learning for brain-computer interface. Scientific Reports, 12, 3198. [Link](https://www.nature.com/articles/s41598-022-06805-4).",
      "rdfs:label": "Homogenous Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:TransferLearning"
      }
    },
    {
      "@id": "d3f:T1220",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1220",
      "d3f:interprets": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "XSL Script Processing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N8428e2b97d4348a781720067c6435f84"
        },
        {
          "@id": "_:N0c9addcd8b4d41d8ab18698030962227"
        },
        {
          "@id": "_:N9476d05611b644688524c6a7db36a28d"
        }
      ]
    },
    {
      "@id": "_:N8428e2b97d4348a781720067c6435f84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N0c9addcd8b4d41d8ab18698030962227",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N9476d05611b644688524c6a7db36a28d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:LevenshteinMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LM",
      "d3f:definition": "The Levenshtein distance (LD) is a metric for measuring the differences between two sequences - or strings. Informally, the LD is the number of individual edits one would have to make to turn one sequence into another.",
      "d3f:kb-article": "## References\n1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)",
      "d3f:synonym": "Edit Distance",
      "rdfs:label": "Levenschtein Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:ApproximateStringMatching"
      }
    },
    {
      "@id": "d3f:T1484",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1484",
      "d3f:modifies": {
        "@id": "d3f:GroupPolicy"
      },
      "rdfs:label": "Group Policy Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N9a5f59a700534e80ac28c196104bb2af"
        }
      ]
    },
    {
      "@id": "_:N9a5f59a700534e80ac28c196104bb2af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:CWE-50",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-50",
      "rdfs:label": "Path Equivalence: '//multiple/leading/slash'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-161"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:T1069.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.002",
      "rdfs:label": "Domain Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:Semi-supervisedSelf-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSST",
      "d3f:definition": "Self-training is the procedure in which a supervised method for classification or regression is modified it to work in a semi-supervised manner, taking advantage of labeled and unlabeled data",
      "d3f:kb-article": "## References\nAltexSoft. (n.d.). Semi-Supervised Learning: A Technical Guide with Python Examples. [Link](https://www.altexsoft.com/blog/semi-supervised-learning/#:~:text=One%20of%20the%20simplest%20examples,of%20labeled%20and%20unlabeled%20data.)",
      "rdfs:label": "Semi-supervised Self-training",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:T1559.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.003",
      "rdfs:label": "XPC Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:RegSetValueA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:CCI-000195_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000195"
    },
    {
      "@id": "d3f:archived-at",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "archived-at"
      },
      "rdfs:range": {
        "@id": "xsd:anyURI"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:CapabilityImplementation",
      "@type": "owl:Class",
      "rdfs:label": "Capability Implementation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCatalogThing"
        },
        {
          "@id": "_:Nc9c0e6e2edd94391b1dfe31fe65b926a"
        },
        {
          "@id": "_:N12e6d4f45b6c43f9ad1237032e893405"
        },
        {
          "@id": "_:Ned85399c54f648618841a02ffb8a9553"
        },
        {
          "@id": "_:N80b49c96ec2540dc9c50a4dca145796b"
        }
      ]
    },
    {
      "@id": "_:Nc9c0e6e2edd94391b1dfe31fe65b926a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:features"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeFeature"
      }
    },
    {
      "@id": "_:N12e6d4f45b6c43f9ad1237032e893405",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:latency"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:D3FENDCatalogThing"
      }
    },
    {
      "@id": "_:Ned85399c54f648618841a02ffb8a9553",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:operating-system"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N80b49c96ec2540dc9c50a4dca145796b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:version"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-08-001/"
      },
      "d3f:kb-abstract": "The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking \"Create dump file\". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.\n\nThis requires filesystem data to determine whether files have been created.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-08-001: Credential Dumping via Windows Task Manager",
      "rdfs:label": "Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE"
    },
    {
      "@id": "d3f:T1547.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.001",
      "d3f:may-modify": [
        {
          "@id": "d3f:SystemConfigurationInitDatabaseRecord"
        },
        {
          "@id": "d3f:UserStartupScriptFile"
        }
      ],
      "rdfs:label": "Registry Run Keys / Startup Folder",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N778e591052e24c36aef1810ce7c7b9ce"
        },
        {
          "@id": "_:Nb5b350cc69b54de198493141f186f9a9"
        }
      ]
    },
    {
      "@id": "_:N778e591052e24c36aef1810ce7c7b9ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "_:Nb5b350cc69b54de198493141f186f9a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:CWE-556",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-556",
      "rdfs:label": "ASP.NET Misconfiguration: Use of Identity Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:SystemPasswordDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password database used by a system service or process to authenticate users (e.g., Security Account Manager)",
      "rdfs:label": "System Password Database",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordDatabase"
      }
    },
    {
      "@id": "d3f:UserInputFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Generic function that receives direct user input from an untrusted source.",
      "rdfs:label": "User Input Function",
      "rdfs:subClassOf": {
        "@id": "d3f:InputFunction"
      }
    },
    {
      "@id": "d3f:CWE-1080",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1080",
      "rdfs:label": "Source Code File with Excessive Number of Lines of Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:HierarchicalDomainDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ForwardResolutionDomainDenylisting"
      ],
      "d3f:d3fend-id": "D3-HDDL",
      "d3f:definition": "Blocking the resolution of any subdomain of a specified domain name.",
      "d3f:kb-article": "## How it works\nThis technique is used to block DNS queries from related domains and subdomains that are unauthorized.\n\nHierarchical domain blacklisting considers the blacklisting of second level domains and additional sub-domains and specific hosts for a given query value. A denylist is maintained that contains DNS names and corresponding subdomains, including wildcards, that should be blocked for a given lookup.\n\n## Considerations\n* The denylist of domain names will have to be maintained and will need to be kept up to date\n* Other domains that resolve to the domain of interest for blocking (CNAME, etc).\n* Denylists should have identified maintenance cycles to ensure lists are not stale.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Hierarchical Domain Blacklisting",
      "rdfs:label": "Hierarchical Domain Denylisting",
      "rdfs:subClassOf": {
        "@id": "d3f:ForwardResolutionDomainDenylisting"
      }
    },
    {
      "@id": "d3f:CWE-1290",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1290",
      "rdfs:label": "Incorrect Decoding of Security Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-002178_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002178"
    },
    {
      "@id": "d3f:GetRunningProcesses",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get Running Processes",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-689",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-689",
      "rdfs:label": "Permission Race Condition During Resource Copy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:CCI-002205_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002205"
    },
    {
      "@id": "d3f:T1499.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.004",
      "rdfs:label": "Application or System Exploitation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:CWE-652",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-652",
      "rdfs:label": "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-91"
        },
        {
          "@id": "d3f:CWE-943"
        }
      ]
    },
    {
      "@id": "d3f:FileHashing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAnalysis"
      ],
      "d3f:d3fend-id": "D3-FH",
      "d3f:definition": "Employing file hash comparisons to detect known malware.",
      "d3f:kb-article": "## How it works\nThis technique requires a list of hashes to compare a file against.\n\n## Considerations\nPerformance on large files or very large numbers of files.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Munin"
      },
      "rdfs:label": "File Hashing",
      "rdfs:subClassOf": {
        "@id": "d3f:FileAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-007/"
      },
      "d3f:kb-abstract": "Certutil.exe may download a file from a remote destination using -VerifyCtl. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file will either be written to the current working directory or %APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\<hash>.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments",
      "rdfs:label": "Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE"
    },
    {
      "@id": "d3f:AuthenticationCacheInvalidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialEviction"
      ],
      "d3f:d3fend-id": "D3-ANCI",
      "d3f:definition": "Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.",
      "d3f:deletes": {
        "@id": "d3f:Credential"
      },
      "d3f:kb-article": "## How it works\nApplications can locally cache user authentication credentials for certain server connections. An application may attempt to use the cached credential for a connection. If the cached credentials exist then the user will not be typically prompted for new credentials.\n\n\n## Considerations\nAre these cached credentials only on the local host? Can they be persisted to the remote server?\n\n## Examples\nWindows Credential Management API",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SecureCachingOfServerCredentials_DellProductsLP"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU"
        }
      ],
      "rdfs:label": "Authentication Cache Invalidation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:Nc7a636c6dec343adbb14669c88b30f3d"
        }
      ]
    },
    {
      "@id": "_:Nc7a636c6dec343adbb14669c88b30f3d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:CWE-668",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-668",
      "rdfs:label": "Exposure of Resource to Wrong Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1185",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1185",
      "d3f:produces": {
        "@id": "d3f:WebNetworkTraffic"
      },
      "rdfs:label": "Man in the Browser",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N303d2b4064334d8eb6622392ad4d53cc"
        }
      ]
    },
    {
      "@id": "_:N303d2b4064334d8eb6622392ad4d53cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-330",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-330",
      "rdfs:label": "Use of Insufficiently Random Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-125",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-125",
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Out-of-bounds Read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:N9b2845f13a664a9eb32fe7d8a3fcc349"
        }
      ]
    },
    {
      "@id": "_:N9b2845f13a664a9eb32fe7d8a3fcc349",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:T1536",
      "@type": "owl:Class",
      "d3f:attack-id": "T1536",
      "rdfs:label": "Revert Cloud Instance",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1017",
      "@type": "owl:Class",
      "d3f:attack-id": "T1017",
      "rdfs:label": "Application Deployment Software",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:CWE-331",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-331",
      "rdfs:label": "Insufficient Entropy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:T1547.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.013",
      "rdfs:label": "XDG Autostart Entries",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:Scheduling",
      "@type": "owl:Class",
      "rdfs:label": "Scheduling",
      "rdfs:subClassOf": {
        "@id": "d3f:Planning"
      }
    },
    {
      "@id": "d3f:windows-registry-value",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x value y: The key-value pair x has the data value y.",
      "rdfs:label": "windows-registry-value",
      "rdfs:subPropertyOf": {
        "@id": "d3f:windows-registry-data-property"
      },
      "skos:altLabel": "value"
    },
    {
      "@id": "d3f:counters",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "counters",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-catalog-object-property"
        },
        {
          "@id": "d3f:may-counter"
        }
      ]
    },
    {
      "@id": "d3f:IOPortRestriction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutionIsolation"
      ],
      "d3f:d3fend-id": "D3-IOPR",
      "d3f:definition": "Limiting access to computer input/output (IO) ports to restrict unauthorized devices.",
      "d3f:filters": [
        {
          "@id": "d3f:InputDevice"
        },
        {
          "@id": "d3f:RemovableMediaDevice"
        }
      ],
      "d3f:kb-article": "## How It works\n\nSoftware-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports.\n\nHardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device that is placed between the host system and the external devices can filter IO port connections based on configurable rules. When new devices are connected to the USB filter the type of device is determined. Using an allow list a connection determination is made for the device.\n\nSome implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type.\n\nTypes of restrictions that may be applied:\n- Device connection\n- Device command filtering\n- Device file system read or write restrictions\n\n## Considerations\n * Agent software will need to be installed on host systems\n * Configurations for allow/deny for devices and files will need to be maintained",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts"
        },
        {
          "@id": "d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem"
        }
      ],
      "rdfs:label": "IO Port Restriction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:Nc9551dab8e594e6cac78c86a78ba98c6"
        },
        {
          "@id": "_:Ncaa4e7b03d1e43b5a49a7fdbe2f75142"
        }
      ]
    },
    {
      "@id": "_:Nc9551dab8e594e6cac78c86a78ba98c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "_:Ncaa4e7b03d1e43b5a49a7fdbe2f75142",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:CWE-311",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-311",
      "rdfs:label": "Missing Encryption of Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:T1053.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.001",
      "rdfs:label": "At (Linux) Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:SetSystemConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Set System Config Value",
      "rdfs:seeAlso": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetvalueexa",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigSystemCall"
        },
        {
          "@id": "_:N7510758e64f44d24bbcf9a3c99423ee9"
        }
      ]
    },
    {
      "@id": "_:N7510758e64f44d24bbcf9a3c99423ee9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1574.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.010",
      "d3f:modifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Services File Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Nb069883f75424c0c95f4eff16703c6dd"
        }
      ],
      "skos:altLabel": "Service Registry Permissions Weakness"
    },
    {
      "@id": "_:Nb069883f75424c0c95f4eff16703c6dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:CWE-327",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-327",
      "rdfs:label": "Use of a Broken or Risky Cryptographic Algorithm",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:T1036.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.007",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Double File Extension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N978aa345a66a497b9458adcc96b7260e"
        }
      ]
    },
    {
      "@id": "_:N978aa345a66a497b9458adcc96b7260e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:CWE-1118",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1118",
      "rdfs:label": "Insufficient Documentation of Error Handling Techniques",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:CCI-001495_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized deletion.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001495"
    },
    {
      "@id": "d3f:T1059.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.008",
      "rdfs:label": "Network Device CLI",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9317692B2"
      },
      "d3f:kb-abstract": "Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host a nd each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.",
      "d3f:kb-author": "Matthew Cruz Elder, Darrell Martin Kienzle, Pratyusa K. Manadhata, Ryan Kumar Persaud",
      "d3f:kb-organization": "CA Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "System and method for vulnerability risk analysis",
      "rdfs:label": "Reference - System and method for vulnerability risk analysis"
    },
    {
      "@id": "d3f:CWE-609",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-609",
      "rdfs:label": "Double-Checked Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:CWE-521",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-521",
      "rdfs:label": "Weak Password Requirements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1391"
      }
    },
    {
      "@id": "d3f:Vendor",
      "@type": "owl:Class",
      "rdfs:label": "Vendor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Provider"
        },
        {
          "@id": "_:N6c97aa05444044a88397d68273bc0c5a"
        }
      ]
    },
    {
      "@id": "_:N6c97aa05444044a88397d68273bc0c5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:sells"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "d3f:T1567.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567.001",
      "d3f:may-produce": [
        {
          "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic"
        },
        {
          "@id": "d3f:OutboundInternetEncryptedWebTraffic"
        }
      ],
      "rdfs:label": "Exfiltration to Code Repository",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1567"
        },
        {
          "@id": "_:Ne75305a1cac14f028b90a11bcf002afd"
        },
        {
          "@id": "_:N0661e1a069324f7eb4cfe4096b736dd0"
        }
      ]
    },
    {
      "@id": "_:Ne75305a1cac14f028b90a11bcf002afd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic"
      }
    },
    {
      "@id": "_:N0661e1a069324f7eb4cfe4096b736dd0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1247",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1247",
      "rdfs:label": "Improper Protection Against Voltage and Clock Glitches",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Software Updates and Patches",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-3(6)"
    },
    {
      "@id": "d3f:WindowsNtAllocateVirtualMemoryEx",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtAllocateVirtualMemoryEx",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIAllocateMemory"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001811_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001811"
    },
    {
      "@id": "d3f:restricts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x restricts y: An entity x bounds the use of entity y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00234091-v"
      },
      "rdfs:label": "restricts",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:may-access",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-access y: They entity x may access the thing y; that is, 'x accesses y' may be true.",
      "owl:inverseOf": {
        "@id": "d3f:may-be-accessed-by"
      },
      "rdfs:label": "may-access",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:UserInterface",
      "@type": "owl:Class",
      "d3f:definition": "The user interface (UI), in the industrial design field of human-machine interaction, is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine from the human end, whilst the machine simultaneously feeds back information that aids the operators' decision-making process. Examples of this broad concept of user interfaces include the interactive aspects of computer operating systems, hand tools, heavy machinery operator controls, and process controls. The design considerations applicable when creating user interfaces are related to or involve such disciplines as ergonomics and psychology.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_interface"
      },
      "rdfs:label": "User Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "UI"
    },
    {
      "@id": "d3f:FileContentAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAnalysis"
      ],
      "d3f:d3fend-id": "D3-FCOA",
      "d3f:definition": "Employing a pattern matching algorithm to statically analyze the content of files.",
      "d3f:kb-article": "## How it works\nAnalyzing a piece of code without it being executed in a sandbox, virtual machine, or simulator. Patterns or signatures in the file can indicate whati kind of software it is, including whether it is malware.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems"
      },
      "rdfs:label": "File Content Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:FileAnalysis"
      }
    },
    {
      "@id": "d3f:RemoteTerminalSessionDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RTSD",
      "d3f:definition": "Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.",
      "d3f:kb-article": "## How it works\nAn external attacker takes remote control of a host inside a company or organization's network and manually directs offensive techniques. Nonstandard terminal sessions and abnormal behaviors are analyzed in this technique. Abnormal behavior detection includes analysis of user input patterns in the real-time session, keyboard output and packet inspection.\n\n### Network Traffic Inspection\nNetwork traffic from internal hosts is the main concern and focus for the traffic inspection. The network traffic is collected into inspection groups. The groups of traffic are assembled into distinct pair flows (outbound/inbound) and the pair flows are further divided into sessions. Only sessions originated inside of the network are considered for the inspection. Traffic inspection includes analysis to determine if a human is involved in the session exchanges. Time-based statistics are captured for each session being analyzed by the detection engine.\n\n### Algorithm Analysis Description\nAnalysis algorithms look for patterns in the network traffic captured from the session data.  A detection engine groups the session traffic data, between the hosts, into rapid exchange instances. Analysis of rapid exchange traffic patterns can lead to the discovery of abnormal behavior which is indicative of a compromised internal host. The analysis algorithms look for patterns in the traffic which correlate to known activity (e.g., relay attacks, bot activity, bitcoin mining). 
Some metrics used during inspection include the following.\n\n* Number of rapid-exchange instances\n* Time interval between packets\n* Fixed cadence of traffic\n* Rhythm and direction of the initiation of instances\n* Volume of data flowing from internal to external controlling host\n* Data transfer characteristics\n* Variability in length of silent periods\n\n## Considerations\n* Full packet capture is required which can be process intensive to analyze\n* Attackers that move low and slow may blend in with existing traffic resulting in false negatives",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-RDPConnectionDetection_MITRE"
        },
        {
          "@id": "d3f:Reference-RemoteDesktopLogon_MITRE"
        }
      ],
      "rdfs:label": "Remote Terminal Session Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N392b04b9978043efbfdc8299dca9fd62"
        }
      ]
    },
    {
      "@id": "_:N392b04b9978043efbfdc8299dca9fd62",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:OSAPIExec",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:Exec"
      },
      "rdfs:label": "OS API Exec",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N0c50e2ff82f046aa9cc35e3173a891b3"
        }
      ]
    },
    {
      "@id": "_:N0c50e2ff82f046aa9cc35e3173a891b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Exec"
      }
    },
    {
      "@id": "d3f:CWE-797",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-797",
      "rdfs:label": "Only Filtering Special Elements at an Absolute Position",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-795"
      }
    },
    {
      "@id": "d3f:VarianceReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VR",
      "d3f:definition": "Leverages a well-known result from statistical learning and decomposes the model error into a data noise term, a model bias term and a model variance term. As the noise term only depends on the data and the bias is induced by the choice of model, any reduction in the error can only come from the variance term.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Variance Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1157",
      "@type": "owl:Class",
      "d3f:attack-id": "T1157",
      "rdfs:label": "Dylib Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-153",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-153",
      "rdfs:label": "Improper Neutralization of Substitution Characters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CCI-001858_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-14T00:00:00"
      },
      "rdfs:label": "CCI-001858"
    },
    {
      "@id": "d3f:CWE-352",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-352",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Cross-Site Request Forgery (CSRF)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "_:N6730765c4c4040bdae17f078a854a044"
        }
      ]
    },
    {
      "@id": "_:N6730765c4c4040bdae17f078a854a044",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-573",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-573",
      "rdfs:label": "Improper Following of Specification by Caller",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(10)"
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-002/"
      },
      "d3f:kb-abstract": "Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-002: Local Network Sniffing",
      "rdfs:label": "Reference - CAR-2020-11-002: Local Network Sniffing - MITRE"
    },
    {
      "@id": "d3f:Semi-supervisedFeatureExtraction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSFE",
      "d3f:definition": "Feature extraction refers to reducing the number of dimensions in a data point so that it is computationally feasible and effective to learn a model.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Feature Extraction",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:reads",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x reads y: The subject x takes the action of reading from a digital source y to acquire data and placing it into volatile memory for processing.",
      "rdfs:label": "reads",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Reading_(computer)"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00629157-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:accesses"
      }
    },
    {
      "@id": "d3f:process-identifier",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-identifier y: The process x has the process identifier y.",
      "rdfs:label": "process-identifier",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:strengthens",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x strengthens y: The technique x makes digital artifact y resistant (to harm or misuse).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00165779-v"
      },
      "rdfs:label": "strengthens",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:CWE-406",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-406",
      "rdfs:label": "Insufficient Control of Network Message Volume (Network Amplification)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CWE-385",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-385",
      "rdfs:label": "Covert Timing Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-514"
      }
    },
    {
      "@id": "d3f:NetworkFlow",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A summarization of network transactions between a client and server. It often summarizes bytes sent, bytes received, and protocol flags.",
      "d3f:summarizes": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Network Flow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Na0d68f09ce3344218936cf42caf0e3e2"
        }
      ]
    },
    {
      "@id": "_:Na0d68f09ce3344218936cf42caf0e3e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:summarizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-103",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-103",
      "rdfs:label": "Struts: Incomplete validate() Method Definition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:FirmwareBehaviorAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Firmware"
      },
      "d3f:d3fend-id": "D3-FBA",
      "d3f:definition": "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.",
      "d3f:kb-article": "## How it works\nFirmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs).\n\nFirmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices.\n\nA behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function.\n\nThe original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected software components will allow for a software root of trust, the challenge and response protocol, to be implemented in the firmware.\n\nA challenge-response is issued and includes a nonce so that replays are not allowed. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified.\n\n## Considerations\n* The firmware code will need to be modified to include the behavioral monitoring functionality.\n* This technique is sensitive to the device the embedded firmware is hosted on and it is expected that the devices and firmware will need to be profiled and analyzed to determine timing estimation.\n* This technique is not expected to be one hundred percent correct as you would expect in a hardware root of trust solution and may require some tuning.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareBehaviorAnalysisConFirm"
        },
        {
          "@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER"
        }
      ],
      "d3f:synonym": "Firmware Timing Analysis",
      "rdfs:label": "Firmware Behavior Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N6b082aaa9011432e80fa57024a00f531"
        }
      ]
    },
    {
      "@id": "_:N6b082aaa9011432e80fa57024a00f531",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:CWE-436",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-436",
      "rdfs:label": "Interpretation Conflict",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-435"
      }
    },
    {
      "@id": "d3f:AuthenticateUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Authenticate User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N30981104511c41e0b4f7a6e6f544ef48"
        }
      ]
    },
    {
      "@id": "_:N30981104511c41e0b4f7a6e6f544ef48",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:NetworkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-NM",
      "d3f:definition": "Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.",
      "d3f:display-order": 3,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "rdfs:label": "Network Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N1ad832b5cab3466fb9d824a0b6de40fc"
        }
      ]
    },
    {
      "@id": "_:N1ad832b5cab3466fb9d824a0b6de40fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:StartupDirectory",
      "@type": "owl:Class",
      "d3f:definition": "A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started.",
      "rdfs:label": "Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1272",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1272",
      "rdfs:label": "Sensitive Information Uncleared Before Debug/Power State Transition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:M1048",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "\"Sandboxing\" is often used to describe a detection environment which includes some forms of analysis (see D3-DA).  Many forms of isolation (e.g., quarantining) are more static in nature and simply limit software's access to system resources.",
      "d3f:related": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "rdfs:label": "Application Isolation and Sandboxing"
    },
    {
      "@id": "d3f:CloudStorage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud storage is storage held within a computing cloud.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Cloud_storage"
      },
      "rdfs:label": "Cloud Storage",
      "rdfs:seeAlso": {
        "@id": "dbr:Cloud_computing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:NetworkTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-NTA",
      "d3f:definition": "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Network Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N1c66bc9e70b844efa65afb62b3f545ad"
        }
      ]
    },
    {
      "@id": "_:N1c66bc9e70b844efa65afb62b3f545ad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACE_TRACEME",
      "@type": "owl:Class",
      "d3f:definition": "Indicates that the process is to be traced by its parent.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/ptrace.2.html",
      "rdfs:label": "Linux Ptrace Argument PTRACE_TRACEME",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITraceProcess"
      }
    },
    {
      "@id": "d3f:T1527",
      "@type": "owl:Class",
      "d3f:attack-id": "T1527",
      "rdfs:label": "Application Access Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-613",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-613",
      "rdfs:label": "Insufficient Session Expiration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:T1143",
      "@type": "owl:Class",
      "d3f:attack-id": "T1143",
      "rdfs:label": "Hidden Window",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:OSAPICreateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "OS API Create Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N8de0fbced56048d0839d6e96f44990d5"
        }
      ]
    },
    {
      "@id": "_:N8de0fbced56048d0839d6e96f44990d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-78",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-78",
      "d3f:may-be-weakness-of": [
        {
          "@id": "d3f:EvalFunction"
        },
        {
          "@id": "d3f:ProcessStartFunction"
        },
        {
          "@id": "d3f:UserInputFunction"
        }
      ],
      "rdfs:label": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-77"
        },
        {
          "@id": "_:N7a05dd0e808243e5b8429735c74adf9a"
        },
        {
          "@id": "_:N3b3c81d3a06145b0824f0a9a74da21c9"
        },
        {
          "@id": "_:N57fbd6a723fc43e9a91c43b5158d9462"
        }
      ]
    },
    {
      "@id": "_:N7a05dd0e808243e5b8429735c74adf9a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EvalFunction"
      }
    },
    {
      "@id": "_:N3b3c81d3a06145b0824f0a9a74da21c9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessStartFunction"
      }
    },
    {
      "@id": "_:N57fbd6a723fc43e9a91c43b5158d9462",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-603",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-603",
      "rdfs:label": "Use of Client-Side Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-602"
        }
      ]
    },
    {
      "@id": "d3f:T1150",
      "@type": "owl:Class",
      "d3f:attack-id": "T1150",
      "rdfs:label": "Plist Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:OutboundInternetWebTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet web traffic is network traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard web protocol.",
      "d3f:may-contain": {
        "@id": "d3f:URL"
      },
      "rdfs:label": "Outbound Internet Web Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:WebNetworkTraffic"
        },
        {
          "@id": "_:N600f8ba48edf42faa8693f3c2f85af90"
        }
      ]
    },
    {
      "@id": "_:N600f8ba48edf42faa8693f3c2f85af90",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:T1110.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.002",
      "rdfs:label": "Password Cracking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:N8b6f5fcbee1447f7926a1cf9d82ff31c"
        }
      ]
    },
    {
      "@id": "_:N8b6f5fcbee1447f7926a1cf9d82ff31c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:T1568.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.001",
      "rdfs:label": "Fast Flux DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:T1057",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1057",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetRunningProcesses"
        }
      ],
      "rdfs:label": "Process Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N7892e1c67e874d4eb3a28a39c6767155"
        },
        {
          "@id": "_:Ne017d9fdd08f42c09ea67710d47d7cda"
        }
      ]
    },
    {
      "@id": "_:N7892e1c67e874d4eb3a28a39c6767155",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:Ne017d9fdd08f42c09ea67710d47d7cda",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:CWE-190",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-190",
      "d3f:weakness-of": {
        "@id": "d3f:MathematicalFunction"
      },
      "rdfs:label": "Integer Overflow or Wraparound",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-682"
        },
        {
          "@id": "_:Nd5fc8127df9844058ab8f1d458d0d13b"
        }
      ]
    },
    {
      "@id": "_:Nd5fc8127df9844058ab8f1d458d0d13b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MathematicalFunction"
      }
    },
    {
      "@id": "d3f:M1031",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "Network Intrusion Prevention"
    },
    {
      "@id": "d3f:FreeMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:deletes": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Free Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N14abe09b55244580a4a2f8b870de51fe"
        }
      ]
    },
    {
      "@id": "_:N14abe09b55244580a4a2f8b870de51fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-05-001/"
      },
      "d3f:kb-abstract": "This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.\n\nThe analytic is based on a Sigma analytic contributed by Samir Bousseaden and written up in a blog on MENASEC. It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in CAR-2019-08-001. In this iteration of the Sigma analytic, the GrantedAccess filter isn’t included because it didn’t seem to filter out any false positives and introduces the potential for evasion.\n\nThis analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-05-001: MiniDump of LSASS",
      "rdfs:label": "Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "rdfs:label": "RA-5(7)"
    },
    {
      "@id": "d3f:ProcessSegmentExecutionPrevention",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-PSEP",
      "d3f:definition": "Preventing execution of any address in a memory region other than the code segment.",
      "d3f:kb-article": "## How it works\n\nDuring execution of a process, the instruction pointer register should only point to addresses in a code segment (also called the .text segment), as this is the sole segment which should contain program code.\n\nWhen this technique detects an attempt to execute something that has been designated as non-executable, other techniques such as those in **Process Eviction** might be invoked, such as **Process Termination** to end the current process, or **Executable Blacklisting** to blacklist the potentially vulnerable or malfunctioning executable.\n\n### Software-based implementations\nThe software-based implementation in Windows XP SP2 might not perform the check every time the instruction pointer is changed, and does not check on each jump or return.  Before calling an exception handler, Windows XP SP2 software-enforced DEP checks whether the exception handler is located in a memory region marked as executable.  If the program was also built with SafeSEH, this implementation also checks before changing control to the exception handler whether it is a registered exception handler in the program's file on disk.\n\n### Hardware-based implementations\nThe NX (No Execute) or XD (Execute Disable) bit on the processor specifies whether a certain part of memory is executable.  Early implementations set this bit by the memory segment, while modern implementations which are built on the flat memory model often store this bit in each entry of the page table, to control execution by the page.\n\n\n## Considerations\n\nNon-hardware process data segment execution prevention is more susceptible to being turned off for a page of memory.\n\nDifferent implementations of this defense have been in place since the 1980s, but implementation stalled when larger 16-bit programs began stuffing code in the segments usually reserved for data. 
Many modern programs, which follow the best practice of separating code and data, are able to run under this defense.\n\nROP or ret2libc/return-to-function attacks could bypass this defense because, although they may pass attacker-controlled data or stack frames to a function, they abuse functions that are legitimately located in the .text segment (code segment) of the program.  For those, more advanced defenses such as a table of valid jump addresses, function call analysis, or return depth analysis could be used.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DataExecutionPrevention_Microsoft"
        },
        {
          "@id": "d3f:Reference-WhatIsNX_XDFeature_RedHat"
        }
      ],
      "d3f:neutralizes": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:synonym": [
        "No Execute",
        "Execute Disable"
      ],
      "rdfs:label": "Process Segment Execution Prevention",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N807cf500e6d9421187ba8ab1658990d2"
        }
      ]
    },
    {
      "@id": "_:N807cf500e6d9421187ba8ab1658990d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:neutralizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "RA-5(2)"
    },
    {
      "@id": "wptmp:entity#Reference%20-%20%20CAR-2016-04-004:%20Successful%20Local%20Account%20Login",
      "d3f:kb-organization": "MITRE/NSA"
    },
    {
      "@id": "d3f:SoftwarePackage",
      "@type": "owl:Class",
      "rdfs:label": "Software Package",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/package",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:Compiler",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a compiler is a computer program that translates computer code written in one programming language (the source language) into another language (the target language). The name \"compiler\" is primarily used for programs that translate source code from a high-level programming language to a lower level language (e.g., assembly language, object code, or machine code) to create an executable program.",
      "d3f:reads": {
        "@id": "d3f:CompilerConfigurationFile"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Compiler"
      },
      "rdfs:label": "Compiler",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:BuildTool"
        },
        {
          "@id": "_:N5ae31451e9e642f5b81e579712167cc6"
        }
      ]
    },
    {
      "@id": "_:N5ae31451e9e642f5b81e579712167cc6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CompilerConfigurationFile"
      }
    },
    {
      "@id": "d3f:T1136",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1136",
      "d3f:creates": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Create Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:Ne42493dc1b644d28beec64b7632d08e0"
        }
      ]
    },
    {
      "@id": "_:Ne42493dc1b644d28beec64b7632d08e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-36",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-36",
      "rdfs:label": "Absolute Path Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-22"
      }
    },
    {
      "@id": "d3f:ResourceAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:d3fend-id": "D3-RAPA",
      "d3f:definition": "Analyzing the resources accessed by a user to identify unauthorized activity.",
      "d3f:kb-article": "## How it works\nThis technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough.\n\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Resource Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:Nca6b7fe17b1949ab91fab67ccb4130a7"
        },
        {
          "@id": "_:Nce34465027644e588e6ae42a91bd5eb4"
        }
      ]
    },
    {
      "@id": "_:Nca6b7fe17b1949ab91fab67ccb4130a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nce34465027644e588e6ae42a91bd5eb4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:may-produce",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-produce y: The entity x may produce the thing y; that is, 'x produces y' may be true.",
      "rdfs:label": "may-produce",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-696",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-696",
      "rdfs:label": "Incorrect Behavior Order",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CCI-000663_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutionIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization (or information system) enforces explicit rules governing the installation of software by users.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-000663"
    },
    {
      "@id": "d3f:NetworkIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-NI",
      "d3f:definition": "Network Isolation techniques prevent network hosts from accessing non-essential system network resources.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "rdfs:label": "Network Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nb71153e9ddb54ea9b67e629cf276bbd6"
        }
      ]
    },
    {
      "@id": "_:Nb71153e9ddb54ea9b67e629cf276bbd6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:CredentialAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 6,
      "rdfs:label": "Credential Access",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust"
      },
      "d3f:kb-abstract": "Active Directory Domain Services (AD DS) provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first check if the domain being requested by a user, computer, or service has a trust relationship with the domain of the requesting account.",
      "d3f:kb-author": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:kb-reference-title": "How trust relationships work for resource forests in Azure Active Directory Domain Services",
      "rdfs:label": "Reference - How trust relationships work for resource forests in Azure Active Directory Domain Services"
    },
    {
      "@id": "d3f:T1556.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.004",
      "rdfs:label": "Network Device Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CWE-921",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-921",
      "rdfs:label": "Storage of Sensitive Data in a Mechanism without Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-922"
      }
    },
    {
      "@id": "d3f:LinuxOpenAt2ArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file. Extension of Linux Openat.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/openat2.2.html",
      "rdfs:label": "Linux OpenAt2 Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:Reference-Munin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SourceCodeReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/Neo23x0/munin"
      },
      "d3f:kb-author": "Florian Roth",
      "d3f:kb-reference-title": "Online Hash Checker for Virustotal and Other Services",
      "rdfs:label": "Reference - Munin"
    },
    {
      "@id": "d3f:Clipboard",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The clipboard is a buffer that some operating systems provide for short-term storage and transfer within and between application programs. The clipboard is usually temporary and unnamed, and its contents reside in the computer's RAM. The clipboard is sometimes called the paste buffer. Windows, Linux and macOS support a single clipboard transaction. Each cut or copy overwrites the previous contents. Normally, paste operations copy the contents, leaving the contents available in the clipboard for further pasting.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Clipboard_(computing)"
      },
      "rdfs:label": "Clipboard",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CCI-002726_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system verifies the integrity of the boot process of organization-defined devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002726"
    },
    {
      "@id": "d3f:Reference-MethodForFileEncryption",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9521123B2/en"
      },
      "d3f:kb-abstract": "A method for encryption and sealing of a plaintext file by hashing the plaintext file to produce a plaintext hash, encrypting the plaintext file to produce ciphertext, hashing the ciphertext to produce a ciphertext hash, hashing the plaintext hash and the ciphertext hash to produce a result hash, and sealing the ciphertext together with the result hash.",
      "d3f:kb-author": "Robert R. Jueneman, Duane J. LINSENBARDT, John N. Young, William Reid Carlisle, Burton George Tregub",
      "d3f:kb-organization": "New Kailung Gear Co Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:kb-reference-title": "Method for file encryption",
      "rdfs:label": "Reference - Method for file encryption"
    },
    {
      "@id": "d3f:CWE-415",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-415",
      "rdfs:label": "Double Free",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1341"
        },
        {
          "@id": "d3f:CWE-666"
        },
        {
          "@id": "d3f:CWE-825"
        }
      ]
    },
    {
      "@id": "d3f:CWE-650",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-650",
      "rdfs:label": "Trusting HTTP Permission Methods on the Server Side",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:WebScriptFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file containing a script in a web-scripting programming language. Web scripts may be present and run on the client or on the server side.",
      "rdfs:label": "Web Script File",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      },
      "skos:altLabel": "Web Script"
    },
    {
      "@id": "d3f:CloudServiceAuthorization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud authorization is the function of specifying access rights to cloud resources.",
      "rdfs:label": "Cloud Service Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:CCI-002476_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002476"
    },
    {
      "@id": "d3f:SavedInstructionPointer",
      "@type": "owl:Class",
      "d3f:definition": "A saved instruction pointer points to the instruction that generated an exception (trap or fault).",
      "rdfs:label": "Saved Instruction Pointer",
      "rdfs:seeAlso": {
        "@id": "dbr:Exception_handling"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Pointer"
        },
        {
          "@id": "d3f:StackComponent"
        }
      ]
    },
    {
      "@id": "d3f:T1011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1011",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Other Network Medium",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N737f7783715046578af0d9e572a5e5ce"
        }
      ]
    },
    {
      "@id": "_:N737f7783715046578af0d9e572a5e5ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:FilePathOpenFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Has an input of a file path, and opens a file handle for reading or writing.",
      "d3f:invokes": {
        "@id": "d3f:OpenFile"
      },
      "rdfs:label": "File Path Open Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nc8143d9875504c8fa6defd478ef7dda4"
        },
        {
          "@id": "_:Nbad84317c2b74819b415cca6a794a271"
        }
      ]
    },
    {
      "@id": "_:Nc8143d9875504c8fa6defd478ef7dda4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Nbad84317c2b74819b415cca6a794a271",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OpenFile"
      }
    },
    {
      "@id": "d3f:T1588.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.005",
      "rdfs:label": "Exploits",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CCI-000162_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000162"
    },
    {
      "@id": "d3f:ResourceDevelopmentTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ResourceDevelopment"
      },
      "rdfs:label": "Resource Development Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N019eb642d1f1435d9ecfe0aa7d5ad6b1"
        }
      ]
    },
    {
      "@id": "_:N019eb642d1f1435d9ecfe0aa7d5ad6b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceDevelopment"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Embedded Data Types",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(5)"
    },
    {
      "@id": "d3f:T1498",
      "@type": "owl:Class",
      "d3f:attack-id": "T1498",
      "rdfs:label": "Network Denial of Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/EP3293937A1/en?oq=EP-3293937-A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.\n\nSome examples of data inputs:\n    Information for clients and servers, such as IP address and host information\n    Payloads for both clients and servers\n    Amount of data being transferred\n    Duration of communications\n    Length of time delay between client request and server response",
      "d3f:kb-author": "Nicolas Beauchesne; John Steven Mancini",
      "d3f:kb-mitre-analysis": "Extraction of network flow data and using unsupervised machine learning to create a standard baseline. During the monitoring phase, abnormal network metadata will result in an alert.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:Client-serverPayloadProfiling"
      },
      "d3f:kb-reference-title": "Method and system for detecting malicious payloads",
      "rdfs:label": "Reference - Method and system for detecting malicious payloads - Vectra Networks Inc"
    },
    {
      "@id": "d3f:T1121",
      "@type": "owl:Class",
      "d3f:attack-id": "T1121",
      "rdfs:label": "Regsvcs/Regasm",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:OrchestrationWorker",
      "@type": "owl:Class",
      "d3f:definition": "A d3f:Server which receives commands from a d3f:OrchestrationController to execute workloads.",
      "rdfs:label": "Orchestration Worker",
      "rdfs:seeAlso": "d3f:OrchestrationController",
      "rdfs:subClassOf": {
        "@id": "d3f:OrchestrationServer"
      }
    },
    {
      "@id": "d3f:Semi-SupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSL",
      "d3f:definition": "Semi-supervised learning is a branch of machine learning that combines a small amount of labeled data with a large amount of unlabeled data during training.",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning).",
      "rdfs:label": "Semi-Supervised Learning",
      "rdfs:seeAlso": "https://link.springer.com/article/10.1007/s10994-019-05855-6",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:T1555.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MacOSKeychain"
      },
      "d3f:attack-id": "T1555.001",
      "rdfs:label": "Keychain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:Nf7931794a7f14ffc8382e3287d24d31d"
        }
      ]
    },
    {
      "@id": "_:Nf7931794a7f14ffc8382e3287d24d31d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MacOSKeychain"
      }
    },
    {
      "@id": "d3f:T1547.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.003",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Time Providers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N1e80200b303e489386e1a4981c1614eb"
        }
      ]
    },
    {
      "@id": "_:N1e80200b303e489386e1a4981c1614eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Semi-supervisedWrapperMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSWM",
      "d3f:definition": "The principle behind wrapper methods is that we train a model with labeled data and then generate pseudo-labels for the unlabeled data using the trained model iteratively.",
      "d3f:kb-article": "## References\nJashish, M. (n.d.). Beginner's Guide to Semi-Supervised Learning. Jashish Blog.  [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).",
      "rdfs:label": "Semi-supervised Wrapper Method",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:SourceCodeAnalyzerTool",
      "@type": "owl:Class",
      "d3f:definition": "A source code analyzer tool is a static analysis tool that operates specifically on source code, but not object code.",
      "rdfs:label": "Source Code Analyzer Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Static_program_analysis"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:StaticAnalysisTool"
      }
    },
    {
      "@id": "d3f:CWE-1023",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1023",
      "rdfs:label": "Incomplete Comparison with Missing Factors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:CWE-511",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-511",
      "rdfs:label": "Logic/Time Bomb",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:CWE-274",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-274",
      "rdfs:label": "Improper Handling of Insufficient Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-269"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:HeapSegment",
      "@type": "owl:Class",
      "d3f:definition": "The heap segment (or free store) is a large pool of memory from which dynamic memory requests of a process are allocated and satisfied.",
      "rdfs:label": "Heap Segment",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Memory_management#HEAP"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:AddressSpace",
      "@type": "owl:Class",
      "d3f:definition": "An address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity. For software programs to save and retrieve stored data, each unit of data must have an address where it can be located. The number of address spaces available depends on the underlying address structure, which is usually limited by the computer architecture being used.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Address_space",
      "rdfs:label": "Address Space",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-14_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Session Audit | Capture and Record Content",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-14(2)"
    },
    {
      "@id": "d3f:CCI-001685_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account disabling actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001685"
    },
    {
      "@id": "d3f:T1048.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.001",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:N2ef43da4f5ac4a7c961c2f18b8c4f52f"
        }
      ]
    },
    {
      "@id": "_:N2ef43da4f5ac4a7c961c2f18b8c4f52f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:CryptographicKey",
      "@type": "owl:Class",
      "d3f:definition": "In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:label": "Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:DNSRecord",
      "@type": "owl:Class",
      "d3f:definition": "A Domain Name System (DNS) record is a record of information returned to clients seeking to find computers, services, and other resources connected to the Internet or a private network.  Record information is stored on a domain name server so it can respond to DNS queries from clients. There are a variety of record types, depending on the client's information needs. Common types include Start of Authority, IP addresses, SMTP mail exchangers, name servers, reverse DNS lookup pointers, etc.",
      "rdfs:label": "DNS Record",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Domain_Name_System"
        },
        {
          "@id": "dbr:List_of_DNS_record_types"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:CWE-382",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-382",
      "rdfs:label": "J2EE Bad Practices: Use of System.exit()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-705"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:control-name": "Least Privilege",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6"
    },
    {
      "@id": "d3f:CWE-507",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-507",
      "rdfs:label": "Trojan Horse",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:CWE-479",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-479",
      "rdfs:label": "Signal Handler Use of a Non-reentrant Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-663"
        },
        {
          "@id": "d3f:CWE-828"
        }
      ]
    },
    {
      "@id": "d3f:VirtualMemorySpace",
      "@type": "owl:Class",
      "d3f:definition": "Virtual memory is a memory management technique where secondary memory can be used as if it were a part of the main memory. Virtual memory uses hardware and software to enable a computer to compensate for physical memory shortages.",
      "rdfs:isDefinedBy": "https://whatis.techtarget.com/definition/memory",
      "rdfs:label": "Virtual Memory Space",
      "rdfs:seeAlso": "https://dbpedia.org/page/Virtual_memory",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddressSpace"
      }
    },
    {
      "@id": "d3f:CWE-1053",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1053",
      "rdfs:label": "Missing Documentation for Design",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:T1593.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593.002",
      "rdfs:label": "Search Engines",
      "rdfs:subClassOf": {
        "@id": "d3f:T1593"
      }
    },
    {
      "@id": "d3f:T1573",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Encrypted Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N93141329fb4644acb29392e120e6709f"
        }
      ],
      "skos:altLabel": [
        "Multilayer Encryption",
        "Custom Cryptographic Protocol",
        "Custom Command and Control Protocol"
      ]
    },
    {
      "@id": "_:N93141329fb4644acb29392e120e6709f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Automated Patch Management Tools",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "SI-2(4)"
    },
    {
      "@id": "d3f:T1090.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.002",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "External Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:N3c9bcadeb9ac4b5c9dabf24dfb97dd3d"
        }
      ]
    },
    {
      "@id": "_:N3c9bcadeb9ac4b5c9dabf24dfb97dd3d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1542.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.003",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootLoader"
        },
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:VolumeBootRecord"
        }
      ],
      "rdfs:label": "Bootkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:N516d11b0d79145a2a36fa36abf0465fa"
        },
        {
          "@id": "_:Na23955afb41a4b1f991e3888e5d88399"
        },
        {
          "@id": "_:Ne6e3185203f64a99bae16ab0b8595bce"
        }
      ]
    },
    {
      "@id": "_:N516d11b0d79145a2a36fa36abf0465fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "_:Na23955afb41a4b1f991e3888e5d88399",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Ne6e3185203f64a99bae16ab0b8595bce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VolumeBootRecord"
      }
    },
    {
      "@id": "d3f:T1221",
      "@type": "owl:Class",
      "d3f:attack-id": "T1221",
      "rdfs:label": "Template Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1205",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1205",
      "d3f:definition": "Traffic signaling is used all over, so the traffic it produces is not just internet traffic.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Traffic Signaling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:Nde6578f4994b413c93055becfb9ba1c6"
        }
      ]
    },
    {
      "@id": "_:Nde6578f4994b413c93055becfb9ba1c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-476",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-476",
      "d3f:weakness-of": {
        "@id": "d3f:PointerDereferencingFunction"
      },
      "rdfs:label": "NULL Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-710"
        },
        {
          "@id": "d3f:CWE-754"
        },
        {
          "@id": "_:N3deb4c527f1a4a18a55a99d9c0e6a5ef"
        }
      ]
    },
    {
      "@id": "_:N3deb4c527f1a4a18a55a99d9c0e6a5ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170272462A1"
      },
      "d3f:kb-abstract": "A method and system for remediating a process hollowing intrusion on a user device comprising detecting a process starting on the user device, preparing the process to monitor Application Programming Interface (API) calls between the process and an operating system of the user device, determining whether the process is associated with a process hollowing intrusion based on information associated with the process and/or the API calls, and executing security policies against the process associated with the process hollowing intrusion. In examples, it is determined whether the child process is associated with a process hollowing intrusion in response to determining whether one or more API calls associated with known process hollowing intrusions modify executable memory of and/or modify an entry point address of the child process.",
      "d3f:kb-author": "Jeffrey Albin Kraemer, Paul Matthew Drapeau",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Carbon Black Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSelf-ModificationDetection"
      },
      "d3f:kb-reference-title": "System and Method for Process Hollowing Detection",
      "rdfs:label": "Reference - System and Method for Process Hollowing Detection - Carbon Black Inc"
    },
    {
      "@id": "d3f:ProcessSpawnAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:Process"
        }
      ],
      "d3f:d3fend-id": "D3-PSA",
      "d3f:definition": "Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.",
      "d3f:kb-article": "## How it works\nProcess attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.\n\nSome attributes of interest are:\n - user\n - process name\n - image path\n - security content\n\n## Considerations\n\n - Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.\n - Attackers may have compromised any of the process properties, such as the user, so that a malicious execution appears legitimate.\n - Location: If the full image path is not checked, there could be a conflict with an executable that is resolved earlier through the system environment path/classpath variable.\n - Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments, shifting further tokens into the executable path until a valid one is found.\n - Some [operating systems](/dao/artifact/d3f:OperatingSystem) can spawn processes without forking.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveDirectoryDumpingViaNTDSUtil_MITRE"
        },
        {
          "@id": "d3f:Reference-CommandLineUsageOfArchivingSoftware_MITRE"
        },
        {
          "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other"
        },
        {
          "@id": "d3f:Reference-CredentialDumpingViaMimikatz_MITRE"
        },
        {
          "@id": "d3f:Reference-HostDiscoveryCommands_MITRE"
        },
        {
          "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE"
        },
        {
          "@id": "d3f:Reference-PowershellExecution_MITRE"
        },
        {
          "@id": "d3f:Reference-RunDLL32.exeMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-Squiblydoo_MITRE"
        },
        {
          "@id": "d3f:Reference-SuspiciousArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-SuspiciousRunLocations_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-04-001%3AShadowCopyDeletion_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-05-003%3ARareLolBASCommandLines_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-008%3AMSBuildAndMsxsl_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-009%3ACompiledHTMLAccess_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-008%3ADisableUAC_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-004%3ABITSJobPersistence_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe_MITRE"
        }
      ],
      "rdfs:label": "Process Spawn Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N7854ae5ff436496bb62db332cf9ea30c"
        },
        {
          "@id": "_:N54705b3d1afe4ac28c5808b2e3513163"
        }
      ]
    },
    {
      "@id": "_:N7854ae5ff436496bb62db332cf9ea30c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N54705b3d1afe4ac28c5808b2e3513163",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:Reference-OrganizationalManagementInSAPERPHCM",
      "@type": [
        "owl:NamedIndividual",
        "d3f:BookReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.sap-press.com/organizational-management-in-sap-erp-hcm_3996/"
      },
      "d3f:kb-author": "Soham Ray",
      "d3f:kb-organization": "SAP Press",
      "d3f:kb-reference-of": {
        "@id": "d3f:OrganizationMapping"
      },
      "d3f:kb-reference-title": "Organization Mapping in SAP ERP HCM",
      "rdfs:label": "Reference - Organizational Management in SAP ERP HCM"
    },
    {
      "@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.safetydetectives.com/blog/how-does-antivirus-quarantine-work/"
      },
      "d3f:kb-abstract": "Your antivirus has just finished a regular scan and it’s asking whether you want to quarantine the virus it’s found. You click ‘yes’ without putting much thought into what’s actually happening. But what does quarantining actually mean, what does it do and is it safe for your computer? It’s important to understand the details so that you know what’s happening when you send infected files into quarantine.",
      "d3f:kb-author": "Katarina Glamoslija",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileRemoval"
      },
      "d3f:kb-reference-title": "How Does Antivirus Quarantine Work?",
      "rdfs:label": "Reference - How Does Antivirus Quarantine Work? - Safety Detectives"
    },
    {
      "@id": "d3f:T1070.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.003",
      "d3f:modifies": {
        "@id": "d3f:CommandHistoryLog"
      },
      "rdfs:label": "Clear Command History",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N67360329bba44a41baa6309b4d80e7a4"
        }
      ]
    },
    {
      "@id": "_:N67360329bba44a41baa6309b4d80e7a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10873601B1"
      },
      "d3f:kb-abstract": "A decoy network-based service uses a decoy credential to lure an attacker to access the decoy network-based service, and monitors the attacker's activity with respect to the decoy network-based service to determine the attacker's motivation. In various examples, a decoy credential is published on an Internet-accessible site, and a system that provides a network-based service (e.g., a service provider network) subsequently receives an access request from a computing device that includes the decoy credential. Based on the decoy credential, the computing device may be provided access to a decoy network-based service, and application programming interface (API) calls made by the computing device may be routed through a decoy control plane. The data relating to the API calls may be stored and analyzed to determine a motivation of the attacker, which may be used in various downstream applications to improve security for customers of the network-based service.",
      "d3f:kb-author": "Thomas Stickle",
      "d3f:kb-mitre-analysis": "MITRE analysis was not found.",
      "d3f:kb-organization": "Amazon Technologies",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyUserCredential"
      },
      "d3f:kb-reference-title": "Decoy network-based service for deceiving attackers",
      "rdfs:label": "Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologies"
    },
    {
      "@id": "d3f:T1024",
      "@type": "owl:Class",
      "d3f:attack-id": "T1024",
      "rdfs:label": "Custom Cryptographic Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001117_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001117"
    },
    {
      "@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-05-001/"
      },
      "d3f:kb-abstract": "Microsoft Windows uses its implementation of Distributed Computing Environment/Remote Procedure Call (DCE/RPC), which it calls Microsoft RPC, to call certain APIs remotely.\n\nA Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service.\n\nRPC is a legitimate functionality of Windows that allows remote interaction with a variety of services. For a Windows environment to be properly configured, several programs use RPC to communicate legitimately with servers. The background and benign RPC activity may be enormous, but must be learned, especially peer-to-peer RPC between workstations, which is often indicative of Lateral Movement.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-05-001: RPC Activity",
      "rdfs:label": "Reference - CAR-2014-05-001: RPC Activity - MITRE"
    },
    {
      "@id": "d3f:DeadCodeElimination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-DCE",
      "d3f:definition": "Removing unreachable or \"dead code\" from compiled source code.",
      "d3f:kb-article": "## How it works\n\nDead code is code that is considered unreachable by normal program execution. Dead code can be created by adding code under a condition that never evaluates to true. Dead code should be removed because it can produce unexpected results if accidentally or maliciously forced to execute.\n\nDead code identification is typically performed by algorithms that implement program flow analysis to look for unreachable code. The dead code is eliminated by instructing compilers to remove it through compiler flags; for example, '-fdce' is used for Dead Code Elimination.\n\n## Considerations\n\nCode can also be deemed unreachable for certain run-time conditions. Different deployed systems and environments may contain some code that is unreachable for the given environment. This technique does not consider run-time conditions for unreachable code.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DeadCodeElimination"
      },
      "rdfs:label": "Dead Code Elimination",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationHardening"
      }
    },
    {
      "@id": "d3f:resume",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "The agent or technique x continues a previous action on entity y. Usually occurs after suspension on y.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/00350758-v",
      "rdfs:label": "resume",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:CWE-1041",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1041",
      "rdfs:label": "Use of Redundant Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:kb-author",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-author y: The reference x has some author y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "kb-author",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(13)"
    },
    {
      "@id": "d3f:RegOpenKeyTransactedA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:employs",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "employs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-641",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-641",
      "rdfs:label": "Improper Restriction of Names for Files and Other Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-99"
      }
    },
    {
      "@id": "d3f:CCI-002716_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to software.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002716"
    },
    {
      "@id": "d3f:ProtocolMetadataAnomalyDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-PMAD",
      "d3f:definition": "Collecting network communication protocol metadata and identifying statistical outliers.",
      "d3f:kb-article": "## How it works\nNetwork protocol metadata is first collected and processed in real time or after the fact. Metadata may include packet header information or information about a session (e.g., time between requests/responses). Metadata is then grouped based on shared characteristics and those groups are compared to each other. If particular metadata differs significantly from other data, an alert is generated, identifying the network event as anomalous. Anomalous activity may indicate unauthorized activity.\n\n## Considerations\nMetadata collection on enterprises can yield large data sets. Storage, indexing, querying, and aging should be considered prior to implementation.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc"
        }
      ],
      "rdfs:label": "Protocol Metadata Anomaly Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Nd88751a6a1df432b8d1b557e67234963"
        }
      ]
    },
    {
      "@id": "_:Nd88751a6a1df432b8d1b557e67234963",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1547.015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.015",
      "d3f:modifies": {
        "@id": "d3f:UserLogonInitResource"
      },
      "rdfs:label": "Login Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Ncfa7677da85444b3bfa4299564fbe4ca"
        }
      ]
    },
    {
      "@id": "_:Ncfa7677da85444b3bfa4299564fbe4ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserLogonInitResource"
      }
    },
    {
      "@id": "d3f:CCI-001089_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001089"
    },
    {
      "@id": "d3f:CWE-1062",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1062",
      "rdfs:label": "Parent Class with References to Child Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:CWE-622",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-622",
      "rdfs:label": "Improper Validation of Function Hook Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:NetworkFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:File"
      },
      "d3f:definition": "A computer file resource made available from one host to other hosts on a computer network.",
      "rdfs:label": "Network File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileShareResource"
        },
        {
          "@id": "_:N16b6337274964c70b024f6ac6b7413f0"
        }
      ]
    },
    {
      "@id": "_:N16b6337274964c70b024f6ac6b7413f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:SupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SL",
      "d3f:definition": "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis.",
      "d3f:kb-article": "## References\nSupervised learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Supervised_learning).",
      "rdfs:label": "Supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:NISTControl",
      "@type": "owl:Class",
      "rdfs:label": "NIST Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControl"
        },
        {
          "@id": "_:N42a1628766184c51b841ca83c8edf42b"
        }
      ]
    },
    {
      "@id": "_:N42a1628766184c51b841ca83c8edf42b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NISTSP800-53ControlCatalog"
      }
    },
    {
      "@id": "d3f:originates-from",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x originates-from y: The digital event or artifact x began its network transit from a physical location y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02749218-v"
      },
      "rdfs:label": "originates-from",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-567",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-567",
      "rdfs:label": "Unsynchronized Access to Shared Data in a Multithreaded Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:Higher-orderLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HOL",
      "d3f:definition": "Higher-order logic is a form of predicate logic that is distinguished from first-order logic by additional quantifiers and, sometimes, stronger semantics. Higher-order logics with their standard semantics are more expressive, but their model-theoretic properties are less well-behaved than those of first-order logic.",
      "d3f:kb-article": "## References\n1. Higher-order logic. (2023, May 13). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
      "d3f:synonym": "HOL",
      "rdfs:label": "Higher-order Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:PredicateLogic"
      }
    },
    {
      "@id": "d3f:T1499.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1499.002",
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Service Exhaustion Flood",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "_:N9efc40a6e5ac49c8ad49fb596c3da519"
        }
      ]
    },
    {
      "@id": "_:N9efc40a6e5ac49c8ad49fb596c3da519",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_29",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Filter Orchestration Engines",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(29)"
    },
    {
      "@id": "d3f:RegOpenKeyExA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-8_18",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security and Privacy Engineering Principles | Trusted Communications Channels",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:EncryptedTunnels"
      },
      "rdfs:label": "SA-8(18)"
    },
    {
      "@id": "d3f:T1598.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.001",
      "rdfs:label": "Spearphishing Service",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:T1562.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.003",
      "d3f:may-modify": [
        {
          "@id": "d3f:UserInitScript"
        },
        {
          "@id": "d3f:WindowsRegistryKey"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:ProcessEnvironmentVariable"
      },
      "rdfs:label": "Impair Command History Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Nfb7a89ab284a4184918d89bd17764509"
        },
        {
          "@id": "_:Na7cde620907842288b7dd01cf6dce8a0"
        },
        {
          "@id": "_:N10714f5292f34ada8aae5a3dfbb31e10"
        }
      ]
    },
    {
      "@id": "_:Nfb7a89ab284a4184918d89bd17764509",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "_:Na7cde620907842288b7dd01cf6dce8a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:N10714f5292f34ada8aae5a3dfbb31e10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessEnvironmentVariable"
      }
    },
    {
      "@id": "d3f:T1182",
      "@type": "owl:Class",
      "d3f:attack-id": "T1182",
      "rdfs:label": "AppCert DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1179",
      "@type": "owl:Class",
      "d3f:attack-id": "T1179",
      "rdfs:label": "Hooking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-564",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-564",
      "rdfs:label": "SQL Injection: Hibernate",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-89"
      }
    },
    {
      "@id": "d3f:CWE-408",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-408",
      "rdfs:label": "Incorrect Behavior Order: Early Amplification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-405"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:JobFunctionAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authorization"
      },
      "d3f:d3fend-id": "D3-JFAPA",
      "d3f:definition": "Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.",
      "d3f:kb-article": "## How it works\nPeer group analysis identifies functionally similar groups of actors (users or resources) based on categorizations such as job title, organizational hierarchy, or other attribute that indicates similarity of job function. Current user access activity is then compared to the appropriate peer group behavior profile to identify anomalies.\n\n## Considerations\nPotential for false positives from anomalies that are not associated with malicious activity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc"
      },
      "rdfs:label": "Job Function Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N85a8c7743bfa43c09ffb105d061bf214"
        }
      ]
    },
    {
      "@id": "_:N85a8c7743bfa43c09ffb105d061bf214",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:MultimediaDocumentFile",
      "@type": "owl:Class",
      "d3f:definition": "Digital video files which often contain audio.",
      "rdfs:label": "Multimedia Document File",
      "rdfs:seeAlso": "https://dbpedia.org/page/Multimedia",
      "rdfs:subClassOf": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "d3f:CWE-405",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-405",
      "rdfs:label": "Asymmetric Resource Consumption (Amplification)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:provides",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "provides",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:CCI-002748_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the use of the manual override capability to only organization-defined authorized individuals.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002748"
    },
    {
      "@id": "d3f:CWE-772",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-772",
      "rdfs:label": "Missing Release of Resource after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:CCI-000888_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000888"
    },
    {
      "@id": "d3f:CWE-180",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-180",
      "rdfs:label": "Incorrect Behavior Order: Validate Before Canonicalize",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-179"
      }
    },
    {
      "@id": "d3f:Graph-basedSemi-supervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBSSL",
      "d3f:definition": "Graph-based Semi-Supervised Learning (GSSL) methods aim to classify unlabeled data by learning the graph structure and labeled data jointly.",
      "d3f:kb-article": "## References\nYang, S., Pan, L., & Cheng, J. (2021). Graph-based Semi-Supervised Learning Methods for Imbalanced Data Classification. [Link](https://www.sciencedirect.com/science/article/pii/S0031320321002132?viewFullText=true).",
      "rdfs:label": "Graph-based Semi-supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedTransductiveLearning"
      }
    },
    {
      "@id": "d3f:GraphicsProcessingUnit",
      "@type": "owl:Class",
      "d3f:synonym": "GPU",
      "rdfs:label": "Graphics Processing Unit",
      "rdfs:subClassOf": {
        "@id": "d3f:Processor"
      }
    },
    {
      "@id": "d3f:CWE-143",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-143",
      "rdfs:label": "Improper Neutralization of Record Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20180407204216/https://isc.sans.edu/diary/Decoy+Personas+for+Safeguarding+Online+Identity+Using+Deception/16159"
      },
      "d3f:kb-abstract": "What if online scammers weren't sure whether the user account they are targeting is really yours, or whether the information they compiled about you is real? It's worth considering whether decoy online personas might help in the quest to safeguard our digital identities and data.\n\nI believe deception tactics, such as selective and careful use of honeypots, holds promise for defending enterprise IT resources. Some forms of deception could also protect individuals against online scammers and other attackers. This approach might not be quite practical today for most people, but in the future we might find it both necessary and achievable.\n\nHuman attackers and malicious software pursue user accounts and data on-line through harvesting, phishing, password-guessing, software vulnerabilities, and various other means. How might we use decoys to confuse, misdirect, slow down and detect adversaries engaged in such activities?\n\n...\n\nThe wealth of personal details available on social networking sites allows attackers to target individuals using social engineering, secret question-guessing and other techniques. For some examples of such approaches, see The Use of Fake or Fraudulent LinkedIn Profiles and Data Mining Resumes for Computer Attack Reconnaissance.\n\nSetting up one or more fake social network profiles (e.g., on Facebook) that use the person's real name can help the individual deflect the attack or can act as an early warning of an impending attack. A decoy profile could purposefully expose some inaccurate information, while the person's real profile would be more carefully concealed using the site's privacy settings. 
Decoy profiles would be associated with spamtrap email addresses.\n\nSimilarly, the person could expose decoy profiles on other sites, for instance those reveal shopping habits (e.g., Amazon), musings (e.g., Twitter), skills (e.g., GitHub), travel (e.g., TripIt), affections (e.g., Pinterest), music taste (e.g., Pandora) and so on. The person's decoy identities could also have fake resumes available on sites such as Indeed and Monster.com.",
      "d3f:kb-author": "Lenny Zeltser",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "SANS",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPersona"
      },
      "d3f:kb-reference-title": "Decoy Personas for Safeguarding Online Identity Using Deception",
      "rdfs:label": "Reference - Decoy Personas for Safeguarding Online Identity Using Deception - MITRE"
    },
    {
      "@id": "d3f:ContainerImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.\n\nContainer images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.docker.com/resources/what-container"
      },
      "rdfs:label": "Container Image",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:SoftwarePackage"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002771_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002771"
    },
    {
      "@id": "d3f:CWE-837",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-837",
      "rdfs:label": "Improper Enforcement of a Single, Unique Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-799"
      }
    },
    {
      "@id": "d3f:CWE-256",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-256",
      "rdfs:label": "Plaintext Storage of a Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:M1018",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "User Account Management"
    },
    {
      "@id": "d3f:may-create",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-create y: They entity x may create the entity y; that is, 'x creates y' may be true.",
      "rdfs:label": "may-create",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:MicrosoftHTMLApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:may-contain": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:isDefinedBy": "http://dbpedia.org/resource/HTML_Application",
      "rdfs:label": "Microsoft HTML Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HTMLFile"
        },
        {
          "@id": "_:Ncb721156669e4e26a0e41dc062658d31"
        }
      ]
    },
    {
      "@id": "_:Ncb721156669e4e26a0e41dc062658d31",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:T1525",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:ContainerImage"
      },
      "d3f:attack-id": "T1525",
      "rdfs:label": "Implant Container Image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N046327c80b9540b9a7cf6867811d0960"
        }
      ]
    },
    {
      "@id": "_:N046327c80b9540b9a7cf6867811d0960",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:Dyna-Q",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DQ",
      "d3f:definition": "A Dyna-Q agent combines acting, learning, and planning.",
      "d3f:kb-article": "## References\nCompNeuro Neuromatch Academy Tutorials. [Link](https://compneuro.neuromatch.io/tutorials/W3D4_ReinforcementLearning/student/W3D4_Tutorial4.html)",
      "rdfs:label": "Dyna-Q",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:RemoteSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A remote login session is a login session where a client has logged in from their local host machine to a server via a network.",
      "rdfs:label": "Remote Session",
      "rdfs:subClassOf": {
        "@id": "d3f:LoginSession"
      }
    },
    {
      "@id": "d3f:T1197",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1197",
      "d3f:may-produce": [
        {
          "@id": "d3f:IntranetIPCNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetWebNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetWebTraffic"
        }
      ],
      "rdfs:label": "BITS Jobs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N1a9182a8c5dd48138bac4a35356bcc95"
        },
        {
          "@id": "_:Nab00c76d5b394c22a81e01efffc90e68"
        },
        {
          "@id": "_:N9d4f1983633745ceb5ac8775d1d94018"
        }
      ]
    },
    {
      "@id": "_:N1a9182a8c5dd48138bac4a35356bcc95",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      }
    },
    {
      "@id": "_:Nab00c76d5b394c22a81e01efffc90e68",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetWebNetworkTraffic"
      }
    },
    {
      "@id": "_:N9d4f1983633745ceb5ac8775d1d94018",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-447",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-447",
      "rdfs:label": "Unimplemented or Unsupported Feature in UI",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-446"
        },
        {
          "@id": "d3f:CWE-671"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Discoverable Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "RA-5(4)"
    },
    {
      "@id": "d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/"
      },
      "d3f:kb-abstract": "Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable. This course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 16 Cyber42 and lab exercises",
      "d3f:kb-author": "Jonathan Risto and David Hazar",
      "d3f:kb-organization": "SANS",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "MGT516: Managing Security Vulnerabilities: Enterprise and Cloud",
      "rdfs:label": "Reference - MGT516: Managing Security Vulnerabilities: Enterprise and Cloud"
    },
    {
      "@id": "d3f:T1078.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.001",
      "d3f:uses": {
        "@id": "d3f:DefaultUserAccount"
      },
      "rdfs:label": "Default Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:Ndd8494b963074efc9f900540ccd0ffd0"
        }
      ]
    },
    {
      "@id": "_:Ndd8494b963074efc9f900540ccd0ffd0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefaultUserAccount"
      }
    },
    {
      "@id": "d3f:KioskComputer",
      "@type": "owl:Class",
      "d3f:definition": "An interactive kiosk is a computer terminal featuring specialized hardware and software that provides access to information and applications for communication, commerce, entertainment, or education. Early interactive kiosks sometimes resembled telephone booths, but have been embraced by retail, food service and hospitality to improve customer service and streamline operations. Interactive kiosks are typically placed in high foot traffic settings such as shops, hotel lobbies or airports.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Interactive_kiosk"
      },
      "rdfs:label": "Kiosk Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      },
      "skos:altLabel": "Interactive Kiosk"
    },
    {
      "@id": "d3f:CWE-1220",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1220",
      "rdfs:label": "Insufficient Granularity of Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-289",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-289",
      "rdfs:label": "Authentication Bypass by Alternate Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:NetworkNode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In telecommunications networks, a node (Latin nodus, 'knot') is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communications channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node.",
      "d3f:runs": {
        "@id": "d3f:OperatingSystem"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Node_(networking)"
      },
      "rdfs:label": "Network Node",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N7289389b4c04449494640a30d6599689"
        }
      ]
    },
    {
      "@id": "_:N7289389b4c04449494640a30d6599689",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "d3f:GuidelineReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Guideline",
      "rdfs:label": "Guideline Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:PolicyReference"
      }
    },
    {
      "@id": "d3f:CCI-001937_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001937"
    },
    {
      "@id": "d3f:CWE-1204",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1204",
      "rdfs:label": "Generation of Weak Initialization Vector (IV)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:CWE-428",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-428",
      "rdfs:label": "Unquoted Search Path or Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-211",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-211",
      "rdfs:label": "Externally-Generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:EnsembleLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EL",
      "d3f:definition": "In statistics and machine learning, ensemble methods use multiple learning algorithms to obtain better predictive performance than could be obtained from any of the constituent learning algorithms alone",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Ensemble Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:Reference-CertificateAndPublicKeyPinning",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"
      },
      "d3f:kb-abstract": "Certificate and Public Key Pinning technical guide to implementing certificate and public key pinning.",
      "d3f:kb-author": "OWASP",
      "d3f:kb-organization": "OWASP",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "Certificate and Public Key Pinning",
      "rdfs:label": "Reference - Certificate and Public Key Pinning"
    },
    {
      "@id": "d3f:OpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "For most file systems, a program initializes access to a file in a file system using the open system call. This allocates resources associated to the file (the file descriptor), and returns a handle that the process will use to refer to that file. In some cases the open is performed by the first access. During the open, the filesystem may allocate memory for buffers, or it may wait until the first operation. Various other errors which may occur during the open include directory update failures, un-permitted multiple connections, media failures, communication link failures and device failures.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Open_(system_call)"
      },
      "rdfs:label": "Open File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N47c4ef849b5740948b8be08a68a95792"
        }
      ]
    },
    {
      "@id": "_:N47c4ef849b5740948b8be08a68a95792",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-002618_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002618"
    },
    {
      "@id": "d3f:Reference-Windows-Management-Infrastructure",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmi_v2/windows-management-infrastructure"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Windows Management Infrastructure",
      "rdfs:label": "Reference - Windows Management Infrastructure (MI)"
    },
    {
      "@id": "d3f:CWE-756",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-756",
      "rdfs:label": "Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:CCI-001352_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001352"
    },
    {
      "@id": "d3f:CWE-549",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-549",
      "rdfs:label": "Missing Password Field Masking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:JobSchedulerSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:definition": "A job scheduler software is operating system software that when run executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking). Processes running such software are task scheduler processes. In Windows, Scheduled Tasks are created and managed by the Task Scheduler. In Unix-like OSes, the `cron` utitility serves a similar role.",
      "d3f:modifies": [
        {
          "@id": "d3f:JobSchedule"
        },
        {
          "@id": "d3f:ScheduledJob"
        }
      ],
      "d3f:synonym": "Task Scheduler Software",
      "rdfs:label": "Job Scheduler Software",
      "rdfs:seeAlso": [
        "Scheduled Task",
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemServiceSoftware"
        },
        {
          "@id": "_:Ne9be94b72d454dcd98e0f83ee429f2df"
        },
        {
          "@id": "_:Ne7c04e2a94ee4132ab7451f4e71cc943"
        },
        {
          "@id": "_:N7e79496e009d41ccbf9bb4a629909ac9"
        }
      ]
    },
    {
      "@id": "_:Ne9be94b72d454dcd98e0f83ee429f2df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:Ne7c04e2a94ee4132ab7451f4e71cc943",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "_:N7e79496e009d41ccbf9bb4a629909ac9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "d3f:SymbolicAI",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SR",
      "d3f:definition": "Symbolic artificial intelligence is the term for the collection of all methods in artificial intelligence that are based on high-level symbolic (human-readable) representations of problems, logic, and search.",
      "d3f:kb-article": "## How it works\nSymbolic artificial intelligence is used in tools such as logic programming, production rules, semantic nets and frames, and it developed applications such as knowledge-based systems (in particular, expert systems), symbolic mathematics, automated theorem provers, ontologies, the semantic web, and automated planning and scheduling systems. The Symbolic AI paradigm led to seminal ideas in search, symbolic programming languages, agents, multi-agent systems, the semantic web, and the strengths and limitations of formal knowledge and reasoning systems.\n\n## References\n1. Symbolic artifical intelligence. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Symbolic_artificial_intelligence)",
      "d3f:synonym": "Symbolic Artificial Intelligence",
      "rdfs:label": "Symbolic AI",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicLogic"
      }
    },
    {
      "@id": "d3f:CWE-788",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-788",
      "rdfs:label": "Access of Memory Location After End of Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:CWE-166",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-166",
      "rdfs:label": "Improper Handling of Missing Special Element",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:Semi-supervisedTransductiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSTL",
      "d3f:definition": "The goal of transductive learning is to infer the correct labels for the given unlabeled data\nx_{l+1},... ,x_{l+u} only",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning).\n\nZhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).",
      "rdfs:label": "Semi-supervised Transductive Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:CreateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": [
        "Executes a process.",
        "Creates a process.",
        "A process spawn refers to a function that loads and executes a new child process.The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards.  Fork-exec is another technique combining two Unix system calls, which can effect a process spawn."
      ],
      "d3f:executes": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Create Process",
      "rdfs:seeAlso": [
        "https://dbpedia.org/page/Fork%E2%80%93exec",
        {
          "@id": "dbr:Spawn_(computing)"
        },
        "https://learn.microsoft.com/en-us/windows/win32/procthread/creating-processes",
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes"
        },
        "https://dbpedia.org/page/Spawn_(computing)",
        {
          "@id": "dbr:Fork%E2%80%93exec"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nb073c5baf1754c40a741344cd6484540"
        }
      ],
      "skos:altLabel": [
        "Execute Process",
        "Process Spawn",
        "Spawn Process"
      ]
    },
    {
      "@id": "_:Nb073c5baf1754c40a741344cd6484540",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:interprets",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x interprets y: The subject x interprets the executable script y. The sense of interprets is here 'Parse the source code and perform its behavior directly.'",
      "rdfs:label": "interprets",
      "rdfs:seeAlso": {
        "@id": "dbr:Interpreter_(computing)"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:executes"
        },
        {
          "@id": "d3f:may-interpret"
        }
      ]
    },
    {
      "@id": "d3f:CWE-308",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-308",
      "rdfs:label": "Use of Single-factor Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-654"
        }
      ]
    },
    {
      "@id": "d3f:SoftwareDeploymentTool",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Software that coordinates the deployment process of software to systems, typically remotely.",
      "rdfs:label": "Software Deployment Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:UserStartupDirectory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:UserStartupScriptFile"
      },
      "d3f:definition": "A user startup directory holds information necessary to start the users session with the system.",
      "rdfs:label": "User Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserLogonInitResource"
        },
        {
          "@id": "_:N813e73c6a378498eadc2bfc6152f6b19"
        }
      ]
    },
    {
      "@id": "_:N813e73c6a378498eadc2bfc6152f6b19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:CWE-914",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-914",
      "rdfs:label": "Improper Control of Dynamically-Identified Variables",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "d3f:CWE-99"
        }
      ]
    },
    {
      "@id": "d3f:T1557",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Man-in-the-Middle",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nf1b4743c75b34b90a2efbabb2f7e2905"
        }
      ]
    },
    {
      "@id": "_:Nf1b4743c75b34b90a2efbabb2f7e2905",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:Isolate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The isolate tactic creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses.",
      "d3f:display-order": 2,
      "d3f:display-priority": 0,
      "rdfs:label": "Isolate",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CCI-000766_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000766"
    },
    {
      "@id": "d3f:T1011.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1011.001",
      "rdfs:label": "Exfiltration Over Bluetooth",
      "rdfs:subClassOf": {
        "@id": "d3f:T1011"
      }
    },
    {
      "@id": "d3f:T1584",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584",
      "rdfs:label": "Compromise Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:T1647",
      "@type": "owl:Class",
      "d3f:attack-id": "T1647",
      "rdfs:label": "Plist File Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002426_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002426"
    },
    {
      "@id": "d3f:T1602",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602",
      "rdfs:label": "Data from Configuration Repository",
      "rdfs:subClassOf": {
        "@id": "d3f:CollectionTechnique"
      }
    },
    {
      "@id": "d3f:Connection-basedClustering",
      "@type": "owl:NamedIndividual",
      "d3f:d3fend-id": "D3A-CBC"
    },
    {
      "@id": "d3f:Summarizing",
      "@type": "owl:Class",
      "rdfs:label": "Summarizing",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:Reference-MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9558677B2/"
      },
      "d3f:kb-abstract": "A training system senses a user action that may expose the user to a threat, such as a cybersecurity threat. The user action may be in response to a mock attack delivered via a messaging service, a wireless communication service, a fake malware application or another device, service, system or mechanism. The system selects a training action from a collection of available training actions and causes the training action to be delivered to the user.",
      "d3f:kb-author": "Norman Sadeh-Koniecpol, Kurt Wescoe, Jason Brubaker, Jason Hong",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "WOMBAT SECURITY TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPublicRelease"
      },
      "d3f:kb-reference-title": "Mock attack cybersecurity training system and methods",
      "rdfs:label": "Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:CWE-66",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-66",
      "rdfs:label": "Improper Handling of File Names that Identify Virtual Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:CWE-1295",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1295",
      "rdfs:label": "Debug Messages Revealing Unnecessary Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-02-002%3AGetSystemElevation_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-02-002/"
      },
      "d3f:kb-abstract": "Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to “Get System”, which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-02-002: Get System Elevation",
      "rdfs:label": "Reference - CAR-2021-02-002: Get System Elevation - MITRE"
    },
    {
      "@id": "d3f:T1203",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1203",
      "d3f:modifies": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Client Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N865dc09b12b3472a82f18667af451755"
        },
        {
          "@id": "_:N834898700f6044e0a259e88fef2e8169"
        }
      ]
    },
    {
      "@id": "_:N865dc09b12b3472a82f18667af451755",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N834898700f6044e0a259e88fef2e8169",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:ApplicationConfigurationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-ACH",
      "d3f:definition": "Modifying an application's configuration to reduce its attack surface.",
      "d3f:hardens": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "d3f:kb-article": "## How it works\nApplication configuration settings can be configured to limit the permissions on an application or disable certain vulnerable application features.\n\nHardening an application's configuration involves analyzing not only the application but also the environment in which the application is run in for potential vulnerabilities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide"
        },
        {
          "@id": "d3f:Reference-Windows10STIG"
        }
      ],
      "rdfs:label": "Application Configuration Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N993774554fa74bb9a9513278ed36c320"
        }
      ]
    },
    {
      "@id": "_:N993774554fa74bb9a9513278ed36c320",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-287",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-287",
      "d3f:weakness-of": {
        "@id": "d3f:AuthenticationFunction"
      },
      "rdfs:label": "Improper Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "_:N7bc9f3d9634d40538e3ac483c734a7e0"
        }
      ]
    },
    {
      "@id": "_:N7bc9f3d9634d40538e3ac483c734a7e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationFunction"
      }
    },
    {
      "@id": "d3f:T1555.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1555.004",
      "rdfs:label": "Windows Credential Manager",
      "rdfs:subClassOf": {
        "@id": "d3f:T1555"
      }
    },
    {
      "@id": "d3f:CWE-1277",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1277",
      "rdfs:label": "Firmware Not Updateable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1329"
      }
    },
    {
      "@id": "d3f:CWE-1050",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1050",
      "rdfs:label": "Excessive Platform Resource Consumption within a Loop",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:Metadata",
      "@type": "owl:Class",
      "d3f:definition": "Metadata is \"data [information] that provides information about other data\". Three distinct types of metadata exist: structural metadata, descriptive metadata, and administrative metadata. Structural metadata is data about the containers of data. For instance a \"book\" contains data, and data about the book is metadata about that container of data. Descriptive metadata uses individual instances of application data or the data content.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Metadata"
      },
      "rdfs:label": "Metadata",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/metadata",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:T1027",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027",
      "rdfs:label": "Obfuscated Files or Information",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1105",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1105",
      "rdfs:label": "Insufficient Encapsulation of Machine-Dependent Functionality",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1061"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CommandLaunchedFromWinLogon_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-008/"
      },
      "d3f:kb-abstract": "An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-008: Command Launched from WinLogon",
      "rdfs:label": "Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE"
    },
    {
      "@id": "d3f:T1113",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1113",
      "d3f:may-access": {
        "@id": "d3f:DisplayServer"
      },
      "d3f:may-invoke": {
        "@id": "d3f:GetScreenCapture"
      },
      "rdfs:label": "Screen Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N8ae6b4e584f248cb976597854af5c599"
        },
        {
          "@id": "_:Nd31a4f58aea54b5db5bd75672d4aa94b"
        }
      ]
    },
    {
      "@id": "_:N8ae6b4e584f248cb976597854af5c599",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DisplayServer"
      }
    },
    {
      "@id": "_:Nd31a4f58aea54b5db5bd75672d4aa94b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetScreenCapture"
      }
    },
    {
      "@id": "d3f:Specification",
      "@type": "owl:Class",
      "rdfs:label": "Specification",
      "rdfs:subClassOf": {
        "@id": "d3f:Document"
      }
    },
    {
      "@id": "d3f:Reference-ConfigureUserAccessControlAndPermissions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control"
      },
      "d3f:kb-abstract": "When deployed on Windows Server, Windows Admin Center provides a centralized point of management for your server environment. By controlling access to Windows Admin Center, you can improve the security of your management landscape.",
      "d3f:kb-author": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:kb-reference-title": "Configure User Access Control and Permissions",
      "rdfs:label": "Reference - Configure User Access Control and Permissions"
    },
    {
      "@id": "d3f:evicts",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "evicts",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        },
        {
          "@id": "d3f:may-evict"
        }
      ]
    },
    {
      "@id": "d3f:T1070.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.002",
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemLogFile"
      },
      "rdfs:label": "Clear Linux or Mac System Logs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N1757715e20b24050abca830a183d1e51"
        }
      ]
    },
    {
      "@id": "_:N1757715e20b24050abca830a183d1e51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemLogFile"
      }
    },
    {
      "@id": "d3f:T1027.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.003",
      "rdfs:label": "Steganography",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20070028302A1/en?oq=US-2007028302-A1"
      },
      "d3f:kb-abstract": "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. A server associated with a number of hosts can provide a query for host computers to access security-related meta-information in local host stores. The query is pulled from the server by the hosts. The results of the distributed host query are stored and merged on the server, and exported for display, reports, or security response.",
      "d3f:kb-author": "Todd Brennan; John Hanratty",
      "d3f:kb-mitre-analysis": "Provides a mechanism to detect, monitor, locate, and control files installed on host computers. Each host has a host agent that analyzes file system activity and takes action based on policies configured on a server. The policies identify whether to block, log, allow, or quarantine actions such as file accesses and execution of executables. Examples of policies include:\n\n* Block/log execution of new executables and detached scripts (e.g., .exe or .bat)\n* Block/log reading/execution of new embedded content (e.g., macros in .doc)\n* Block/log installation/modification of Web content (alteration of content in .html or .cgi files)\n* Block/log execution of new files in an administratively defined 'class'; e.g., an administrator might want to block screen savers .scr, but not the entire class of executables .exe, .dll, .sys, etc . . .",
      "d3f:kb-organization": "Bit 9 Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "Distributed meta-information query in a network",
      "rdfs:label": "Reference - Distributed meta-information query in a network - Bit 9 Inc"
    },
    {
      "@id": "d3f:CCI-000186_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000186"
    },
    {
      "@id": "d3f:T1183",
      "@type": "owl:Class",
      "d3f:attack-id": "T1183",
      "rdfs:label": "Image File Execution Options Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RL",
      "d3f:definition": "Reinforcement Learning is a subjugate technique of machine learning that uses feedback to reinforce good or valid rules and lessen the reliance of bad or ineffective rules",
      "d3f:kb-article": "## References\nReinforcement learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Reinforcement_learning).",
      "rdfs:label": "Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-439",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-439",
      "rdfs:label": "Behavioral Change in New Version or Environment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-435"
      }
    },
    {
      "@id": "d3f:CWE-30",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-30",
      "rdfs:label": "Path Traversal: '\\dir\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:Technique",
      "@type": "owl:Class",
      "rdfs:label": "Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:Nab6cd0bee92747ddab8c3294bff08996"
        }
      ]
    },
    {
      "@id": "_:Nab6cd0bee92747ddab8c3294bff08996",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Procedure"
      }
    },
    {
      "@id": "d3f:CWE-258",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-258",
      "rdfs:label": "Empty Password in Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-260"
        },
        {
          "@id": "d3f:CWE-521"
        }
      ]
    },
    {
      "@id": "d3f:T1499.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.001",
      "rdfs:label": "OS Exhaustion Flood",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:CWE-495",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-495",
      "rdfs:label": "Private Data Structure Returned From A Public Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-001762_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001762"
    },
    {
      "@id": "d3f:RemoteDatabaseQuery",
      "@type": "owl:Class",
      "d3f:definition": "A remote query session enabling a user to make an SQL, SPARQL, or similar query over the network from one host to another.",
      "rdfs:label": "Remote Database Query",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DatabaseQuery"
        },
        {
          "@id": "d3f:RemoteCommand"
        }
      ]
    },
    {
      "@id": "d3f:T1552.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:PrivateKey"
      },
      "d3f:attack-id": "T1552.004",
      "rdfs:label": "Private Keys",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N0bc0c2d25ecc4589a0b383ff5449861a"
        }
      ]
    },
    {
      "@id": "_:N0bc0c2d25ecc4589a0b383ff5449861a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivateKey"
      }
    },
    {
      "@id": "d3f:CWE-5",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-5",
      "rdfs:label": "J2EE Misconfiguration: Data Transmission Without Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-319"
      }
    },
    {
      "@id": "d3f:SlowSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "A slow symbolic link is any symbolic link on a Unix filesystem that is not a fast symbolic link; slow symlink is thus retroactively termed from fast symlink.  Slow symbolic links stored the symbolic link information as data in regular files.",
      "rdfs:label": "Slow Symbolic Link",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ],
      "skos:altLabel": "Slow Symlink"
    },
    {
      "@id": "d3f:CWE-478",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-478",
      "rdfs:label": "Missing Default Case in Multiple Condition Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:DirectoryService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Directory_service"
      },
      "rdfs:label": "Directory Service",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      }
    },
    {
      "@id": "d3f:T1208",
      "@type": "owl:Class",
      "d3f:attack-id": "T1208",
      "rdfs:label": "Kerberoasting",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:PerHostDownload-UploadRatioAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-PHDURA",
      "d3f:definition": "Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.",
      "d3f:kb-article": "## How it works\nAggregate pull vs. push ratios from metadata are used to develop a baseline for a given host over a specific time period, e.g., over a three-hour period, one day, one week, etc. Anomalies identified over a threshold produce an alert.\n\n## Considerations\nCollection and analysis of large network packet captures requires large storage and intensive computing power. The time windows used to calculate the ratio may vary in implementations, this consideration should take into account a threat model and likely effects (impacts) delivered by an adversary.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc"
      },
      "rdfs:label": "Per Host Download-Upload Ratio Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N37d779bc2f384019bab703b65b5103c7"
        }
      ]
    },
    {
      "@id": "_:N37d779bc2f384019bab703b65b5103c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:LongShort-termMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LSTM",
      "d3f:definition": "Unlike standard feedforward neural networks, LSTM has feedback connections. Such a recurrent neural network (RNN) can process not only single data points (such as images), but also entire sequences of data (such as speech or video). This characteristic makes LSTM networks ideal for processing and predicting data",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 29). Long short-term memory. [Link](https://en.wikipedia.org/wiki/Long_short-term_memory)",
      "rdfs:label": "Long Short-term Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:RecurrentNeuralNetwork"
      }
    },
    {
      "@id": "d3f:WebApplicationFirewall",
      "@type": "owl:Class",
      "d3f:definition": "A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_application_firewall"
      },
      "rdfs:label": "Web Application Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationLayerFirewall"
      },
      "skos:altLabel": "WAF"
    },
    {
      "@id": "d3f:T1021.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.002",
      "rdfs:label": "SMB/Windows Admin Shares",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:CWE-431",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-431",
      "rdfs:label": "Missing Handler",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1025",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "d3f:attack-id": "T1025",
      "rdfs:label": "Data from Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N32c73c8432164d38bd763f8cd52f75b5"
        }
      ]
    },
    {
      "@id": "_:N32c73c8432164d38bd763f8cd52f75b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:CWE-1269",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1269",
      "rdfs:label": "Product Released in Non-Release Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-1270",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1270",
      "rdfs:label": "Generation of Incorrect Security Tokens",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:IPAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.An IP address serves two main functions: host or network interface identification and location addressing. Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s.",
      "d3f:identifies": {
        "@id": "d3f:NetworkNode"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:IP_address"
      },
      "rdfs:label": "IP Address",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:N265203c0d43f495889005a7528181e46"
        }
      ]
    },
    {
      "@id": "_:N265203c0d43f495889005a7528181e46",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:d3fend-kb-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-kb-data-property y: The d3fend knowledge base object x has a data property y; e.g., a string capturing a particular aspect or section of a knowledge base article.",
      "rdfs:label": "d3fend-kb-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190034641A1"
      },
      "d3f:kb-abstract": "The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.",
      "d3f:kb-author": "Sylvain Gil; Domingo Mihovilovic; Nir Polak; Magnus Stensmo; Sing Yip",
      "d3f:kb-mitre-analysis": "This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:\n\n* client devices from which the user logs in\n* servers accessed\n* data accessed\n* applications accessed\n* session duration\n* logon time of day\n* logon day of week\n* geo - location of logon origination\n\nThe system has an initial training period with x number of days (e. g., 90 days) in which session data is recorded in behavior models before behavior analysis begins.The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.",
      "d3f:kb-organization": "Exabeam Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        }
      ],
      "d3f:kb-reference-title": "System, method, and computer program product for detecting and assessing security risks in a network",
      "rdfs:label": "Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc"
    },
    {
      "@id": "d3f:LinuxRenameat",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file. Different parameter handling than Linux Rename.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/renameat.2.html",
      "rdfs:label": "Linux Renameat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:CWE-28",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-28",
      "rdfs:label": "Path Traversal: '..\\filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:ATTACKThing",
      "@type": "owl:Class",
      "d3f:definition": "ATTACK things are concepts defined in the ATT&CK Framework.",
      "rdfs:label": "ATTACK Thing"
    },
    {
      "@id": "d3f:CWE-340",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-340",
      "rdfs:label": "Generation of Predictable Numbers or Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:Reference-SuspiciousRunLocations_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-002/"
      },
      "d3f:kb-abstract": "In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-002: Suspicious Run Locations",
      "rdfs:label": "Reference - CAR-2013-05-002: Suspicious Run Locations - MITRE"
    },
    {
      "@id": "d3f:CCI-001574_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system rejects or delays, as defined by the organization, network traffic which exceed the organization-defined thresholds.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001574"
    },
    {
      "@id": "d3f:T1059.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.005",
      "rdfs:label": "VBScript Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:evaluates",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "evaluates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-evaluate"
        }
      ]
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180373870A1/en?oq=US-2018373870-A1"
      },
      "d3f:kb-abstract": "A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of file. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset files is a suspicious file.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "This patent describes detecting suspicious files using file metadata such as the prevalence of the file deployed on the network, file installation times, and how the file was spread within the network. The combination of these factors are used to determine a risk score of the file and if below a threshold, sends an alert.",
      "d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network",
      "rdfs:label": "Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:CWE-1281",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1281",
      "rdfs:label": "Sequence of Processor Instructions Leads to Unexpected Behavior",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-1094",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1094",
      "rdfs:label": "Excessive Index Range Scan for a Data Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CWE-138",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-138",
      "rdfs:label": "Improper Neutralization of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:StandardDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SD",
      "d3f:definition": "The standard deviation is a measure of the amount of variation or dispersion of a set of values.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Standard deviation. [Link](https://en.wikipedia.org/wiki/Standard_deviation)",
      "d3f:synonym": "SD",
      "rdfs:label": "Standard Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:T1074",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074",
      "d3f:reads": {
        "@id": "d3f:Resource"
      },
      "rdfs:label": "Data Staged",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N2ed77de045424b9b80ddd25357fa539a"
        }
      ]
    },
    {
      "@id": "_:N2ed77de045424b9b80ddd25357fa539a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:LinuxMmap2",
      "@type": "owl:Class",
      "d3f:definition": "Map files or devices into memory.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/mmap2.2.html",
      "rdfs:label": "Linux Mmap2",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-004/"
      },
      "d3f:kb-abstract": "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-004: Credentials in Files & Registry",
      "rdfs:label": "Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE"
    },
    {
      "@id": "_:Nc9f3867983e249878bbb7c3990e4c32f",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Classifying"
          },
          {
            "@id": "d3f:Forecasting"
          },
          {
            "@id": "d3f:Generation"
          },
          {
            "@id": "d3f:Matching"
          },
          {
            "@id": "d3f:Summarizing"
          }
        ]
      }
    },
    {
      "@id": "d3f:CCI-002357_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is tamperproof.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002357"
    },
    {
      "@id": "d3f:ExternalContentInclusionFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "External content, strings or data, are inserted into a local document (e.g. xml document) as if it were a native part of that document.",
      "rdfs:label": "External Content Inclusion Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:M1050",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "d3f:ExceptionHandlerPointerValidation"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:ShadowStackComparisons"
        }
      ],
      "rdfs:label": "Exploit Protection"
    },
    {
      "@id": "d3f:T1075",
      "@type": "owl:Class",
      "d3f:attack-id": "T1075",
      "rdfs:label": "Pass the Hash",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:T1158",
      "@type": "owl:Class",
      "d3f:attack-id": "T1158",
      "rdfs:label": "Hidden Files and Directories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:LinuxReadv",
      "@type": "owl:Class",
      "d3f:definition": "Read data into multiple buffers.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/readv.2.html",
      "rdfs:label": "Linux Readv",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:CWE-124",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-124",
      "rdfs:label": "Buffer Underwrite ('Buffer Underflow')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-786"
        },
        {
          "@id": "d3f:CWE-787"
        }
      ]
    },
    {
      "@id": "d3f:release-date",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x release-date y: The object x has the release-date y.",
      "rdfs:label": "release-date",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-annotation"
        },
        {
          "@id": "owl:versionInfo"
        }
      ]
    },
    {
      "@id": "d3f:T1589",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589",
      "rdfs:label": "Gather Victim Identity Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:SystemUtilizationRecord",
      "@type": "owl:Class",
      "d3f:definition": "A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period.",
      "rdfs:label": "System Utilization Record",
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:Semi-supervisedManifoldLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSML",
      "d3f:definition": "A version of Semi-Supervised Learning that applies the Manifold assumption that the data like approximately on a manifold of much lower dimension than the input space.",
      "d3f:kb-article": "## References\nWeak supervision. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).",
      "rdfs:label": "Semi-supervised Manifold Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:FileContentRules",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileContentAnalysis"
      ],
      "d3f:d3fend-id": "D3-FCR",
      "d3f:definition": "Employing a pattern matching rule language to analyze the content of files.",
      "d3f:kb-article": "## How it works\nRules, often called signatures, are used for both generic and targeted malware detection. The rules are usually expressed in a domain specific language (DSL), then deployed to software that scans files for matches. The rules are developed and broadly distributed by commercial vendors, or they are developed and deployed by enterprise security teams to address highly targeted or custom malware. Conceptually, there are public and private rule sets. Both leverage the same technology, but they are intended to detect different types of cyber adversaries.\n\n## Considerations\n* Patterns expressed in the DSLs range in their complexity. Some scanning engines support file parsing and normalization for high fidelity matching, others support only simple regular expression matching against raw file data. Engineers must make a trade-off in terms of:\n     * The fidelity of the matching capabilities in order to balance high recall with avoiding false positives,\n     * The computational load for scanning, and\n     * The resilience of the engine to deal with adversarial content presented in different forms-- content which in some cases is designed to exploit or defeat the scanning engines.\n * Signature libraries can become large over time and impact scanning performance.\n * Some vendors who sell signatures have to delete old signatures over time.\n * Simple signatures against raw content cannot match against encoded, encrypted, or sufficiently obfuscated content.\n\n## Implementations\n * YARA\n * ClamAV",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd"
        }
      ],
      "d3f:synonym": [
        "File Signatures",
        "File Content Signatures"
      ],
      "rdfs:label": "File Content Rules",
      "rdfs:subClassOf": {
        "@id": "d3f:FileContentAnalysis"
      }
    },
    {
      "@id": "d3f:SupportVectorMachineClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SVMC",
      "d3f:definition": "Support Vector Machine (SVM) is a robust classification and regression technique that maximizes the predictive accuracy of a model without overfitting the training data. SVM is particularly suited to analyzing data with very large numbers (for example, thousands) of predictor fields.",
      "d3f:kb-article": "## References\nAbout Support Vector Machine (SVM). IBM SPSS Modeler SaaS Documentation. [Link](https://www.ibm.com/docs/en/spss-modeler/saas?topic=models-about-svm&mhsrc=ibmsearch_a&mhq=support%20vector%20machine).",
      "rdfs:label": "Support Vector Machine Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:T1553.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.003",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "SIP and Trust Provider Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:N2be4b90eb7894ec197d6d756073e6d3a"
        }
      ]
    },
    {
      "@id": "_:N2be4b90eb7894ec197d6d756073e6d3a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/GB2318031A"
      },
      "d3f:kb-abstract": "A proxy which is part of a firewall controls exchanges of information between two application entities. The proxy interrogates attempts to establish a communication session by requesting entities with a server entity in lower layers in accordance with defined authentication procedures. The proxy interfaces with networking software to direct a communication stack to monitor connection requests to any address on specific ports. The requestor's address, and the server's address are checked against an access control list. If either address is invalid, the proxy closes the connection. If both are valid, a new connection is set up such that both the requestor and server are transparently connected to the proxy with variable higher levels being connected in a relay mode. Protocol data units are interrogated for conformance to a protocol session, and optionally further decoded to add additional application specific filtering. In one embodiment, an OSI architecture comprises the levels.",
      "d3f:kb-author": "Michael W Green, Ricky Ronald Kruse",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Secure Computing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Network firewall with proxy",
      "rdfs:label": "Reference - Network firewall with proxy - Secure Computing LLC"
    },
    {
      "@id": "d3f:t-SNEClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TSC",
      "d3f:definition": "T-distributed Stochastic Neighbor Embedding (t-SNE) is a statistical method for visualizing high-dimensional data by giving each datapoint a location in a two or three-dimensional map.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). T-distributed stochastic neighbor embedding. [Link](https://en.wikipedia.org/wiki/T-distributed_stochastic_neighbor_embedding)",
      "rdfs:label": "t-SNE Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Projection-basedClustering"
      }
    },
    {
      "@id": "d3f:Person",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Person",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Agent"
        },
        {
          "@id": "_:N13d272184d9f46ecb3ecebb9b7ea5f23"
        }
      ]
    },
    {
      "@id": "_:N13d272184d9f46ecb3ecebb9b7ea5f23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:name"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:may-run",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-run y: The entity x may run the thing y; that is, 'x runs y' may be true.",
      "rdfs:label": "may-run",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CCI-000213_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000213"
    },
    {
      "@id": "d3f:CCI-001774_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001774"
    },
    {
      "@id": "d3f:ConnectSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:connects": {
        "@id": "d3f:Pipe"
      },
      "d3f:definition": "The connect socket system call connects the socket to a target address.",
      "rdfs:label": "Connect Socket",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/connect.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N5abb47543d194efcb55fa7c1e0518ffa"
        }
      ]
    },
    {
      "@id": "_:N5abb47543d194efcb55fa7c1e0518ffa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:connects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:CCI-001954_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification (PIV) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001954"
    },
    {
      "@id": "d3f:T1542.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.001",
      "d3f:modifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "System Firmware",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Nd19874d55a0741fdab2e05d61c5881d8"
        }
      ]
    },
    {
      "@id": "_:Nd19874d55a0741fdab2e05d61c5881d8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:CloudInstanceMetadata",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud instance metadata is configuration information on the instance and users of the instance. This includes such information as security groups, public IP addresses, private addresses, configured public keys, and even rotating security keys. User data can contain initialization scripts, variables, passwords, and more.",
      "rdfs:label": "Cloud Instance Metadata",
      "rdfs:seeAlso": {
        "@id": "https://isc.sans.edu/forums/diary/Cloud+Metadata+Urls/22046"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:T1190",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1190",
      "d3f:injects": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Exploit Public-Facing Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:Nacac947efa8b43f999c14bad4494003f"
        },
        {
          "@id": "_:N310515eae3f44990839f8435e2de62fe"
        },
        {
          "@id": "_:Nf874bfc1f6da40efa6ea15ca94dd4b0c"
        }
      ]
    },
    {
      "@id": "_:Nacac947efa8b43f999c14bad4494003f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:injects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "_:N310515eae3f44990839f8435e2de62fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:Nf874bfc1f6da40efa6ea15ca94dd4b0c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-214",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-214",
      "rdfs:label": "Invocation of Process Using Visible Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-497"
      }
    },
    {
      "@id": "d3f:T1110",
      "@type": "owl:Class",
      "d3f:attack-id": "T1110",
      "rdfs:label": "Brute Force",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000030_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control based on organization-defined metadata.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000030"
    },
    {
      "@id": "d3f:SoftwareLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "A software library is a collection of software components that are used to build a software product.",
      "d3f:may-contain": [
        {
          "@id": "d3f:ExecutableBinary"
        },
        {
          "@id": "d3f:ExecutableScript"
        }
      ],
      "rdfs:label": "Software Library File",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Library_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N4f35fb02ae7e471da347a9c71ae41d80"
        },
        {
          "@id": "_:N29fd86258952457bb3f3dbbe51be63aa"
        },
        {
          "@id": "_:N9786b68eaef74dec995cd40997cf0bfc"
        }
      ]
    },
    {
      "@id": "_:N4f35fb02ae7e471da347a9c71ae41d80",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:N29fd86258952457bb3f3dbbe51be63aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N9786b68eaef74dec995cd40997cf0bfc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:CWE-129",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-129",
      "rdfs:label": "Improper Validation of Array Index",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1285"
      }
    },
    {
      "@id": "d3f:OfficeApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An office application is one that is part of an application suite (e.g., Microsoft Office, Open Office).",
      "rdfs:label": "Office Application",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:Reference-DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170026400A1/"
      },
      "d3f:kb-abstract": "Systems and methods of identifying a security risk by monitoring and generating alerts based on attempts to access web domains that have been registered within a short period of time and are therefore identified as \"high-risk,\" including identifying an attempt to access a domain; receiving a registration date of the domain; and detecting a security risk based on the registration date of the domain.",
      "d3f:kb-author": "Samuel Adams; H D. Moore",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Rapid7 Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Domain age registration alert",
      "rdfs:label": "Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Inc"
    },
    {
      "@id": "d3f:T1559.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.002",
      "rdfs:label": "Dynamic Data Exchange Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_20",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Approved Solutions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(20)"
    },
    {
      "@id": "d3f:SymbolicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SL",
      "d3f:definition": "Symbolic Logic, also known as formal logic, is a branch of mathematics that uses symbolic representations for logical expressions and relationships. It provides a systematic method for examining the structure of arguments and reasoning, focusing on the relationships between propositions rather than the content of those propositions.",
      "d3f:kb-article": "## How it Works\n\n## References\n1. Symbolic Logic. (2023, June 6). In _Wolfram Mathworld_. [Link](https://mathworld.wolfram.com/SymbolicLogic.html)\n2. Hughes, G. and Schagrin, M. (2023, Apr 19). Formal Logic. _Encyclopedia Britannica_. [Link](https://www.britannica.com/topic/formal-logic)\n3. Carnap, R. (1953). Introduction to Symbolic Logic and Its Applications. Dover Publications. [Link](https://archive.org/details/rudolf-carnap-introduction-to-symbolic-logic-and-its-applications/page/3/mode/2up)",
      "rdfs:label": "Symbolic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:T1610",
      "@type": "owl:Class",
      "d3f:attack-id": "T1610",
      "rdfs:label": "Deploy Container",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1020",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1020",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Automated Exfiltration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N81dadd29aa0c4aa4a5bdf921de938773"
        }
      ]
    },
    {
      "@id": "_:N81dadd29aa0c4aa4a5bdf921de938773",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-707",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-707",
      "rdfs:label": "Improper Neutralization",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:T1592.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.004",
      "rdfs:label": "Client Configurations",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-010/"
      },
      "d3f:kb-abstract": "This search looks for the creation of local administrator accounts using net.exe.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-010: Create local admin accounts using net exe",
      "rdfs:label": "Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITRE"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_21",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Physical or Logical Separation of Information Flows",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(21)"
    },
    {
      "@id": "d3f:CCI-001128_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001128"
    },
    {
      "@id": "_:N1e76d0ee8e064e5b9c129f3dcd761d33",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:CoefficientOfVariation"
          },
          {
            "@id": "d3f:InterquartileRange"
          },
          {
            "@id": "d3f:MeanAbsoluteDeviation"
          },
          {
            "@id": "d3f:MedianAbsoluteDeviation"
          },
          {
            "@id": "d3f:Range"
          },
          {
            "@id": "d3f:StandardDeviation"
          },
          {
            "@id": "d3f:Variance"
          }
        ]
      }
    },
    {
      "@id": "d3f:T1548",
      "@type": "owl:Class",
      "d3f:attack-id": "T1548",
      "rdfs:label": "Abuse Elevation Control Mechanism",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001632_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.",
      "d3f:exactly": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001632"
    },
    {
      "@id": "d3f:CWE-821",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-821",
      "rdfs:label": "Incorrect Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:CWE-466",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-466",
      "rdfs:label": "Return of Pointer Value Outside of Expected Range",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8566924"
      },
      "d3f:kb-abstract": "A method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs).",
      "d3f:kb-author": "Steven V Bacastow",
      "d3f:kb-organization": "OL Security LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Method and system for controlling communication ports",
      "rdfs:label": "Reference - Method and system for controlling communication ports"
    },
    {
      "@id": "d3f:T1070.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.005",
      "d3f:unmounts": {
        "@id": "d3f:NetworkFileShareResource"
      },
      "rdfs:label": "Network Share Connection Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N5e5df1fa46364225b40361fc1950cdb6"
        }
      ]
    },
    {
      "@id": "_:N5e5df1fa46364225b40361fc1950cdb6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:unmounts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFileShareResource"
      }
    },
    {
      "@id": "d3f:CCI-002530_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains a separate execution domain for each executing process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002530"
    },
    {
      "@id": "d3f:CCI-000831_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "d3f:ProcessEviction"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000831"
    },
    {
      "@id": "d3f:DigitalObject",
      "@type": "owl:Class",
      "d3f:definition": "A digital object is the top-level class for an object that exists in a digital environment. The digital object may be virtual or physical.",
      "rdfs:label": "Digital Object",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Digital_artifactual_value"
        },
        {
          "@id": "dbr:Virtual_artifact"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CWE-608",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-608",
      "rdfs:label": "Struts: Non-private Field in ActionForm Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:may-be-contained-by",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "owl:inverseOf": {
        "@id": "d3f:may-contain"
      },
      "rdfs:label": "may-be-contained-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1548.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.002",
      "d3f:executes": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Bypass User Access Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:N56e53d970abb4c0f8872f67b28296327"
        },
        {
          "@id": "_:N1a60d4dc035749a791b1528b8f130369"
        },
        {
          "@id": "_:N35f4860791954f54bf74becf5ad8cf08"
        }
      ]
    },
    {
      "@id": "_:N56e53d970abb4c0f8872f67b28296327",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N1a60d4dc035749a791b1528b8f130369",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N35f4860791954f54bf74becf5ad8cf08",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CapabilityAssessment",
      "@type": "owl:Class",
      "rdfs:label": "Capability Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Assessment"
        },
        {
          "@id": "_:N499880bed8144fdbb0ecfc373846eb0c"
        },
        {
          "@id": "_:Nbc3cb383e2754a7ba2ad2cd6e83fe6de"
        },
        {
          "@id": "_:N1552cc1b135847c0af2fddf07a1cdf05"
        },
        {
          "@id": "_:N1dc6d7ce62de4782b06d67eb956b86b6"
        }
      ]
    },
    {
      "@id": "_:N499880bed8144fdbb0ecfc373846eb0c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:assesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Capability"
      }
    },
    {
      "@id": "_:Nbc3cb383e2754a7ba2ad2cd6e83fe6de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-evidence"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdminFeatureAssessment"
      }
    },
    {
      "@id": "_:N1552cc1b135847c0af2fddf07a1cdf05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-evidence"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechniqueAssessment"
      }
    },
    {
      "@id": "_:N1dc6d7ce62de4782b06d67eb956b86b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-implementation"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CapabilityImplementation"
      }
    },
    {
      "@id": "d3f:CWE-773",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-773",
      "rdfs:label": "Missing Reference to Active File Descriptor or Handle",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-771"
      }
    },
    {
      "@id": "d3f:LinuxExecve",
      "@type": "owl:Class",
      "d3f:definition": "Executes a program by replacing the calling process with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments. The PID stays the same.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/execve.2.html",
      "rdfs:label": "Linux Execve",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIExec"
      }
    },
    {
      "@id": "d3f:T1528",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AccessToken"
      },
      "d3f:attack-id": "T1528",
      "rdfs:label": "Steal Application Access Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N7dbb3ece8e9b48df810059f217c401bf"
        }
      ]
    },
    {
      "@id": "_:N7dbb3ece8e9b48df810059f217c401bf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:evaluator",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "evaluator",
      "rdfs:subPropertyOf": {
        "@id": "d3f:contributor"
      }
    },
    {
      "@id": "d3f:T1590.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.002",
      "rdfs:label": "DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:ProcessStartFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A function that creates a new computer process, usually by invoking a create process system call.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Process Start Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Ne50c49370dc342269fd8023b40069a7c"
        }
      ]
    },
    {
      "@id": "_:Ne50c49370dc342269fd8023b40069a7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-1069",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1069",
      "rdfs:label": "Empty Exception Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1071"
      }
    },
    {
      "@id": "d3f:Reference-OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10333976B1/en?assignee=Illusive+Networks+Ltd&oq=Illusive+Networks+Ltd+"
      },
      "d3f:kb-abstract": "A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor.",
      "d3f:kb-author": "Hadar Yudovich; Nimrod Lavi; Sharon Bittan; Tom Kahana; Tom Sela",
      "d3f:kb-mitre-analysis": "Seems to focus on configuration oriented files to put in decoy hostnames etc. to publish on internet sites, then monitor the decoy \"objects\".",
      "d3f:kb-organization": "Illusive Networks Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "Open source intelligence deceptions",
      "rdfs:label": "Reference - Open source intelligence deceptions - Illusive Networks Ltd"
    },
    {
      "@id": "d3f:ResourceDevelopment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:display-order": 0,
      "rdfs:label": "Resource Development",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-525",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-525",
      "rdfs:label": "Use of Web Browser Cache Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-524"
      }
    },
    {
      "@id": "d3f:CWE-464",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-464",
      "rdfs:label": "Addition of Data Structure Sentinel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:UserBehaviorAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-UBA",
      "d3f:definition": "User behavior analytics (\"UBA\"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\nSome techniques monitor patterns of human behavior and then apply algorithms to identify patterns such as repeated login attempts from a single IP address, large file downloads, or abnormal accesses.\n\nOther techniques may have explicit or rigid definitions of \"bad behavior\" which are then matched against instances in a computer network environment.",
      "d3f:synonym": [
        "Credential Monitoring",
        "UBA"
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_behavior_analytics"
      },
      "rdfs:label": "User Behavior Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Neafda120a9844536b40cd84014eb7916"
        }
      ]
    },
    {
      "@id": "_:Neafda120a9844536b40cd84014eb7916",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:T1600",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600",
      "rdfs:label": "Weaken Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ProgressivelyGrowingGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PGG",
      "d3f:definition": "Progressive Growing GAN (ProGAN) is an extension to the GAN training process that allows for the stable training of generator models that can output large high-quality images.",
      "d3f:kb-article": "## References\n\nMachine Learning Mastery. (n.d.). Introduction to Progressive Growing Generative Adversarial Networks. [Link](https://machinelearningmastery.com/introduction-to-progressive-growing-generative-adversarial-networks/)",
      "d3f:synonym": "ProGAN",
      "rdfs:label": "Progressively Growing GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging | Selection of Audit Events by Component",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2(2)"
    },
    {
      "@id": "d3f:T1588.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.001",
      "rdfs:label": "Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-1221",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1221",
      "rdfs:label": "Incorrect Register Defaults or Module Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:T1031",
      "@type": "owl:Class",
      "d3f:attack-id": "T1031",
      "rdfs:label": "Modify Existing Service",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Execution",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 2,
      "rdfs:label": "Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Automated Access Enforcement and Audit Records",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "CM-5(1)"
    },
    {
      "@id": "d3f:InputDeviceAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:InputDevice"
      },
      "d3f:d3fend-id": "D3-IDA",
      "d3f:definition": "Operating system level mechanisms to prevent abusive input device exploitation.",
      "d3f:kb-article": "## How it works\n\nInput Device Hardening techniques filter certain commands, or disable related operating system functionality.\n\n### Analytics\n\nAll of these values can be analyzed and compared to a baseline:\n\n* Amount of input\n* Duration of a single input\n* Durations between inputs\n* Value of input\n\nContext can also include:\n\n* User which is logged in, to include attributes such as physical location of the user\n* Date and time\n* System which is processing the input\n* Source device of input, to include its properties (e.g. manufacturer), configuration (e.g. keyboard layout) and behavioral attributes of this device (e.g. first use)\n* Source system of input (local or remote system)\n* Other hardware devices attached to the system\n\n\n### Actions\n\nActions can include:\n\n* Disabling the source device\n* Sending an alert\n* Locking the current session (e.g. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue\n* Administratively disabling credentials for the account or the entire account -- the technique *Account Locking*\n\n\n### Examples\nA malicious input device sends many keystrokes with approximately the same delay between each.  This does not match the normal cadence of input, and the device is disabled.\n\nInput to type the session user's name takes abnormally longer for each keystroke.  The system is locked to the password prompt screen.\n\nA system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time.\n\nA system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour.\n\nNetwork traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface.  The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise.\n\n\n## Considerations\n\nGiven some examples of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and [This Person Does Not Exist](https://thispersondoesnotexist.com).",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics"
        },
        {
          "@id": "d3f:Reference-ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK"
        }
      ],
      "rdfs:label": "Input Device Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Nbec48c25be3b44cc8c70684eb79220d4"
        }
      ]
    },
    {
      "@id": "_:Nbec48c25be3b44cc8c70684eb79220d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:Reference-ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110296412A1"
      },
      "d3f:kb-abstract": "Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes characteristics of a virtual machine suitable for a different type of activity. Selected resources such as files are displayed to the virtual machines according to user and organization policies and controls. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.",
      "d3f:kb-author": "Gaurav Banga, Ian Pratt, Kiran Bondalapati, Vikram Kapoor",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bromium, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Approaches for securing an internet endpoint using fine-grained operating system virtualization",
      "rdfs:label": "Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc."
    },
    {
      "@id": "d3f:UserManualReference",
      "@type": "owl:Class",
      "d3f:pref-label": "User Manual",
      "rdfs:label": "User Manual Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:CWE-1046",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1046",
      "rdfs:label": "Creation of Immutable Text Using String Concatenation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:T1565.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.003",
      "d3f:may-modify": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Runtime Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:N17541b219b204c4cb88d855f9de44a9a"
        }
      ]
    },
    {
      "@id": "_:N17541b219b204c4cb88d855f9de44a9a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:HypothesisTesting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HT",
      "d3f:definition": "A statistical hypothesis test is a method of statistical inference used to decide whether the data at hand sufficiently support a particular hypothesis. Hypothesis testing allows us to make probabilistic statements about population parameters.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical hypothesis testing. [Link](https://en.wikipedia.org/wiki/Statistical_hypothesis_testing)",
      "rdfs:label": "Hypothesis Testing",
      "rdfs:subClassOf": {
        "@id": "d3f:InferentialStatistics"
      }
    },
    {
      "@id": "d3f:T1132.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1132.002",
      "rdfs:label": "Non-Standard Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:T1132"
      }
    },
    {
      "@id": "d3f:T1586.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586.002",
      "rdfs:label": "Email Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1586"
      }
    },
    {
      "@id": "d3f:CWE-925",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-925",
      "rdfs:label": "Improper Verification of Intent by Broadcast Receiver",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-940"
      }
    },
    {
      "@id": "d3f:EpistemicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EL",
      "d3f:definition": "Epistemic logic addresses modalities of knowledge; i.e., the certainty of sentences.",
      "d3f:kb-article": "## References\n1. Epistemic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Epistemic_logic)",
      "d3f:synonym": "Epistemic Modal Logic",
      "rdfs:label": "Epistemic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:M1038",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        }
      ],
      "rdfs:label": "Execution Prevention"
    },
    {
      "@id": "d3f:T1587",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587",
      "rdfs:label": "Develop Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:T1195",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195",
      "d3f:modifies": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "Supply Chain Compromise",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N8cdae48b3b7d4828815a49f08573029e"
        }
      ]
    },
    {
      "@id": "_:N8cdae48b3b7d4828815a49f08573029e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CCI-000804_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:One-timePassword"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000804"
    },
    {
      "@id": "d3f:CWE-290",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-290",
      "rdfs:label": "Authentication Bypass by Spoofing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:Reference-ServiceSearchPathInterception_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-07-001/"
      },
      "d3f:kb-abstract": "According to ATT&CK, an adversary may escalate privileges by intercepting the search path for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-07-001: Service Search Path Interception",
      "rdfs:label": "Reference - CAR-2014-07-001: Service Search Path Interception - MITRE"
    },
    {
      "@id": "d3f:CWE-655",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-655",
      "rdfs:label": "Insufficient Psychological Acceptability",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-008%3ADisableUAC_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-008/"
      },
      "d3f:kb-abstract": "Threat actors often, after compromising a machine, try to disable User Account Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-008: Disable UAC",
      "rdfs:label": "Reference - CAR-2021-01-008: Disable UAC - MITRE"
    },
    {
      "@id": "d3f:Processor",
      "@type": "owl:Class",
      "d3f:synonym": "Computer Processor",
      "rdfs:label": "Processor",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:may-be-isolated-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be isolated by",
      "owl:inverseOf": {
        "@id": "d3f:may-isolate"
      },
      "rdfs:label": "may-be-isolated-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:InitialAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 1,
      "rdfs:label": "Initial Access",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:T1546.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.004",
      "d3f:modifies": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "rdfs:label": ".bash_profile and .bashrc",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N97332c0a70b64564bad6852b1e88bc2a"
        }
      ]
    },
    {
      "@id": "_:N97332c0a70b64564bad6852b1e88bc2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:CWE-1275",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1275",
      "rdfs:label": "Sensitive Cookie with Improper SameSite Attribute",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:CWE-145",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-145",
      "rdfs:label": "Improper Neutralization of Section Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6"
    },
    {
      "@id": "d3f:CWE-1276",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1276",
      "rdfs:label": "Hardware Child Block Incorrectly Connected to Parent System",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:SecondaryStorage",
      "@type": "owl:Class",
      "d3f:definition": "Secondary memory (storage, hard disk) is the computer component holding information that does not need to be accessed quickly and that needs to be retained long-term.",
      "rdfs:isDefinedBy": "https://whatis.techtarget.com/definition/memory",
      "rdfs:label": "Secondary Storage",
      "rdfs:seeAlso": "https://en.wikipedia.org/wiki/Computer_data_storage#Secondary_storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Storage"
        }
      ]
    },
    {
      "@id": "d3f:T1003.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:EncryptedCredential"
        },
        {
          "@id": "d3f:PasswordFile"
        }
      ],
      "d3f:attack-id": "T1003.008",
      "rdfs:label": "/etc/passwd and /etc/shadow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Na7d63ef744194a1fbd3ab4c11f81d833"
        },
        {
          "@id": "_:N3d8f5e0b5a574325be5c9cb8a8a2d470"
        }
      ]
    },
    {
      "@id": "_:Na7d63ef744194a1fbd3ab4c11f81d833",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "_:N3d8f5e0b5a574325be5c9cb8a8a2d470",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "d3f:Model-basedReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBRL",
      "d3f:definition": "Model-based Reinforcement Learning refers to learning optimal behavior indirectly by learning a model of the environment by taking actions and observing the outcomes that include the next state and the immediate reward. The models predict the outcomes of actions and are used in lieu of or in addition to interaction with the environment to learn optimal policies.",
      "d3f:kb-article": "## References\nModel-Based Reinforcement Learning. In *Encyclopedia of Machine Learning*, pp. 642-644. Springer, 2010.  [Link](https://link.springer.com/referenceworkentry/10.1007/978-0-387-30164-8_556#:~:text=Model%2Dbased%20Reinforcement%20Learning%20refers,state%20and%20the%20immediate%20reward).",
      "rdfs:label": "Model-based Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReinforcementLearning"
      }
    },
    {
      "@id": "d3f:process-security-context",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-security-context y: The process x has the process security context data y.",
      "rdfs:domain": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "process-security-context",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:Semi-supervisedBoosting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSB",
      "d3f:definition": "Boosting methods can be readily extended to the semi-supervised setting by introducing pseudo-labeled data after each learning step, which gives rise to the idea of semi-supervised boosting methods. The pseudo-labeling approach of self-training and co-training can be easily extended to boosting methods. Several boosting methods, such as SSMBoost, ASSEMBLE, SemiBoost, RegBoost, etc., can be found which can be applied for utilizing unlabeled datasets for supervised classifiers.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Boosting",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:assessed-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:assesses"
      },
      "rdfs:label": "assessed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:T1027.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.001",
      "d3f:modifies": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Binary Padding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:N54e56ae7dd244bf7beb0277586f82301"
        }
      ]
    },
    {
      "@id": "_:N54e56ae7dd244bf7beb0277586f82301",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:T1003.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1003.005",
      "d3f:may-modify": {
        "@id": "d3f:Log"
      },
      "rdfs:label": "Cached Domain Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Naa73acdf4119441387daa55d4ff5ec83"
        },
        {
          "@id": "_:N5ced4682e5904fce839fbf32016234b3"
        }
      ]
    },
    {
      "@id": "_:Naa73acdf4119441387daa55d4ff5ec83",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "_:N5ced4682e5904fce839fbf32016234b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:Model-basedPolicyOptimization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBPO",
      "d3f:definition": "Model-based policy optimization (MBPO) is a model-based, online, off-policy reinforcement learning algorithm. For more information on the different types of reinforcement learning agents, see the MathWorks reference.",
      "d3f:kb-article": "## References\nMBPO Agents. MathWorks.  [Link](https://www.mathworks.com/help/reinforcement-learning/ug/mbpo-agents.html).",
      "rdfs:label": "Model-based Policy Optimization",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:CWE-221",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-221",
      "rdfs:label": "Information Loss or Omission",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Application",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A program that gives a computer instructions that provide the user with tools to accomplish a task; \"he has tried several different word processing applications\".  Distinct from system software that is intrinsically part of the operating system.  An application can be made up of executable files, configuration files, shared libraries, etc.",
      "d3f:may-contain": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Application_software"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/06582286-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:Nd3223dee2d3144f49f5dfd18442e2700"
        }
      ]
    },
    {
      "@id": "_:Nd3223dee2d3144f49f5dfd18442e2700",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:CCI-001813_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces access restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001813"
    },
    {
      "@id": "d3f:CCI-000144_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a real-time alert when organization-defined audit failure events occur.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-20T00:00:00"
      },
      "rdfs:label": "CCI-000144"
    },
    {
      "@id": "d3f:Authentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Authentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:User"
      },
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response.",
      "d3f:may-create": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "d3f:originates-from": {
        "@id": "d3f:PhysicalLocation"
      },
      "rdfs:label": "Authentication",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        },
        {
          "@id": "dbr:Authentication"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAction"
        },
        {
          "@id": "_:N5c1b2df3ad7e437bbc6ca21277186d43"
        },
        {
          "@id": "_:N0d625acdd2314ff5aa366d56df716b79"
        },
        {
          "@id": "_:Nfd40948b5e3e42a0b4396e7acdb1199f"
        }
      ]
    },
    {
      "@id": "_:N5c1b2df3ad7e437bbc6ca21277186d43",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:User"
      }
    },
    {
      "@id": "_:N0d625acdd2314ff5aa366d56df716b79",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "_:Nfd40948b5e3e42a0b4396e7acdb1199f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:originates-from"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:CWE-574",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-574",
      "rdfs:label": "EJB Bad Practices: Use of Synchronization Primitives",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-695"
        },
        {
          "@id": "d3f:CWE-821"
        }
      ]
    },
    {
      "@id": "d3f:Density-weightedMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DWM",
      "d3f:definition": "An Actvie Learning technique that uses a density estimate meta-parameter to avoid sampling sparsely populated regions of the feature space and can be based parametrically or from a parameter free model.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Density-weighted Method",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1036.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.006",
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Space after Filename",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N6cdeca6986434456ac723fd5c04ce8ef"
        }
      ]
    },
    {
      "@id": "_:N6cdeca6986434456ac723fd5c04ce8ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:TechniqueReference",
      "@type": "owl:Class",
      "d3f:definition": "A reference used to develop KB articles.",
      "d3f:pref-label": "Technique Reference",
      "rdfs:label": "Technique Reference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:Nb9da86c18c0a4f0db50dc22d59fd65b2"
        },
        {
          "@id": "_:N445b3eb3db144746b6414d1928bc6cd5"
        },
        {
          "@id": "_:N002389195c8e49d8a37bf9c73b763658"
        }
      ]
    },
    {
      "@id": "_:Nb9da86c18c0a4f0db50dc22d59fd65b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "_:N445b3eb3db144746b6414d1928bc6cd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-link"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:anyURI"
      }
    },
    {
      "@id": "_:N002389195c8e49d8a37bf9c73b763658",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference-title"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:LinuxClone",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process and provides more precise control over the data shared between the parent and child processes",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/clone.2.html",
      "rdfs:label": "Linux Clone",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-010%3ACMSTP_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-010/"
      },
      "d3f:kb-abstract": "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-010: CMSTP",
      "rdfs:label": "Reference - CAR-2020-11-010: CMSTP - MITRE"
    },
    {
      "@id": "d3f:T1585",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585",
      "rdfs:label": "Establish Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:CWE-379",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-379",
      "rdfs:label": "Creation of Temporary File in Directory with Insecure Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-377"
      }
    },
    {
      "@id": "d3f:Reference-DetectingDDoSAttackUsingSnort",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.researchgate.net/publication/338660054_DETECTING_DDoS_ATTACK_USING_Snort"
      },
      "d3f:kb-abstract": "A DDoS (Distributed Denial-of-Service) attack is very common and easy toexecute and does not require any sophisticated tools. It can happen to anyone. In this project we deploy snort in our home network as a NIDS (Network Intrusion Detection System) to detect a DDoS attack and prevent it.",
      "d3f:kb-author": "Manas Gogoi, Sourav Mishra",
      "d3f:kb-organization": "Indian Institute of Information Technology Allahabad",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "DETECTING DDoS ATTACK USING Snort",
      "rdfs:label": "Reference - Detecting DDoS Attack Using Snort"
    },
    {
      "@id": "d3f:CWE-135",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-135",
      "rdfs:label": "Incorrect Calculation of Multi-Byte String Length",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:T1140",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1140",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-add": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Deobfuscate/Decode Files or Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N28c3a61c5ebc47b28810662911d428d5"
        },
        {
          "@id": "_:N9cf150e32aca45a1bd17d97766cf07cd"
        },
        {
          "@id": "_:Nb9c4a067212e46d4b5c596fabf180b59"
        }
      ]
    },
    {
      "@id": "_:N28c3a61c5ebc47b28810662911d428d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N9cf150e32aca45a1bd17d97766cf07cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nb9c4a067212e46d4b5c596fabf180b59",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:AsymmetricKey",
      "@type": "owl:Class",
      "d3f:definition": "Asymmetric keys are public and private keys, paired such that asymmetric (public-key) cryptography algorithms can be implemented using them. Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. There are two functions that can be achieved: using a public key to authenticate that a message originated with a holder of the paired private key; or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it.",
      "rdfs:label": "Asymmetric Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:LinuxPauseProcess",
      "@type": "owl:Class",
      "d3f:definition": "Causes the calling process to sleep until a signal is delivered that either terminates the process or causes the invocation of a signal-catching function.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/pause.2.html",
      "rdfs:label": "Linux Pause Process",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendProcess"
      }
    },
    {
      "@id": "d3f:T1078.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.004",
      "d3f:uses": {
        "@id": "d3f:CloudUserAccount"
      },
      "rdfs:label": "Cloud Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:Ndfc447b0a8c54c02bdc27bcdd8538931"
        }
      ]
    },
    {
      "@id": "_:Ndfc447b0a8c54c02bdc27bcdd8538931",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:maps",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "maps",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-map"
      }
    },
    {
      "@id": "d3f:CWE-614",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-614",
      "rdfs:label": "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-319"
      }
    },
    {
      "@id": "d3f:CustomArchiveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A custom archive file is an archive file conforming to a custom format; that is, an archive file that does not conform to a common standard.",
      "rdfs:label": "Custom Archive File",
      "rdfs:subClassOf": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_27",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Redundant/independent Filtering Mechanisms",
      "d3f:exactly": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(27)"
    },
    {
      "@id": "d3f:NetworkPrinter",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a network printer is a device that can be accessed over a network which makes a persistent representation of graphics or text, usually on paper. While most output is human-readable, bar code printers are an example of an expanded use for printers. The different types of printers include 3D printer, inkjet printer, laser printer, thermal printer, etc.  Note that not all printers are networked and the digital information to be printed must be passed either by removable media or as directly connecting the printer to a computer (e.g., by USB.)",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Printer_(computing)"
      },
      "rdfs:label": "Network Printer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      }
    },
    {
      "@id": "d3f:WebSocketURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "Web Socket URL"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Separate Processing Domains",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "rdfs:label": "AC-6(4)"
    },
    {
      "@id": "d3f:WindowsNtCreateMailslotFile",
      "@type": "owl:Class",
      "d3f:definition": "Creates a special File Object called Mailslot.",
      "rdfs:label": "Windows NtCreateMailslotFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:DatabaseFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Database File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:LocalAreaNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building and has its network equipment and interconnects locally managed. Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks. Historical technologies include ARCNET, Token ring, and AppleTalk.",
      "d3f:may-contain": {
        "@id": "d3f:Host"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Local_area_network"
      },
      "rdfs:label": "Local Area Network",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Network"
        },
        {
          "@id": "_:N029c6b949450496587600542a9e8ab5c"
        }
      ],
      "skos:altLabel": "LAN"
    },
    {
      "@id": "_:N029c6b949450496587600542a9e8ab5c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:HardwareDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a device driver (commonly referred to simply as a driver) is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details of the hardware being used. A driver communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface.",
      "d3f:drives": {
        "@id": "d3f:HardwareDevice"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Device_driver"
      },
      "rdfs:label": "Hardware Driver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N8a5f0c96bc8c4a00a57e71e7689d348d"
        }
      ],
      "skos:altLabel": "Device Driver"
    },
    {
      "@id": "_:N8a5f0c96bc8c4a00a57e71e7689d348d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-14",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-14",
      "rdfs:label": "Compiler Removal of Code to Clear Buffers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-733"
      }
    },
    {
      "@id": "d3f:Reference-DetectionOfMaliciousIDNHomoglyphDomains",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://essay.utwente.nl/79263/1/Yazdani_MA_EEMCS.pdf"
      },
      "d3f:kb-abstract": "At early stages of Internet development, users were only able to register or access domains with ASCII characters. The introduction of IDN (Internationalized Domain Name) which uses the larger Unicode character set, made it possible for regional users to deal with domain names using their local language alphabet. Beside the advantages provided by IDN, a new type of network threats has also emerged. The reason behind this is that there are many similar-looking characters in Unicode system, called homoglyphs. These characters could be used by an attacker to lure users by replacing one or more characters of a benign domain.",
      "d3f:kb-author": "Ramin Yazdani",
      "d3f:kb-organization": "University of Twente",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDenylisting"
      },
      "d3f:kb-reference-title": "Detection of Malicious IDN Homoglyph Domains Using Active DNS Measurements",
      "rdfs:label": "Reference - Detection of Malicious IDNHomoglyph Domains"
    },
    {
      "@id": "d3f:T1590.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.001",
      "rdfs:label": "Domain Properties",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:OSAPIFunction",
      "@type": "owl:Class",
      "rdfs:label": "OS API Function",
      "rdfs:seeAlso": [
        "http://dbpedia.org/page/Linux_kernel_interfaces",
        "http://dbpedia.org/resource/Windows_API"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:drives",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x drives y: The device driver x causes a system component y to function by controlling it.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01184038-v"
      },
      "rdfs:label": "drives",
      "rdfs:seeAlso": {
        "@id": "dbr:Device_driver"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:K-meansClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KMC",
      "d3f:definition": "K-means algorithm identifies k number of centroids, and then allocates every data point to the nearest cluster, while keeping the centroids as small as possible.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Understanding K-means Clustering in Machine Learning. [Link](https://towardsdatascience.com/understanding-k-means-clustering-in-machine-learning-6a6e67336aa1)",
      "rdfs:label": "K-means Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Centroid-basedClustering"
      }
    },
    {
      "@id": "d3f:CCI-001683_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account creation actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001683"
    },
    {
      "@id": "d3f:CCI-002238_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002238"
    },
    {
      "@id": "d3f:PythonPackage",
      "@type": "owl:Class",
      "d3f:definition": "A Python package is an aggregation of many Python files - either in source code or in bytecode - and associated metadata and resources (text, images, etc.). Python packages can be distributed in different file formats.",
      "rdfs:label": "Python Package",
      "rdfs:seeAlso": {
        "@id": "https://packaging.python.org/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackage"
      }
    },
    {
      "@id": "d3f:UserApplication",
      "@type": "owl:Class",
      "d3f:definition": "A user application is executed for that an individual user on a user's personal computer or remotely by means of virtualization.  This is in contrast to service applications or enterprise software.",
      "rdfs:label": "User Application",
      "rdfs:seeAlso": {
        "@id": "dbr:Enterprise_software"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CWE-151",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-151",
      "rdfs:label": "Improper Neutralization of Comment Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-759",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-759",
      "rdfs:label": "Use of a One-Way Hash without a Salt",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-916"
      }
    },
    {
      "@id": "d3f:Reference-SimultaneousLoginsOnAHost_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-008/"
      },
      "d3f:kb-abstract": "Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.\n\nLogon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationEventThresholding"
      },
      "d3f:kb-reference-title": "CAR-2013-02-008: Simultaneous Logins on a Host",
      "rdfs:label": "Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITRE"
    },
    {
      "@id": "d3f:EmulatedFileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "d3f:ExecutableFile"
        }
      ],
      "d3f:d3fend-id": "D3-EFA",
      "d3f:definition": "Emulating instructions in a file looking for specific patterns.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation"
      },
      "rdfs:label": "Emulated File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "_:Nbb7a01f8506146239da26c2f7841ba87"
        },
        {
          "@id": "_:N240affda29674e2d9168f69ac60e2345"
        }
      ]
    },
    {
      "@id": "_:Nbb7a01f8506146239da26c2f7841ba87",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "_:N240affda29674e2d9168f69ac60e2345",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:windows-registry-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x windows-registry-data-property y: The windows registry entry x has the property y.",
      "rdfs:label": "windows-registry-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-artifact-data-property"
      }
    },
    {
      "@id": "d3f:CWE-87",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-87",
      "rdfs:label": "Improper Neutralization of Alternate XSS Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:HeterogeneousTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HTL",
      "d3f:definition": "Heterogeneous transfer learning is characterized by the source and target domains having differing feature spaces, but may also be combined with other issues such as differing data distributions and label spaces.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:TransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-1284",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1284",
      "rdfs:label": "Improper Validation of Specified Quantity in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:ExecutableAllowlisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:blocks": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:d3fend-id": "D3-EAL",
      "d3f:definition": "Using a digital signature to authenticate a file before opening.",
      "d3f:kb-article": "## How it works\n\nThis technique is generic and there are numerous ways to compute and authenticate digital signatures.\nA digital certificate is generated from a private/public key pair issued by a certificate authority (CA). A hash of the file is encrypted using the private key. When the file is downloaded by another user, the user's system uses the public key to decrypt the hash and a new hash is created of the downloaded file. The hash decrypted by the public key is compared to the new hash and if there is a mismatch, further techniques, such as file deletion, file quarantine, or **Executable Blacklisting** may be invoked.\n\nThis technique may be invoked when deciding whether to execute a file.\n\n## Considerations\n\nOrganizations which download or create high volumes of software make management complex, in particular engineering or scientific organizations.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_"
        },
        {
          "@id": "d3f:Reference-ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc."
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:synonym": "File Signature Authentication",
      "rdfs:label": "Executable Allowlisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:N56edd67765f14d6586695aadc120c878"
        },
        {
          "@id": "_:Nb1c36ff6c3d6453cb95bd31ab34570f1"
        }
      ]
    },
    {
      "@id": "_:N56edd67765f14d6586695aadc120c878",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nb1c36ff6c3d6453cb95bd31ab34570f1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1591.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.003",
      "rdfs:label": "Identify Business Tempo",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:T1592",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592",
      "rdfs:label": "Gather Victim Host Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:MessageAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserToUserMessage"
      },
      "d3f:d3fend-id": "D3-MAN",
      "d3f:definition": "Authenticating the sender of a message and ensuring message integrity.",
      "d3f:kb-article": "## How it works\n\n### Digital Signature\nDigital signatures are used to verifying a message is from the expected sender. In email, Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol is typically used to digitally sign messages. A hash value of the sender's message is created and encrypted with the sender's private key to create a digital signature. The message and the digital signature are sent to the recipient where the sender's public key is used to decrypt the digital signature and compute the hash of the message. The computed hash is compared with the hash from the received message, and any difference in the hash values signify the message did not originate from the sender and has been alerted in transit.\n\n### Message Authentication Code (MAC)\nMAC is a fixed size string that is appended to a message to provide message authentication and integrity. The sender MAC signing algorithm takes as input a secret symmetric key shared between sender and recipient and the message to calculate a short tag that is appended to the message. The recipient receives the message with the appended tag, and a MAC verification algorithm is run using the symmetric key to verify the message came from the stated sender and ensure the message has not been tampered with.\n\n## Considerations\n- Public keys associated with digital signatures should be verified by a Certification Authority (CA) to prevent impersonation. The CA verifies the owner of a public key and puts the sender's identity and public key into a certificate that is signed by the CA.\n- Digital signatures provide non-repudiation where a third party can verify the authenticity of the message using the sender's digital certificate signed by the CA.\n- Symmetric keys must be exchanged securely via a private channel and management of new symmetric keys are needed for each pair of participants wishing to exchange messages.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF"
        },
        {
          "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1"
        }
      ],
      "rdfs:label": "Message Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageHardening"
        },
        {
          "@id": "_:N808a6efe612641308806e0e817479ac4"
        }
      ]
    },
    {
      "@id": "_:N808a6efe612641308806e0e817479ac4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserToUserMessage"
      }
    },
    {
      "@id": "d3f:SystemDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system dependency indicates a system has an activity, agent, or another system which relies on it in order to be functional.",
      "rdfs:label": "System Dependency",
      "rdfs:seeAlso": [
        "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources",
        "https://r-docs.synapse.org/articles/systemDependencies.html",
        "https://dl.acm.org/doi/10.1145/960116.53994"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:DISA_FSO",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Organization"
      ],
      "d3f:definition": "Defense Information Systems Agency (DISA) Field Security Office (FSO)",
      "rdfs:label": "DISA FSO"
    },
    {
      "@id": "d3f:HostConfigurationSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects the configuration data on an endpoint.",
      "d3f:monitors": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:OperatingSystemConfiguration"
        }
      ],
      "rdfs:label": "Host Configuration Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N7d3a5e6b025f4fa593442ea0d850f2d1"
        },
        {
          "@id": "_:N35a54952ff51406d82032e1166fdc637"
        }
      ]
    },
    {
      "@id": "_:N7d3a5e6b025f4fa593442ea0d850f2d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "_:N35a54952ff51406d82032e1166fdc637",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfiguration"
      }
    },
    {
      "@id": "d3f:T1552.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudInstanceMetadata"
      },
      "d3f:attack-id": "T1552.005",
      "rdfs:label": "Cloud Instance Metadata  API",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N5f738a8bbe0f41d2b42b1cacd4f58673"
        }
      ]
    },
    {
      "@id": "_:N5f738a8bbe0f41d2b42b1cacd4f58673",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudInstanceMetadata"
      }
    },
    {
      "@id": "d3f:ApplicationLayerLink",
      "@type": "owl:Class",
      "rdfs:label": "Application Layer Link",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:CCI-002691_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002691"
    },
    {
      "@id": "d3f:T1578.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578.001",
      "rdfs:label": "Create Snapshot",
      "rdfs:subClassOf": {
        "@id": "d3f:T1578"
      }
    },
    {
      "@id": "d3f:CWE-341",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-341",
      "rdfs:label": "Predictable from Observable State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:T1557.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557.001",
      "d3f:produces": {
        "@id": "d3f:IntranetMulticastNetworkTraffic"
      },
      "rdfs:label": "LLMNR/NBT-NS Poisoning and SMB Relay",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1557"
        },
        {
          "@id": "_:N7e65747aef86465d90dbece40fcc00d2"
        }
      ]
    },
    {
      "@id": "_:N7e65747aef86465d90dbece40fcc00d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetMulticastNetworkTraffic"
      }
    },
    {
      "@id": "d3f:FileSystemLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file system link associates a name with a file on a file system.  Most generally, this may be a direct reference (a hard link) or an indirect one (a soft link).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "File System Link",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:attack-may-be-countered-by",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "attack-may-be-countered-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-tactically-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-236",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-236",
      "rdfs:label": "Improper Handling of Undefined Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:CWE-1294",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1294",
      "rdfs:label": "Insecure Security Identifier Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1148",
      "@type": "owl:Class",
      "d3f:attack-id": "T1148",
      "rdfs:label": "HISTCONTROL",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1212",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1212",
      "d3f:may-access": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:CredentialManagementSystem"
        }
      ],
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Credential Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Ned906af42e9644f690e7fbee5981f848"
        },
        {
          "@id": "_:N32d35b68cdf34bc0beaf1d19210074d1"
        },
        {
          "@id": "_:N52381b7687fc40ccb5102e147f83ac6a"
        },
        {
          "@id": "_:N6cca479ed0594e4f810bb45f1003524a"
        }
      ]
    },
    {
      "@id": "_:Ned906af42e9644f690e7fbee5981f848",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:N32d35b68cdf34bc0beaf1d19210074d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CredentialManagementSystem"
      }
    },
    {
      "@id": "_:N52381b7687fc40ccb5102e147f83ac6a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N6cca479ed0594e4f810bb45f1003524a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:T1027.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.005",
      "rdfs:label": "Indicator Removal from Tools",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:T1584.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.005",
      "rdfs:label": "Botnet",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:CWE-705",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-705",
      "rdfs:label": "Incorrect Control Flow Scoping",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:addressed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x addressed-by y: Relates a resource x (e.g., network host, peripheral device, disk sector, a memory cell or other logical or physical entity) to a discrete address y in an address space that points to it.",
      "owl:inverseOf": {
        "@id": "d3f:addresses"
      },
      "rdfs:domain": {
        "@id": "d3f:Resource"
      },
      "rdfs:label": "addressed-by",
      "rdfs:range": {
        "@id": "d3f:Identifier"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1102.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.003",
      "rdfs:label": "One-Way Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:CCI-002723_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, upon detection of a potential integrity violation, provides the capability to audit the event.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002723"
    },
    {
      "@id": "d3f:T1037.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.002",
      "d3f:modifies": {
        "@id": "d3f:UserInitScript"
      },
      "rdfs:label": "Logon Script (Mac)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:Ne4d1d815201c4193b527b54234709945"
        }
      ]
    },
    {
      "@id": "_:Ne4d1d815201c4193b527b54234709945",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:File",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:FileSection"
      },
      "d3f:definition": "A file maintained in computer-readable form.",
      "d3f:may-contain": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "File",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06521201-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Resource"
        },
        {
          "@id": "_:N4808469cd9794411b4dc49dbe0227c53"
        },
        {
          "@id": "_:N5ef5df2b1b1b42c69149649677ecb64e"
        },
        {
          "@id": "_:N84d0e2acefec4231aedf58fe5d9dc8e9"
        }
      ]
    },
    {
      "@id": "_:N4808469cd9794411b4dc49dbe0227c53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "_:N5ef5df2b1b1b42c69149649677ecb64e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N84d0e2acefec4231aedf58fe5d9dc8e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-766",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-766",
      "rdfs:label": "Critical Data Element Declared Public",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:CWE-348",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-348",
      "rdfs:label": "Use of Less Trusted Source",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:UserStartupScriptFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user startup script file is a shortcut file that is executed when a user logs in and starts a session on the host.  These indicate applications the user wants started at login.  For Windows, these are typically found in the user's startup directory.",
      "rdfs:label": "User Startup Script File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ]
    },
    {
      "@id": "d3f:OSAPICopyToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:CopyToken"
      },
      "rdfs:label": "OS API Copy Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nbff3704dac8c4362a94741a677ce2658"
        }
      ]
    },
    {
      "@id": "_:Nbff3704dac8c4362a94741a677ce2658",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CopyToken"
      }
    },
    {
      "@id": "d3f:T1103",
      "@type": "owl:Class",
      "d3f:attack-id": "T1103",
      "rdfs:label": "AppInit DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1339",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1339",
      "rdfs:label": "Insufficient Precision or Accuracy of a Real Number",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CCI-002824_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DeadCodeElimination"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        },
        {
          "@id": "d3f:SegmentAddressOffsetRandomization"
        },
        {
          "@id": "d3f:StackFrameCanaryValidation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-12T00:00:00"
      },
      "rdfs:label": "CCI-002824"
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190081968A1/en"
      },
      "d3f:kb-abstract": "A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator.",
      "d3f:kb-author": "Yanlin Wang; Weizhi Li",
      "d3f:kb-mitre-analysis": "This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events.  The following types of events are used to develop a user entity profile:\n\n* logon and logoff times and locations\n* starting or ending applications\n* reading or writing files\n* changing an entity 's authorization\n* monitoring network traffic\n\nUser events that deviate from the entity profile over a certain threshold trigger a remedial action.",
      "d3f:kb-organization": "Idaptive LLC",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Method and Apparatus for Network Fraud Detection and Remediation Through Analytics",
      "rdfs:label": "Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC"
    },
    {
      "@id": "d3f:T1069",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069",
      "rdfs:label": "Permission Groups Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1519",
      "@type": "owl:Class",
      "d3f:attack-id": "T1519",
      "rdfs:label": "Emond",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-41",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-41",
      "rdfs:label": "Improper Resolution of Path Equivalence",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:T1562.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.002",
      "d3f:may-modify": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        }
      ],
      "rdfs:label": "Disable Windows Event Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N9720744f164545a198df9a8c13c7ded1"
        },
        {
          "@id": "_:N51c83be9d6874169bb16ba95e6966761"
        }
      ]
    },
    {
      "@id": "_:N9720744f164545a198df9a8c13c7ded1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "_:N51c83be9d6874169bb16ba95e6966761",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      }
    },
    {
      "@id": "d3f:PrincipalComponentsAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCA",
      "d3f:definition": "Principal Component Analysis (PCA) is a statistic-based method of identifying patterns in a large dataset while increasing interpretability and preserving information.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Principal component analysis. [Link](https://en.wikipedia.org/wiki/Principal_component_analysis)",
      "rdfs:label": "Principal Components Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:Reference",
      "@type": "owl:Class",
      "rdfs:label": "Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CreateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "d3f:definition": "System call to create a new file on a file system. Some operating systems implement this functionality as part of their d3f:OpenFile system call.",
      "rdfs:label": "Create File",
      "rdfs:seeAlso": [
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfile2"
        },
        {
          "@id": "https://linux.die.net/man/2/creat"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N79a09d1cb2854428b0dd87ad432808ec"
        }
      ]
    },
    {
      "@id": "_:N79a09d1cb2854428b0dd87ad432808ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-001310_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system checks the validity of organization-defined inputs.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001310"
    },
    {
      "@id": "d3f:T1136.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1136.002",
      "rdfs:label": "Domain Account",
      "rdfs:subClassOf": {
        "@id": "d3f:T1136"
      }
    },
    {
      "@id": "d3f:T1606",
      "@type": "owl:Class",
      "d3f:attack-id": "T1606",
      "rdfs:label": "Forge Web Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1600.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600.001",
      "rdfs:label": "Reduce Key Space",
      "rdfs:subClassOf": {
        "@id": "d3f:T1600"
      }
    },
    {
      "@id": "d3f:weakness-of",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "weakness-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-weakness-of"
      }
    },
    {
      "@id": "d3f:OutboundNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound traffic is network traffic originating from a host of interest (client), to another host (server).",
      "rdfs:label": "Outbound Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-591",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-591",
      "rdfs:label": "Sensitive Data Storage in Improperly Locked Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-413"
      }
    },
    {
      "@id": "d3f:CCI-002883_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the use of maintenance tools to authorized personnel only.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002883"
    },
    {
      "@id": "d3f:BayesianLinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BLRL",
      "d3f:definition": "A supervised learning method that builds a Bayesian linear regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)",
      "rdfs:label": "Bayesian Linear Regression Learning",
      "rdfs:seeAlso": "http://d3fend.mitre.org/ontologies/d3fend.owl#BayesianLinearRegression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1163",
      "@type": "owl:Class",
      "d3f:attack-id": "T1163",
      "rdfs:label": "Rc.common",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:UserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account allows a user to authenticate to a system and potentially to receive authorization to access resources provided by or connected to that system; however, authentication does not imply authorization. To log into an account, a user is typically required to authenticate oneself with a password or other credentials for the purposes of accounting, security, logging, and resource management.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/User_(computing)#User_account"
      },
      "rdfs:label": "User Account",
      "rdfs:seeAlso": [
        "https://schema.ocsf.io/objects/user",
        {
          "@id": "dbr:User_account"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:ResourceFork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The resource fork is a fork or section of a file on Apple's classic Mac OS operating system, which was also carried over to the modern macOS for compatibility, used to store structured data along with the unstructured data stored within the data fork.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Resource_fork"
      },
      "rdfs:label": "Resource Fork",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:LateralMovement",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 8,
      "rdfs:label": "Lateral Movement",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CCI-000884_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000884"
    },
    {
      "@id": "d3f:CWE-576",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-576",
      "rdfs:label": "EJB Bad Practices: Use of Java I/O",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:RDPSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Remote Desktop Protocol (RDP) session is a session established using the RDP protocol to access Remove Desktop Services (RDS).",
      "rdfs:label": "RDP Session",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Remote_Desktop_Services"
        },
        {
          "@id": "dbr:Remote_Desktop_Protocol"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteSession"
      },
      "skos:altLabel": [
        "Remote Desktop Session",
        "Terminal Services"
      ]
    },
    {
      "@id": "d3f:T1098",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098",
      "d3f:modifies": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Account Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N059e4228870a4256b47e19bd1e0ccf1b"
        }
      ]
    },
    {
      "@id": "_:N059e4228870a4256b47e19bd1e0ccf1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-685",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-685",
      "rdfs:label": "Function Call With Incorrect Number of Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:CWE-1071",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1071",
      "rdfs:label": "Empty Code Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:T1214",
      "@type": "owl:Class",
      "d3f:attack-id": "T1214",
      "rdfs:label": "Credentials in Registry",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1547.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.002",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Authentication Package",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N13ca822c304f4e4ea25894ff6db57e88"
        }
      ]
    },
    {
      "@id": "_:N13ca822c304f4e4ea25894ff6db57e88",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1557.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557.003",
      "d3f:creates": {
        "@id": "d3f:DHCPNetworkTraffic"
      },
      "rdfs:label": "DHCP Spoofing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1557"
        },
        {
          "@id": "_:Nca4e963b74a544b8be255f5a4566cc3d"
        }
      ]
    },
    {
      "@id": "_:Nca4e963b74a544b8be255f5a4566cc3d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1327",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1327",
      "rdfs:label": "Binding to an Unrestricted IP Address",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-502",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-502",
      "d3f:may-be-weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "d3f:weakness-of": {
        "@id": "d3f:DeserializationFunction"
      },
      "rdfs:label": "Deserialization of Untrusted Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "_:Nca571d5d4f04484da441c4985439690e"
        },
        {
          "@id": "_:Ndb2008b34f374ea5a3d1f248d4a63bd1"
        }
      ]
    },
    {
      "@id": "_:Nca571d5d4f04484da441c4985439690e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "_:Ndb2008b34f374ea5a3d1f248d4a63bd1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DeserializationFunction"
      }
    },
    {
      "@id": "d3f:Reference-SecurityVulnerabilityInformationAggregation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8544098B2"
      },
      "d3f:kb-abstract": "Security vulnerability information aggregation techniques are disclosed. Vulnerability information associated with one or more security vulnerabilities is obtained from multiple sources and aggregated into respective unified vulnerability definitions for the one or more security vulnerabilities. Aggregation may involve format conversion, content aggregation, or both in some embodiments. Unified vulnerability definitions may be distributed to vulnerability information consumers in accordance with consumer-specific policies. Storage of vulnerability information received from the sources may allow the aggregation process to be performed on existing vulnerability information “retro-actively”. Related data structures and Graphical User Interfaces (GUIs) are also disclosed.",
      "d3f:kb-author": "Christophe Gustave, Stanley Taihai Chow, Douglas Wiemer",
      "d3f:kb-organization": "Nokia Technologies Oy",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "Security vulnerability information aggregation",
      "rdfs:label": "Reference - Security vulnerability information aggregation"
    },
    {
      "@id": "d3f:CWE-563",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-563",
      "rdfs:label": "Assignment to Variable without Use",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:GenerativeAdversarialNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GAN",
      "d3f:definition": "Generative Adversarial Networks (GAN) are an approach to generative modeling using deep learning methods, such as convolutional neural networks.",
      "d3f:kb-article": "## References\nBrownlee, J. (2019). What Are Generative Adversarial Networks (GANs)? Machine Learning Mastery. [Link](https://machinelearningmastery.com/what-are-generative-adversarial-networks-gans/)",
      "d3f:synonym": "GAN",
      "rdfs:label": "Generative Adversarial Network",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:CWE-263",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-263",
      "rdfs:label": "Password Aging with Long Expiration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:CCI-001855_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-14T00:00:00"
      },
      "rdfs:label": "CCI-001855"
    },
    {
      "@id": "d3f:CWE-1043",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1043",
      "rdfs:label": "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:T1611",
      "@type": "owl:Class",
      "d3f:attack-id": "T1611",
      "rdfs:label": "Escape to Host",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002717_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to firmware.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002717"
    },
    {
      "@id": "d3f:ImageSynthesisGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ISG",
      "d3f:definition": "Image synthesis through the application of Generative Adversarial Networks.",
      "d3f:kb-article": "## References\n\nZhang, Q., Wang, H., Lu, H., Won, D., & Yoon, S. W. (2018). Medical Image Synthesis with Generative Adversarial Networks for Tissue Recognition. 2018 IEEE International Conference on Healthcare Informatics (ICHI), 199-207. doi: 10.1109/ICHI.2018.00030. [Link](https://ieeexplore.ieee.org/document/8419363)",
      "rdfs:label": "Image Synthesis GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:T1564",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564",
      "rdfs:label": "Hide Artifacts",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1274",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1274",
      "rdfs:label": "Improper Access Control for Volatile Memory Containing Boot Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-ReverseDNSBlocking_BarracudaNetworks",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://campus.barracuda.com/product/emailsecuritygateway/doc/39819732/reverse-dns-blocking/"
      },
      "d3f:kb-author": "campus.barracuda.com",
      "d3f:kb-mitre-analysis": "Inbound corporate SMTP traffic on port 25 can be routed through Barracuda Email Security Gateway before reaching the corporate mail server; the gateway acts as a traffic filter based on reverse DNS lookups and a denylist for blocking domains.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ReverseResolutionDomainDenylisting"
      },
      "d3f:kb-reference-title": "Reverse DNS Blocking",
      "rdfs:label": "Reference - Reverse DNS Blocking - Barracuda Networks"
    },
    {
      "@id": "d3f:T1072",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1072",
      "d3f:executes": {
        "@id": "d3f:SoftwareDeploymentTool"
      },
      "d3f:installs": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Deployment Tools Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N84e916769216470b8f4c6f6000ff971e"
        },
        {
          "@id": "_:N572b4e43080645c4a59b4d9556120bd9"
        },
        {
          "@id": "_:Nec07ef77d9e54fb2a4b6cbee715375a6"
        }
      ]
    },
    {
      "@id": "_:N84e916769216470b8f4c6f6000ff971e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N572b4e43080645c4a59b4d9556120bd9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareDeploymentTool"
      }
    },
    {
      "@id": "_:Nec07ef77d9e54fb2a4b6cbee715375a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:installs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:DecoyEnvironment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-DE",
      "d3f:definition": "A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.",
      "d3f:enables": {
        "@id": "d3f:Deceive"
      },
      "d3f:kb-article": "## Technique Overview\n\nSystems in a decoy environment are typically configured so that some detectable means of communication does not have any legitimate business purpose.  Any communication via these means should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.",
      "d3f:manages": {
        "@id": "d3f:DecoyArtifact"
      },
      "d3f:synonym": "Honeypot",
      "rdfs:label": "Decoy Environment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N1ec1c7386cf14c459fd1f86d2d4239b0"
        },
        {
          "@id": "_:N6acb0b76a9594a37b838efce156ec82d"
        }
      ]
    },
    {
      "@id": "_:N1ec1c7386cf14c459fd1f86d2d4239b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Deceive"
      }
    },
    {
      "@id": "_:N6acb0b76a9594a37b838efce156ec82d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DecoyArtifact"
      }
    },
    {
      "@id": "d3f:InboundInternetMailTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet mail traffic is network traffic that is: (a) coming from a host outside a given network via an incoming connection to a host inside that same network, and (b) using a standard protocol for email.",
      "rdfs:label": "Inbound Internet Mail Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:InboundNetworkTraffic"
        },
        {
          "@id": "d3f:MailNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:text",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "The text of the document (i.e., terms of license).",
      "rdfs:label": {
        "@language": "en",
        "@value": "text"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:WebResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource using a standard web protocol.",
      "rdfs:label": "Web Resource Access",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResourceAccess"
      }
    },
    {
      "@id": "d3f:PassiveLogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LogicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-PLLM",
      "d3f:definition": "Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-TenablePassiveNetworkMonitoring"
      },
      "d3f:synonym": "Passive Logical Layer Mapping",
      "rdfs:label": "Passive Logical Link Mapping",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLinkMapping"
      }
    },
    {
      "@id": "d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-003/"
      },
      "d3f:kb-abstract": "Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:kb-reference-title": "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services",
      "rdfs:label": "Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITRE"
    },
    {
      "@id": "d3f:CCI-000772_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000772"
    },
    {
      "@id": "d3f:Reference-RemoteRegistry_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-005/"
      },
      "d3f:kb-abstract": "An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a Lateral Movement technique, discover the configuration of a host, achieve Persistence, or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005.\n\nRemote access to the registry can be achieved via\n\n* Windows API function RegConnectRegistry\n* command line via reg.exe\n* graphically via regedit.exe\n\nAll of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-005: Remote Registry",
      "rdfs:label": "Reference - CAR-2014-11-005: Remote Registry - MITRE"
    },
    {
      "@id": "d3f:process-parent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-parent y: The process y created the process x (directly) with a create process event.",
      "rdfs:label": "process-parent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-ancestor"
      },
      "skos:altLabel": "processParent"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
      },
      "d3f:has-member": [
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-17_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-23"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_9"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_11"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_11"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_12"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_14"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_15"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_17"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_19"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_20"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_21"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_26"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_27"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_28"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_29"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_30"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_32"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_9"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-10_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-14_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-15"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-14"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IR-4_12"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IR-4_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-4_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-11_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-11_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-8_18"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-8_22"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-3_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4_4"
        }
      ],
      "d3f:version": 5,
      "rdfs:label": "NIST SP 800-53 R5",
      "rdfs:seeAlso": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
    },
    {
      "@id": "d3f:Impact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 12,
      "rdfs:label": "Impact",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:CCI-000352_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000352"
    },
    {
      "@id": "d3f:T1497.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497.002",
      "rdfs:label": "User Activity Based Checks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1497"
      }
    },
    {
      "@id": "d3f:AuthorizationEventThresholding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authorization"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-AZET",
      "d3f:definition": "Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.",
      "d3f:kb-article": "## How it works\n\nAuthorization event data is collected to create a baseline user profile. Authorization events that deviate from the baseline and exceed a static or dynamic threshold are identified for further action. Authorization events can include successful and failed authorization attempts as well as events related to permissions including viewing, editing, deleting, creating files, databases etc.\n\n## Considerations\n\nDepending on the complexity of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If malicious activity is not statistically different from benign activity, an alert threshold will not be met.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-SMBSessionSetups_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Authorization Event Thresholding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N69a3895b52244095a1814625c8e1b01d"
        }
      ]
    },
    {
      "@id": "_:N69a3895b52244095a1814625c8e1b01d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:OutboundTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-OTF",
      "d3f:definition": "Restricting network traffic originating from a private host or enclave destined towards untrusted networks.",
      "d3f:filters": {
        "@id": "d3f:OutboundNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\n\nOutbound traffic, in this context, is network traffic originating from a private host or enclave destined towards untrusted networks.\nFor example:\n\n* An enterprise desktop intranet user connecting to www.example.com\n* An internal mail server connecting to an external mail server, mail.example.com\n\nFiltering is commonly implemented as firewall rulesets to limit outbound traffic permitted to egress a host or network. Firewalls are deployed either directly on hosts through kernel level software implementations or installed in-line directly on network links. There are benefits and disadvantages to each approach.\n\nThere are various strategies for developing filtering rulesets:\n\n* Block everything by default\n* Limit destination hosts\n* Limit destination transport or application protocols\n* Restrict content outbound (Ex. strings formatted as social security numbers, or proprietary data)\n\n## Considerations\n* Dynamic IP assignment creates challenges for Outbound Traffic Filtering because users are not necessarily associated with the same IP address. This can be addressed by linking IP address management information with the filtering logic.\n* Connections using non-standard transport layer ports may circumvent outbound traffic filtering technology which does not detect application protocol based on traffic content.\n* Business requirements typically drive the development of filtering rule sets.\n\n## Implementations\n- iptables (Linux)\n- Windows Firewall\n- pf (BSD)",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
      },
      "rdfs:label": "Outbound Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficFiltering"
        },
        {
          "@id": "_:Nc219bb0332d74f3cb664d50a25b5757b"
        }
      ]
    },
    {
      "@id": "_:Nc219bb0332d74f3cb664d50a25b5757b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundNetworkTraffic"
      }
    },
    {
      "@id": "d3f:RegSetKeyValueA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:DigitalArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An information-bearing artifact (object) that is, or is encoded to be used with, a digital computer system. This concept is broad to include the literal instances of an artifact, or an implicit summarization of changes to or properties of other artifacts.",
      "d3f:display-baseurl": "/dao/artifact/",
      "d3f:synonym": "Digital Asset",
      "rdfs:label": "Digital Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Digital_artifactual_value"
        },
        "https://www.iso.org/obp/ui/#iso:std:iso-iec:19770:-1:ed-3:v1:en",
        {
          "@id": "dbr:Virtual_artifact"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Artifact"
        },
        {
          "@id": "d3f:DigitalObject"
        }
      ]
    },
    {
      "@id": "d3f:CWE-422",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-422",
      "rdfs:label": "Unprotected Windows Messaging Channel ('Shatter')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-360"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:start",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "start",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9807115B2/en?oq=US-9807115-B2"
      },
      "d3f:kb-abstract": "A system for identifying the presence of ransomware on a network, including a plurality of resources, interconnected to form a network and at least one decoy drive.The decoy drive includes a plurality of decoy files to be encrypted by the ransomware, and wherein the decoy drive continuously provides the decoy files thereby continuously occupying the ransomware.",
      "d3f:kb-author": "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Fidelis Cybersecurity Solutions Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints",
      "rdfs:label": "Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"
    },
    {
      "@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisa.gov/news-events/analysis-reports/ar21-134a"
      },
      "d3f:kb-organization": "CISA",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialRotation"
      },
      "d3f:kb-reference-title": "Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise",
      "rdfs:label": "Reference - Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise - CISA"
    },
    {
      "@id": "d3f:identifier",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "identifier"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:DimensionReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DR",
      "d3f:definition": "Dimensionality reduction is a key technique within unsupervised learning. It compresses the data by finding a smaller, different set of variables that capture what matters most in the original features, while minimizing the loss of information.",
      "d3f:kb-article": "## References\nO'Reilly Media. (n.d.). Chapter 7. Machine Learning and Security: Protecting Systems with Data and Algorithms. [Link](https://www.oreilly.com/library/view/machine-learning-and/9781492073048/ch07.html)",
      "rdfs:label": "Dimension Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:T1566",
      "@type": "owl:Class",
      "d3f:attack-id": "T1566",
      "rdfs:label": "Phishing",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000067_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors remote access methods.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000067"
    },
    {
      "@id": "d3f:T1099",
      "@type": "owl:Class",
      "d3f:attack-id": "T1099",
      "rdfs:label": "Timestomp",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1593.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593.001",
      "rdfs:label": "Social Media",
      "rdfs:subClassOf": {
        "@id": "d3f:T1593"
      }
    },
    {
      "@id": "d3f:CCI-000196_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, stores only cryptographically-protected passwords.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000196"
    },
    {
      "@id": "d3f:CWE-1047",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1047",
      "rdfs:label": "Modules with Circular Dependencies",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:CWE-687",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-687",
      "rdfs:label": "Function Call With Incorrectly Specified Argument Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:CCI-001376_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies source domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001376"
    },
    {
      "@id": "d3f:has-account",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-account y: The subject x has ownership or possession of some account y.",
      "rdfs:label": "has-account",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02209474-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:owns"
      }
    },
    {
      "@id": "d3f:CWE-1064",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1064",
      "rdfs:label": "Invokable Control Element with Signature Containing an Excessive Number of Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:SubspaceClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SC",
      "d3f:definition": "Subspace clustering is an extension of traditional clustering that seeks to find clusters in different subspaces within a dataset.",
      "d3f:kb-article": "## References\nParsons, L., Haque, E., & Liu, H. (2004). Subspace Clustering for High Dimensional Data: A Review. [Link](https://www.kdd.org/exploration_files/parsons.pdf)",
      "rdfs:label": "Subspace Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:CorrelationClustering"
      }
    },
    {
      "@id": "d3f:CWE-107",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-107",
      "rdfs:label": "Struts: Unused Validation Form",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:has-goal",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:CWE-482",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-482",
      "rdfs:label": "Comparing instead of Assigning",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-480"
      }
    },
    {
      "@id": "d3f:T1133",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1133",
      "d3f:produces": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        },
        {
          "@id": "d3f:NetworkSession"
        }
      ],
      "rdfs:label": "External Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N1f2584f239ae46e5838c326d435ca368"
        },
        {
          "@id": "_:Nd6c3debedb3f40f99fae88890a1d8211"
        },
        {
          "@id": "_:N811d1def5d9a44dc9b3dcbf801392058"
        }
      ]
    },
    {
      "@id": "_:N1f2584f239ae46e5838c326d435ca368",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nd6c3debedb3f40f99fae88890a1d8211",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "_:N811d1def5d9a44dc9b3dcbf801392058",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:CWE-763",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-763",
      "rdfs:label": "Release of Invalid Pointer or Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:CWE-123",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-123",
      "rdfs:label": "Write-what-where Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-787"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-003/"
      },
      "d3f:kb-abstract": "Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-003: Indicator Blocking - Driver Unloaded",
      "rdfs:label": "Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITRE"
    },
    {
      "@id": "d3f:InboundNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound traffic is network traffic originating from another host (client), to the host of interest (server).",
      "rdfs:label": "Inbound Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:MessageEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageHardening"
      ],
      "d3f:d3fend-id": "D3-MENCR",
      "d3f:definition": "Encrypting a message body using a cryptographic key.",
      "d3f:encrypts": {
        "@id": "d3f:UserToUserMessage"
      },
      "d3f:kb-article": "## How it works\n\n### Asymmetric Cryptography\nAsymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. The sender encrypts messages using the recipient's public key and the receipt decrypts the message using their private key. Standards that can be used to implement message encryption include S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP.\n### Symmetric Cryptography\nSymmetric encryption uses the same cryptographic key by both the sender and receiver to encrypt and decrypt a message. Asymmetric key exchange protocols such as Diffie-Hellman can be used to share the cryptographic key with the recipient.\n\n## Considerations\n- Separate configuration settings to enable message encryption are often needed for each messenger client (e.g. webmail, desktop client, mobile).\n- Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.\n- Secure transfer of private keys between multiple devices.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1"
      },
      "rdfs:label": "Message Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageHardening"
        },
        {
          "@id": "_:N04f6fb0080fa4561add6efaa5fee7015"
        }
      ]
    },
    {
      "@id": "_:N04f6fb0080fa4561add6efaa5fee7015",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserToUserMessage"
      }
    },
    {
      "@id": "d3f:PatentReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Patent",
      "rdfs:label": "Patent Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:d3fend-kb-object-property",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x d3fend-kb-object-property y: The object y is a d3fend knowledge base object property. These properties allow the linkage of knowledge and information supporting and illustrating the d3fend model.",
      "rdfs:label": "d3fend-kb-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:CCI-001400_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001400"
    },
    {
      "@id": "d3f:CWE-104",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-104",
      "rdfs:label": "Struts: Form Bean Does Not Extend Validation Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:InternetArticle",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "Internet Article",
      "rdfs:subClassOf": {
        "@id": "d3f:NewsArticle"
      }
    },
    {
      "@id": "d3f:CWE-626",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-626",
      "rdfs:label": "Null Byte Interaction Error (Poison Null Byte)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-147"
        },
        {
          "@id": "d3f:CWE-436"
        }
      ]
    },
    {
      "@id": "d3f:Reference-UEFIPlatformInitialization-Specification",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://uefi.org/sites/default/files/resources/PI_Spec_1_7_A_final_May1.pdf"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:BootloaderAuthentication"
      },
      "d3f:kb-reference-title": "UEFI Platform Initialization (PI) Specification",
      "rdfs:label": "Reference - UEFI Platform Initialization (PI) Specification"
    },
    {
      "@id": "d3f:OffensiveTechnique",
      "@type": "owl:Class",
      "d3f:display-baseurl": "/offensive-technique/attack/",
      "rdfs:isDefinedBy": {
        "@id": "https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf"
      },
      "rdfs:label": "Offensive Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKThing"
        },
        {
          "@id": "d3f:Technique"
        },
        {
          "@id": "_:N443f1d3456f74e5999c110ab04e025a7"
        }
      ]
    },
    {
      "@id": "_:N443f1d3456f74e5999c110ab04e025a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:T1561",
      "@type": "owl:Class",
      "d3f:attack-id": "T1561",
      "rdfs:label": "Disk Wipe",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1003.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.004",
      "d3f:may-access": [
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:SystemPasswordDatabase"
        }
      ],
      "rdfs:label": "LSA Secrets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N61e9b6cc793647c5adba72971ef31d4d"
        },
        {
          "@id": "_:Na9ac4c8704b74abd91be3f7c501390d9"
        }
      ]
    },
    {
      "@id": "_:N61e9b6cc793647c5adba72971ef31d4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:Na9ac4c8704b74abd91be3f7c501390d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPasswordDatabase"
      }
    },
    {
      "@id": "d3f:CWE-1097",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1097",
      "rdfs:label": "Persistent Storable Data Element without Associated Comparison Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:M1015",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "M1015 scope is broad, touches on an wide variety of techniques in D3FEND.",
      "d3f:related": [
        {
          "@id": "d3f:AuthenticationCacheInvalidation"
        },
        {
          "@id": "d3f:DomainTrustPolicy"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "rdfs:label": "Active Directory Configuration"
    },
    {
      "@id": "d3f:may-have-weakness",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:Artifact"
      },
      "rdfs:label": "may-have-weakness",
      "rdfs:range": {
        "@id": "d3f:Weakness"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:OperatingSystemExecutableFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system executable is a critical executable that is part of the operating system, and without which, the operating system may not operate correctly.",
      "rdfs:label": "Operating System Executable File",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:CWE-360",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-360",
      "rdfs:label": "Trust of System Event Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:LogMessageFunction",
      "@type": "owl:Class",
      "d3f:definition": "Produces an entry in a log.",
      "rdfs:label": "Log Message Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:Transformer-XL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TX",
      "d3f:definition": "Transformer-XL is a transformer architecture that introduces the notion of recurrence to the deep self-attention network. Instead of computing the hidden states from scratch for each new segment, Transformer-XL reuses the hidden states obtained in previous segments.",
      "d3f:kb-article": "## References\nTransformer-XL. (n.d.). Papers with Code. [Link](https://paperswithcode.com/method/transformer-xl)",
      "rdfs:label": "Transformer-XL",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:employed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x employed-by y: An entity x is put into service by a technique or agent y.  Inverse of y employs x.",
      "owl:inverseOf": {
        "@id": "d3f:employs"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01161188-v"
      },
      "rdfs:label": "employed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-001426_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001426"
    },
    {
      "@id": "d3f:CWE-1066",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1066",
      "rdfs:label": "Missing Serialization Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-27",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-27",
      "rdfs:label": "Path Traversal: 'dir/../../filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:Host",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Application"
        },
        {
          "@id": "d3f:OperatingSystem"
        }
      ],
      "d3f:definition": "A host is a computer or other device, typically connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address. Network hosts that participate in applications that use the client-server model of computing, are classified as server or client systems. Network hosts may also function as nodes in peer-to-peer applications, in which all nodes share and consume resources in an equipotent manner.",
      "d3f:runs": {
        "@id": "d3f:OperatingSystem"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Host_(network)"
      },
      "rdfs:label": "Host",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/device",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkNode"
        },
        {
          "@id": "_:N69810b6bad184993ae0c993b629a76a8"
        },
        {
          "@id": "_:N3e0d1c373d7f46c1a27b32a33072a66e"
        },
        {
          "@id": "_:N63a189ab14364ebe837d8e6deca0bb85"
        }
      ],
      "skos:altLabel": "Network Host"
    },
    {
      "@id": "_:N69810b6bad184993ae0c993b629a76a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "_:N3e0d1c373d7f46c1a27b32a33072a66e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "_:N63a189ab14364ebe837d8e6deca0bb85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "d3f:may-evict",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may evict",
      "rdfs:label": "may-evict",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:may-counter"
        },
        {
          "@id": "d3f:may-counter-attack"
        }
      ]
    },
    {
      "@id": "d3f:RPCNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "RPC network traffic is network traffic related to remote procedure calls between network nodes..This includes only network traffic conforming to a standard RPC protocol; not custom protocols.",
      "rdfs:label": "RPC Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-692",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-692",
      "rdfs:label": "Incomplete Denylist to Cross-Site Scripting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:CWE-1252",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1252",
      "rdfs:label": "CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-1038",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1038",
      "rdfs:label": "Insecure Automated Optimizations",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-435"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:PearsonsCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCC",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Correlation Coefficient. [Link](https://mathworld.wolfram.com/CorrelationCoefficient.html)",
      "rdfs:label": "Pearson's Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:InputFunction",
      "@type": "owl:Class",
      "d3f:definition": "Generic function that receives input from an untrusted source.",
      "rdfs:label": "Input Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1147",
      "@type": "owl:Class",
      "d3f:attack-id": "T1147",
      "rdfs:label": "Hidden Users",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001695_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the execution of organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-10-07T00:00:00"
      },
      "rdfs:label": "CCI-001695"
    },
    {
      "@id": "d3f:CWE-1236",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1236",
      "rdfs:label": "Improper Neutralization of Formula Elements in a CSV File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:T1550.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.002",
      "d3f:creates": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Pass The Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:N193a7d49e0234ff689cfb0172c022f73"
        }
      ]
    },
    {
      "@id": "_:N193a7d49e0234ff689cfb0172c022f73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:Reference-UseRkillToStopMalwareProcesses-Ghacks.net",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ghacks.net/2011/07/29/use-rkill-to-stop-malware-processes/"
      },
      "d3f:kb-author": "Melanie Gross",
      "d3f:kb-organization": "ghacks.net",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Use Rkill to Stop Malware Processes",
      "rdfs:label": "Reference - Use Rkill to Stop Malware Processes - ghacks.net"
    },
    {
      "@id": "d3f:DisplayServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server communicates with its clients over the display server protocol, a communications protocol, which can be network-transparent or simply network-capable. The display server is a key component in any graphical user interface, specifically the windowing system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Display_server"
      },
      "rdfs:label": "Display Server",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "Window Server"
    },
    {
      "@id": "d3f:UserAction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An action performed by a user. Executing commands, granting permissions, and accessing resources are examples of user actions.",
      "rdfs:label": "User Action",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "d3f:DigitalEvent"
        }
      ]
    },
    {
      "@id": "d3f:UnixLink",
      "@type": "owl:Class",
      "d3f:definition": "A Unix link is a file link in a Unix file system.",
      "rdfs:label": "Unix Link",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "d3f:CCI-001166_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system identifies organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001166"
    },
    {
      "@id": "d3f:M1034",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:IOPortRestriction"
      },
      "rdfs:label": "Limit Hardware Installation"
    },
    {
      "@id": "d3f:CCI-002712_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002712"
    },
    {
      "@id": "d3f:CCI-002662_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002662"
    },
    {
      "@id": "d3f:may-deceive",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may deceive",
      "rdfs:label": "may-deceive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:CWE-539",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-539",
      "rdfs:label": "Use of Persistent Cookies Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_11",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Restrict Access to Specific Information Types",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "rdfs:label": "AC-3(11)"
    },
    {
      "@id": "d3f:T1134.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AccessToken"
      ],
      "d3f:attack-id": "T1134.001",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Token Impersonation/Theft",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N2ac59138bdad458b86e1cd492a170c5a"
        }
      ]
    },
    {
      "@id": "_:N2ac59138bdad458b86e1cd492a170c5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:T1210",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1210",
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Exploitation of Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Nea359d5f3a2a49dfbba6f832313de142"
        },
        {
          "@id": "_:N62cde0573be64b89a169ef3834e6996e"
        },
        {
          "@id": "_:N0f57a7e47e1a42b99ebd6091f0410d8d"
        },
        {
          "@id": "_:N01d6fee2c8344a669454623af28203ba"
        }
      ]
    },
    {
      "@id": "_:Nea359d5f3a2a49dfbba6f832313de142",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N62cde0573be64b89a169ef3834e6996e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N0f57a7e47e1a42b99ebd6091f0410d8d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "_:N01d6fee2c8344a669454623af28203ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-562",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-562",
      "rdfs:label": "Return of Stack Variable Address",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:StackComponent",
      "@type": "owl:Class",
      "d3f:definition": "A stack component is any component of a call stack used for stack-based memory allocation in a running process.  Examples include saved instruction pointers, stack frames, and stack frame canaries.",
      "rdfs:label": "Stack Component",
      "rdfs:seeAlso": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150052603A1"
      },
      "d3f:kb-abstract": "An anti-tamper system is disclosed that includes self-adjusting guards inserted in software. Self-adjusting guards include invocation criteria and guard function. During run-time, each time the self-adjusting guard is invoked, the invocation criteria is evaluated and the guard function is only executed if the invocation criteria is satisfied. The invocation criteria can be static or dynamic, satisfied randomly with fixed or varying probability, a monotonically or exponentially decreasing function or most any other type of function. The invocation criteria can be satisfied based on elapsed inter-guard invocation time (time since last guard function execution), target inter-guard invocation time, and/or guard execution time. A method is disclosed of inserting self-adjusting guards into software, and executing the software. Evaluating the invocation criteria can include adjusting the invocation criteria when satisfied. The self-adjusting guards can be inserted into the software at a source or object code level.",
      "d3f:kb-author": "Kevin Dale Morgan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Anti-tamper system with self-adjusting guards",
      "rdfs:label": "Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:DeepQ-learning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DQL",
      "d3f:definition": "Deep Q-learning uses a deep convolutional neural network, with layers of tiled convolutional filters to mimic the effects of receptive fields.",
      "d3f:kb-article": "## References\nQ-learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Q-learning#Deep_Q-learning).",
      "rdfs:label": "Deep Q-learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Q-Learning"
      }
    },
    {
      "@id": "d3f:SymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SFTL",
      "d3f:definition": "Homogeneous symmetric transformation takes both the source feature space Xs and the target feature space Xt and learns feature transformations so as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data and, in effect, reduces marginal distribution differences.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. *Journal of Big Data, 4*(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Symmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-1065",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1065",
      "rdfs:label": "Runtime Resource Management Control Element in a Component Built to Run on Application Servers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Authorization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authorizes": {
        "@id": "d3f:NetworkResourceAccess"
      },
      "d3f:definition": "Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, \"to authorize\" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users and computer programs.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Authorization"
      },
      "rdfs:label": "Authorization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAction"
        },
        {
          "@id": "_:N72fa48470f3c454b818fd9cf4ccf6609"
        }
      ]
    },
    {
      "@id": "_:N72fa48470f3c454b818fd9cf4ccf6609",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authorizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResourceAccess"
      }
    },
    {
      "@id": "d3f:CCI-001453_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.",
      "d3f:exactly": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001453"
    },
    {
      "@id": "d3f:CWE-943",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-943",
      "rdfs:label": "Improper Neutralization of Special Elements in Data Query Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:T1561.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1561.002",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:PartitionTable"
        }
      ],
      "rdfs:label": "Disk Structure Wipe",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1561"
        },
        {
          "@id": "_:Ne0f5ecf2104542fcb0314ea1ec6d1ed2"
        },
        {
          "@id": "_:N282155342bf14781b2e9da20f338149d"
        }
      ]
    },
    {
      "@id": "_:Ne0f5ecf2104542fcb0314ea1ec6d1ed2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:N282155342bf14781b2e9da20f338149d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "d3f:hardens",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "hardens",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:semantic-relation",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "semantic-relation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170324767A1"
      },
      "d3f:kb-abstract": "Techniques for detecting and/or handling target attacks in an enterprise's email channel are provided. The techniques include receiving aspects of an incoming email message addressed to a first email account holder, selecting a recipient interaction profile and/or a sender profile from a plurality of predetermined profiles stored in a memory based upon the received properties, determining a message trust rating associated with the incoming email message based upon the incoming email message and the selected recipient interaction profile and/or the sender profile; and generating an alert identifying the incoming email message as including a security risk based upon the determined message trust rating. The recipient interaction profile includes information associating the first email account holder and a plurality of email senders from whom email messages have previously been received for the first email account holder, and the sender profile includes information associating a sender of the incoming email message with characteristics determined from a plurality of email messages previously received from the sender.",
      "d3f:kb-author": "Manoj Kumar Srivastava",
      "d3f:kb-mitre-analysis": "The patent describes using sender trust rating and sender MTA trust rating as an indicator of level of email security risk.\n\n### Sender Reputation explanation\nThis patent includes Sender Reputation because it describes sender trust rating being used as an indicator of the level of security risk and/or trust level associated with an email sender. The sender trust rating may be determined based on one or more of:\n\n* length of time sender has known the enterprise\n* number of recipients in the enterprise the sender interacts with\n* sender vs. enterprise originated message ratio\n* sender messages open vs. not-open ratio\n* number of emails received from this sender\n* number of emails replied for this sender\n* number of emails from this sender not opened\n* number of emails from this sender not opened that contain an attachment\n* number of emails from this sender not opened that contain a URL\n* number of emails sent to this sender\n* number of email replies received from this sender\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.\n\n### Sender MTA Reputation explanation\nThis patent includes Sender MTA Reputation because it describes sender MTA trust rating as an indicator of the level of security risk and/or trust level associated with a sender MTA. The trust rating may be determined based on one or more of:\n\n* length of time MTA has interacted with the enterprise\n* number of sender domains sending emails from the MTA\n* number of recipients in the enterprise the MTA sends emails to\n* number of emails received from this MTA\n* number of email replies received from this MTA\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.",
      "d3f:kb-organization": "Graphus Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Systems and methods for detecting and/or handling targeted attacks in the email channel",
      "rdfs:label": "Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc"
    },
    {
      "@id": "d3f:ContainerBuildTool",
      "@type": "owl:Class",
      "d3f:definition": "A software build tool that creates a container (e.g., Docker container) for deployment.",
      "rdfs:label": "Container Build Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackagingTool"
      }
    },
    {
      "@id": "d3f:CCI-001374_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001374"
    },
    {
      "@id": "d3f:ServiceDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemMapping"
      ],
      "d3f:d3fend-id": "D3-SVCDM",
      "d3f:definition": "Service dependency mapping determines the services on which each given service relies.",
      "d3f:kb-article": "## How it works\nThe organization collects and models architectural information about the services and consumers of services and maps the dependencies between the services.\n\n## Considerations\n* Architectural design artifacts and subject-matter experts (SMEs) may need to be consulted to determine if dependencies are intended or otherwise essential.\n* Service dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.\n* Service dependencies in cloud or microservice architectures may be discovered using distributed tracing capabilities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:ServiceDependency"
      },
      "d3f:synonym": "Distributed Tracing",
      "rdfs:label": "Service Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:Naeffdfd6b0f44edca1741a009aaef23e"
        }
      ]
    },
    {
      "@id": "_:Naeffdfd6b0f44edca1741a009aaef23e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceDependency"
      }
    },
    {
      "@id": "d3f:T1055.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.002",
      "d3f:may-add": {
        "@id": "d3f:ObjectFile"
      },
      "rdfs:label": "Portable Executable Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Ne74be0b8908c492db065fd9d125a65a6"
        }
      ]
    },
    {
      "@id": "_:Ne74be0b8908c492db065fd9d125a65a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ObjectFile"
      }
    },
    {
      "@id": "d3f:MeanAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAD",
      "d3f:definition": "The mean absolute deviation (MAD), also referred to as the \"mean deviation\" or sometimes \"average absolute deviation\", is the mean of the data's absolute deviations around the data's mean: the average (absolute) distance from the mean.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "d3f:synonym": "MAD",
      "rdfs:label": "Mean Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:AverageAbsoluteDeviation"
      }
    },
    {
      "@id": "d3f:CWE-440",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-440",
      "rdfs:label": "Expected Behavior Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:T1564.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.002",
      "d3f:modifies": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "rdfs:label": "Hidden Users",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N9bbbc9ed100a48c9a8bd9b6441950ffb"
        }
      ]
    },
    {
      "@id": "_:N9bbbc9ed100a48c9a8bd9b6441950ffb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:ProcessorRegister",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:CentralProcessingUnit"
      },
      "d3f:definition": "A processor register is a quickly accessible location available to a computer's processor. Registers usually consist of a small amount of fast storage, although some registers have specific hardware functions, and may be read-only or write-only.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Processor_register",
      "rdfs:label": "Processor Register",
      "rdfs:seeAlso": "https://www.techtarget.com/whatis/definition/register",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrimaryStorage"
        },
        {
          "@id": "_:N41f4921716bf44e29233ff1a96a85be4"
        }
      ]
    },
    {
      "@id": "_:N41f4921716bf44e29233ff1a96a85be4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CentralProcessingUnit"
      }
    },
    {
      "@id": "d3f:published",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of publication of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date published"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-498",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-498",
      "rdfs:label": "Cloneable Class Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:T1071",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:pref-label": "Application Layer Protocol C2",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Application Layer Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N727d875ce2244a5a9f0e6aa6d21644b9"
        },
        {
          "@id": "_:N96d5843169084eecbbd6ae5a877dee59"
        }
      ]
    },
    {
      "@id": "_:N727d875ce2244a5a9f0e6aa6d21644b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:N96d5843169084eecbbd6ae5a877dee59",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:InternetDNSLookup",
      "@type": "owl:Class",
      "d3f:definition": "An internet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a different network.",
      "rdfs:label": "Internet DNS Lookup",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:LegacySystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a legacy system is an old method, technology, computer system, or application program, \"of, relating to, or being a previous or outdated computer system,\" yet still in use. Often referencing a system as \"legacy\" means that it paved the way for the standards that would follow it. This can also imply that the system is out of date or in need of replacement.",
      "d3f:synonym": "Legacy Digital System",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Legacy_system"
      },
      "rdfs:label": "Legacy System",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalSystem"
      }
    },
    {
      "@id": "d3f:CCI-000226_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutionIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000226"
    },
    {
      "@id": "d3f:DomainAccountMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:d3fend-id": "D3-DAM",
      "d3f:definition": "Monitoring the existence of or changes to Domain User Accounts.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AuditUserAccountManagement"
      },
      "d3f:monitors": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Account Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:Nf244898c02074a4e8041bae9329ef1e7"
        }
      ]
    },
    {
      "@id": "_:Nf244898c02074a4e8041bae9329ef1e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:UserInitScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script used to initialize and configure elements of the user's applications and user environment.",
      "rdfs:label": "User Init Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:InitScript"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ]
    },
    {
      "@id": "d3f:GPT",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GPT",
      "d3f:definition": "Generative pre-trained transformers (GPT) are a type of large language model (LLM) and a prominent framework for generative artificial intelligence.",
      "d3f:kb-article": "## References\nGenerative pre-trained transformer. (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/Generative_pre-trained_transformer)",
      "d3f:synonym": "Generative Pre-trained Transformer",
      "rdfs:label": "GPT",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:T1053.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.003",
      "rdfs:label": "Cron Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:Certificate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "d3f:PublicKey"
        }
      ],
      "d3f:definition": "In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public_key_certificate"
      },
      "rdfs:label": "Certificate",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/certificate",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N51f86bbdd4414663ad928cc1b44da0e4"
        },
        {
          "@id": "_:N720b282b58014aa78328d4d7bcaf9df0"
        }
      ],
      "skos:altLabel": "Public Key Certificate"
    },
    {
      "@id": "_:N51f86bbdd4414663ad928cc1b44da0e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "_:N720b282b58014aa78328d4d7bcaf9df0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PublicKey"
      }
    },
    {
      "@id": "d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf"
      },
      "d3f:kb-author": "Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern",
      "d3f:kb-reference-of": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:kb-reference-title": "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords",
      "rdfs:label": "Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"
    },
    {
      "@id": "d3f:PatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PM",
      "d3f:definition": "Pattern matching is the act of checking a given sequence of tokens for the presence of the constituents of some pattern.",
      "d3f:kb-article": "## References\n1. Pattern matching. (2023, May 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Pattern_matching)",
      "rdfs:label": "Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:LinuxOpenAtArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file. Same functionality as Linux Open but slight differences in parameter.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/openat.2.html",
      "rdfs:label": "Linux OpenAt Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:T1587.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.001",
      "rdfs:label": "Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:CCI-002211_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002211"
    },
    {
      "@id": "d3f:CCI-000200_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits password reuse for the organization-defined number of generations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000200"
    },
    {
      "@id": "d3f:CWE-299",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-299",
      "rdfs:label": "Improper Check for Certificate Revocation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-404"
        }
      ]
    },
    {
      "@id": "d3f:T1074.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074.001",
      "d3f:may-create": {
        "@id": "d3f:File"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateFile"
      },
      "rdfs:label": "Local Data Staging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1074"
        },
        {
          "@id": "_:N55f2ef7326084bb39d026242fa0fa7a0"
        },
        {
          "@id": "_:N629fa387848347ac8feb7d8f78d4a97a"
        }
      ]
    },
    {
      "@id": "_:N55f2ef7326084bb39d026242fa0fa7a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N629fa387848347ac8feb7d8f78d4a97a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:CWE-1311",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1311",
      "rdfs:label": "Improper Translation of Security Attributes by Fabric Bridge",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-96",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-96",
      "rdfs:label": "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:T1578",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578",
      "rdfs:label": "Modify Cloud Compute Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:Impact"
      },
      "rdfs:label": "Impact Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Ndab215a193a0446ca0bada17589b8969"
        }
      ]
    },
    {
      "@id": "_:Ndab215a193a0446ca0bada17589b8969",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Impact"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Metadata",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(6)"
    },
    {
      "@id": "d3f:CWE-296",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-296",
      "rdfs:label": "Improper Following of a Certificate's Chain of Trust",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:may-be-created-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-create"
      },
      "rdfs:label": "may-be-created-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:control-name": "Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(10)"
    },
    {
      "@id": "d3f:CWE-1091",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1091",
      "rdfs:label": "Use of Object without Invoking Destructor Method",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1076"
        },
        {
          "@id": "d3f:CWE-772"
        }
      ]
    },
    {
      "@id": "d3f:LinuxCreat",
      "@type": "owl:Class",
      "d3f:definition": "Equivalent to calling Linux Open with flags equal to O_CREAT|O_WRONLY|O_TRUNC.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/creat.2.html",
      "rdfs:label": "Linux Creat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:cites",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      },
      "rdfs:label": "cites",
      "rdfs:range": {
        "@id": "d3f:InformationContentEntity"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:SystemConfigurationInitResource",
      "@type": "owl:Class",
      "d3f:definition": "A system configuration initialization resource has information for initializing (booting) a system.",
      "rdfs:label": "System Configuration Init Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:LocalResource"
      },
      "skos:altLabel": "System Init Resource"
    },
    {
      "@id": "d3f:T1037.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.005",
      "d3f:modifies": {
        "@id": "d3f:SystemStartupDirectory"
      },
      "rdfs:label": "Startup Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N692da5f14cc2484a9df944f90823a6ef"
        }
      ]
    },
    {
      "@id": "_:N692da5f14cc2484a9df944f90823a6ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemStartupDirectory"
      }
    },
    {
      "@id": "d3f:ProcessSuspension",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessEviction"
      ],
      "d3f:d3fend-id": "D3-PS",
      "d3f:definition": "Suspending a running process on a computer system.",
      "d3f:kb-article": "## How it works\n\nA running process might be suspended to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior. Defenders may choose to suspend rather than terminate to analyze the process first and resume the process if deemed benign.\n\n### System-provided functions\n\n#### Windows tools\nIn Windows, the `PsSuspend` command line utility from the SysInternals Suite provides functionality to suspend processes on a local or remote system.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-PsSuspend"
      },
      "d3f:suspends": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Process Suspension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:N06e30b317cab43189365cb9c29c2a571"
        }
      ]
    },
    {
      "@id": "_:N06e30b317cab43189365cb9c29c2a571",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190138715A1/"
      },
      "d3f:kb-abstract": "In one aspect, a method useful for monitoring and validating execution of executable binary code, includes the step of disassembling an executable binary code of an application. The method includes the step of detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an Al call and system call. The method includes the step of validating location of the API call system call, and privileged instruction. The method includes the step of validating return from the API call and system call.",
      "d3f:kb-author": "Jayant Shukla",
      "d3f:kb-mitre-analysis": "The patent describes a technique for monitoring API calls. Executable binary code of an application is first disassembled and scanned for API calls. Based on the recorded API calls, a rule list is generated. Software hooks are placed in the code for monitoring API calls during program execution and then each API call is validated using the generated rule list to permit or deny execution of API calls.\n\nRules are created that specify the type and location of the API call. For example, data collected for an application can show an API call to libc at address 0x43e0 and an API call by libc at address 0xlfb47. Accordingly, two rules are generated. The first rule specifies the location type and target of the API call at address 0x43e0, as well as the return address. The second rule is for the API call to the kernel and states the target address, return address, instruction, and target type.",
      "d3f:kb-organization": "K2 Cyber Security Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation",
      "rdfs:label": "Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Inc"
    },
    {
      "@id": "d3f:Reference-StreamingPhish",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/wesleyraptor/streamingphish"
      },
      "d3f:kb-abstract": "This is a utility that uses supervised machine learning to detect phishing domains from the Certificate Transparency log network.",
      "d3f:kb-author": "Wes Connell",
      "d3f:kb-organization": "Uber",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "StreamingPhish",
      "rdfs:label": "Reference - StreamingPhish"
    },
    {
      "@id": "d3f:CWE-1335",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1335",
      "rdfs:label": "Incorrect Bitwise Shift of Integer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CWE-607",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-607",
      "rdfs:label": "Public Static Final Field References Mutable Object",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-471"
      }
    },
    {
      "@id": "d3f:CCI-001684_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account modification actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001684"
    },
    {
      "@id": "d3f:CWE-560",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-560",
      "rdfs:label": "Use of umask() with chmod-style Argument",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-687"
      }
    },
    {
      "@id": "d3f:CWE-806",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-806",
      "rdfs:label": "Buffer Access Using Size of Source Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-805"
      }
    },
    {
      "@id": "d3f:related",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x related y: x has a symmetric associative relation to y.",
      "rdfs:isDefinedBy": {
        "@id": "skos:related"
      },
      "rdfs:label": "related",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:T1505.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:MessageTransferAgent"
      },
      "d3f:attack-id": "T1505.002",
      "d3f:modifies": {
        "@id": "d3f:MailServer"
      },
      "rdfs:label": "Transport Agent",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N14ae013100fd43eba43ada15cb25bb3f"
        },
        {
          "@id": "_:Nba47683a7cc7415ab89f56d9823e405e"
        }
      ]
    },
    {
      "@id": "_:N14ae013100fd43eba43ada15cb25bb3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MessageTransferAgent"
      }
    },
    {
      "@id": "_:Nba47683a7cc7415ab89f56d9823e405e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "skos:altLabel",
      "@type": "owl:AnnotationProperty",
      "rdfs:isDefinedBy": {
        "@id": "skos:"
      },
      "rdfs:label": {
        "@language": "en",
        "@value": "altLabel"
      }
    },
    {
      "@id": "d3f:CWE-336",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-336",
      "rdfs:label": "Same Seed in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:Hostname",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "d3f:definition": "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured.",
      "d3f:identifies": {
        "@id": "d3f:Host"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hostname"
      },
      "rdfs:label": "Hostname",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:Naf6faab73ba44f619efa415440a91d5c"
        }
      ],
      "skos:altLabel": "Nodename"
    },
    {
      "@id": "_:Naf6faab73ba44f619efa415440a91d5c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:CWE-1325",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1325",
      "rdfs:label": "Improperly Controlled Sequential Memory Allocation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-770"
      }
    },
    {
      "@id": "d3f:UnixHardLink",
      "@type": "owl:Class",
      "d3f:definition": "A Unix hard link is a hard link on a Unix file system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "Unix Hard Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ]
    },
    {
      "@id": "d3f:ClusterAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CA",
      "d3f:definition": "Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters).",
      "d3f:kb-article": "## References\nCluster analysis. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Cluster_analysis)",
      "rdfs:label": "Cluster Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:creator",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "creator",
      "rdfs:subPropertyOf": {
        "@id": "d3f:contributor"
      }
    },
    {
      "@id": "d3f:CWE-760",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-760",
      "rdfs:label": "Use of a One-Way Hash with a Predictable Salt",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-916"
      }
    },
    {
      "@id": "d3f:invoked-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:invokes"
      },
      "rdfs:label": "invoked-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-invoked-by"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Prevent Unauthorized Removal",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(3)"
    },
    {
      "@id": "d3f:WindowsRegistryKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Windows Registry Keys are container objects similar to folders that contain subkeys and/or data entries called values. A key can be a 'Registry Hive' when it is root key of a logical group of keys, subkeys, and values that has a set of supporting files loaded into memory when the operating system is started or a user logs in.",
      "d3f:may-contain": [
        {
          "@id": "d3f:WindowsRegistryKey"
        },
        {
          "@id": "d3f:WindowsRegistryValue"
        }
      ],
      "rdfs:isDefinedBy": [
        {
          "@id": "http://dbpedia.org/resource/Windows_Registry#Keys_and_values"
        },
        "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry"
      ],
      "rdfs:label": "Windows Registry Key",
      "rdfs:seeAlso": [
        "https://schema.ocsf.io/objects/registry_key",
        "https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-hives"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "_:N20d5555d48694b68a6c37211c9c3f28c"
        },
        {
          "@id": "_:Nfee3646d731048618f435b95e1742b40"
        },
        {
          "@id": "_:Ned1cb638f5f24678a87cf1cf46232d6f"
        }
      ]
    },
    {
      "@id": "_:N20d5555d48694b68a6c37211c9c3f28c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:Nfee3646d731048618f435b95e1742b40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValue"
      }
    },
    {
      "@id": "_:Ned1cb638f5f24678a87cf1cf46232d6f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:windows-registry-key"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:CACertificateFile",
      "@type": "owl:Class",
      "d3f:definition": "A file containing a digital certificate issued by a certificate authority (CA).  Certificate authorities store, issue, and sign digital certificates used as part of the public key infrastructure.",
      "rdfs:label": "CA Certificate File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Certificate_authority"
        },
        {
          "@id": "dbr:Public_key_infrastructure"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:T1219",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1219",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Remote Access Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N3f04eb7ca4d5494a8c824314282553e8"
        }
      ]
    },
    {
      "@id": "_:N3f04eb7ca4d5494a8c824314282553e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9990325B2/en"
      },
      "d3f:kb-abstract": "The present invention relates generally to computer systems, and more specifically, to a universal serial bus (USB) filter hub for a computer system.",
      "d3f:kb-author": "Steven R Hetzler, Daniel F Smith",
      "d3f:kb-organization": "International Business Machines Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Universal serial bus (USB) filter hub malicious code prevention system",
      "rdfs:label": "Reference - USB filter for hub malicious code prevention system"
    },
    {
      "@id": "d3f:T1001.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.001",
      "rdfs:label": "Junk Data",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:T1020.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1020.001",
      "rdfs:label": "Traffic Duplication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1020"
      }
    },
    {
      "@id": "d3f:CWE-241",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-241",
      "rdfs:label": "Improper Handling of Unexpected Data Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:may-query",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-query",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:ScheduledJob",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:JobSchedule"
      },
      "d3f:created-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:definition": "A task scheduler process is an operating system process that executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking).",
      "d3f:modified-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:synonym": [
        "Scheduled Task",
        "Task Scheduler Process"
      ],
      "rdfs:label": "Scheduled Job",
      "rdfs:seeAlso": [
        "https://schema.ocsf.io/objects/job",
        "https://linux.die.net/man/1/at",
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemProcess"
        },
        {
          "@id": "_:N7cfa919b3fa44660bfab3111e9b3c8f7"
        },
        {
          "@id": "_:N7a0d851950c0402fad7c99ec9a7eccc2"
        },
        {
          "@id": "_:Nf24f93f008db4396a88fcc95ac64f7cc"
        }
      ]
    },
    {
      "@id": "_:N7cfa919b3fa44660bfab3111e9b3c8f7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "_:N7a0d851950c0402fad7c99ec9a7eccc2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:created-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "_:Nf24f93f008db4396a88fcc95ac64f7cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "d3f:CWE-231",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-231",
      "rdfs:label": "Improper Handling of Extra Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:CCI-002464_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides data integrity protection artifacts for internal name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002464"
    },
    {
      "@id": "d3f:Reference-InferentialExploitAttemptDetection_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10216934B2/en?oq=US-10216934-B2"
      },
      "d3f:kb-abstract": "A security agent implemented on a monitored computing device is described herein. The security agent is configured to detect an action of interest (AoI) that may be probative of a security exploit and to determine a context in which that AoI occurred. Based on that context, the security agent is further configured to decide whether the AoI is a security exploit and can take preventative action to prevent the exploit from being completed.\n\nDetermining that the AoI includes the security exploit is based at least in part on one or more of: determining that the return address is outside memory previously allocated for an object; determining that the object identifier is associated with a vulnerable object; determining that permissions of the memory region include two or more of read, write, and execute; or determining that the memory region is one page in length.\n\nDetermining that the return address is outside memory previously allocated for an object and the method further including treating code that the return address points to as malicious code.",
      "d3f:kb-author": "Daniel W. Brown; Ion-Alexandru Ionescu; Loren C. Robinson",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:MemoryBoundaryTracking"
      },
      "d3f:kb-reference-title": "Inferential exploit attempt detection",
      "rdfs:label": "Reference - Inferential exploit attempt detection - Crowdstrike Inc"
    },
    {
      "@id": "d3f:CCI-000025_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000025"
    },
    {
      "@id": "d3f:Reference-ProtectingAgainstDistributedNetworkFloodAttacks-JuniperNetworksInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8789173B2"
      },
      "d3f:kb-abstract": "A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.",
      "d3f:kb-author": "Krishna Narayanaswamy, Bryan Burns, Venkata Rama Raju Manthena",
      "d3f:kb-organization": "Juniper Networks Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Protecting against distributed network flood attacks",
      "rdfs:label": "Reference - Protecting against distributed network flood attacks - Juniper Networks Inc."
    },
    {
      "@id": "d3f:T1614.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1614.001",
      "d3f:queries": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "System Language Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1614"
        },
        {
          "@id": "_:N741d3be3e88245c8b195efaf23c0f3dc"
        }
      ]
    },
    {
      "@id": "_:N741d3be3e88245c8b195efaf23c0f3dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CredentialManagementSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Credential_Management"
      },
      "rdfs:label": "Credential Management System",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1003.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:Process"
        }
      ],
      "d3f:attack-id": "T1003.001",
      "rdfs:label": "LSASS Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N5f331d875d604bae9004783d7d1e12ee"
        },
        {
          "@id": "_:N76a424de053e46888fda80ff84d304d1"
        }
      ]
    },
    {
      "@id": "_:N5f331d875d604bae9004783d7d1e12ee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:N76a424de053e46888fda80ff84d304d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:HostGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Host"
      },
      "d3f:definition": "A collection of Hosts used to allow operations such as access control to be applied to the entire group.",
      "rdfs:label": "Host Group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlGroup"
        },
        {
          "@id": "_:N36076f44616a44bc99806cd3200f727d"
        }
      ]
    },
    {
      "@id": "_:N36076f44616a44bc99806cd3200f727d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:T1195.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.003",
      "d3f:modifies": {
        "@id": "d3f:HardwareDevice"
      },
      "rdfs:label": "Compromise Hardware Supply Chain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:Nd70059b15a9144bb951d8dfb251b8d9f"
        }
      ]
    },
    {
      "@id": "_:Nd70059b15a9144bb951d8dfb251b8d9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9882929B1/en?oq=US-9882929-B1"
      },
      "d3f:kb-abstract": "Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.",
      "d3f:kb-author": "Taylor Ettema; Huagang Xie",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoyNetworkResource"
        },
        {
          "@id": "d3f:StandaloneHoneynet"
        }
      ],
      "d3f:kb-reference-title": "Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network",
      "rdfs:label": "Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-693",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-693",
      "rdfs:label": "Protection Mechanism Failure",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:Reference-TCGTrustedAttestationProtocolUseCasesForTPMFamilies1.2And2.0AndDICE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"
      },
      "d3f:kb-reference-title": "TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE",
      "rdfs:label": "Reference - TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE"
    },
    {
      "@id": "d3f:CWE-324",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-324",
      "rdfs:label": "Use of a Key Past its Expiration Date",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-002/"
      },
      "d3f:kb-abstract": "While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\\Windows\\System32 directory tree. There will be only occasional false positives due to administrator actions.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-002: Batch File Write to System32",
      "rdfs:label": "Reference - CAR-2021-05-002: Batch File Write to System32 - MITRE"
    },
    {
      "@id": "d3f:CWE-246",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-246",
      "rdfs:label": "J2EE Bad Practices: Direct Use of Sockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:CWE-454",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-454",
      "rdfs:label": "External Initialization of Trusted Variables or Data Stores",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/EP0658837B1/"
      },
      "d3f:kb-abstract": "A method of operating a security system for a computer network in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into a set of filter language instructions.",
      "d3f:kb-author": "Gil Shwed",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Checkpoint Software Technologies Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Method for controlling computer network security",
      "rdfs:label": "Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd"
    },
    {
      "@id": "d3f:CWE-328",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-328",
      "rdfs:label": "Use of Weak Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-326"
        },
        {
          "@id": "d3f:CWE-327"
        }
      ]
    },
    {
      "@id": "d3f:exactly",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "exactly",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:CWE-409",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-409",
      "rdfs:label": "Improper Handling of Highly Compressed Data (Data Amplification)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:AnalyticLatency",
      "@type": "owl:Class",
      "rdfs:label": "Analytic Latency",
      "rdfs:subClassOf": {
        "@id": "d3f:Latency"
      }
    },
    {
      "@id": "d3f:RubyScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Ruby Script File"
    },
    {
      "@id": "d3f:CWE-682",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-682",
      "rdfs:label": "Incorrect Calculation",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:T1597.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597.002",
      "rdfs:label": "Purchase Technical Data",
      "rdfs:subClassOf": {
        "@id": "d3f:T1597"
      }
    },
    {
      "@id": "d3f:OSAPIWriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:WriteFile"
      },
      "rdfs:label": "OS API Write File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nf4743e3db0804de49c5e732096fc2e36"
        }
      ]
    },
    {
      "@id": "_:Nf4743e3db0804de49c5e732096fc2e36",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WriteFile"
      }
    },
    {
      "@id": "d3f:OperationalActivityMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-OAM",
      "d3f:definition": "Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.",
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CatiaUAFPlugin"
      },
      "d3f:synonym": "Mission Mapping",
      "rdfs:label": "Operational Activity Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N7490077c446a4adebc19955fdefe6f01"
        }
      ]
    },
    {
      "@id": "_:N7490077c446a4adebc19955fdefe6f01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:MandatoryAccessControl",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Kernel-basedProcessIsolation"
      ],
      "d3f:d3fend-id": "D3-MAC",
      "d3f:definition": "Controlling access to local computer system resources with kernel-level capabilities.",
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-article": "## How it works\nMandatory access control is a non-discretionary access control system because the rules and policies that determine access are determined by a security control authority and not distributed to local users. Access determinations are based on designed access control policies and are not based on local resource owner determinations.\n\nAccess is typically granted by defining sets of subjects and sets of objects. Subjects are the entities requesting access and objects are the resources that subjects are trying to access. Rules and policies are defined that associate subjects and object permissions and access controls.\n\n### Common MAC implementations\n#### Security label access control\nA fine-grained form of mandatory access control is to apply security labels to individual resources, including processes, and the access control decisions are against a particular resource and a given user attempting to gain access. This type of MAC requires that the file system has built-in support for security labels.\n\nAccess controls are typically implemented through the use of label identifiers for every file system object. Identifier labels are applied to resources and users are assigned a similar access identifier. Users attempting to access a resource will result in the operating system performing an access control check. The access control check will compare the assigned user's credentials to that of the resource or object they are attempting to access.\n\nA security context is associated with resources and is used to determine access. Typical basic access control elements include users, roles and types and together they form a security context which is the basis for the security labels.\n\nThis type of access control is what is employed in SELinux [2]. This form of MAC is considered the most flexible implementation, but it also is the most complex to deploy across the enterprise. Where multiple virtual machines (VM) are run together this type of access control is typically employed to ensure true isolation of processes and VMs.\n\n#### File path level controls\nA less fine-grained form of mandatory access control is to apply security labels that allow for access control at the file path level.  Access control is filesystem agnostic and no relabeling of resources is required. Pathname access control usually seems more natural for implementation and corresponding access audits.\n\nThis type of MAC is what is employed in AppArmor [3]. AppArmor was developed to provide a simpler alternative MAC method with much less management overhead. A simple access policy is maintained that defines path resource access rules. Access control attributes are typically associated with programs instead of users.\n\n\n## Considerations\nSome implementations of security label mandatory access control contain complex rule sets that are hard to verify and complex to maintain over time.\n\nInitial planning of access model and continuous monitoring of the available users, resources and objects is necessary.\n\n## Implementations\n\n * Linux C-Groups, and policy engines like SELinux and AppArmor\n * Windows Mandatory Integrity Control introduced in Windows Vista\n\n\n### Citations\n1. [Implementation of Mandatory Access Control in Distributed Systems](https://link.springer.com/article/10.3103/S0146411618080357)\n2. [SELinux](https://selinuxproject.org/)\n3. [AppArmor](https://www.apparmor.net/)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation"
        },
        {
          "@id": "d3f:Reference-ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc"
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Mandatory Access Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        },
        {
          "@id": "_:Nbe93307cb84f428aafe020be33f475f9"
        },
        {
          "@id": "_:N6cf8856a844645bb93fba2d67d656b54"
        }
      ]
    },
    {
      "@id": "_:Nbe93307cb84f428aafe020be33f475f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N6cf8856a844645bb93fba2d67d656b54",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170195350A1/en?oq=US-2017195350-A1"
      },
      "d3f:kb-abstract": "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "This patent describes detecting malicious processes on a host. Agents are deployed on hosts that monitor all initiated processes and determine whether a process was initiated at boot or initiated by another process. If not initiated at boot or by another process, the process is identified as suspicious and an alert is triggered.",
      "d3f:kb-organization": "Palo Alto Networks Inc; Cyber Secdo Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "System and methods thereof for causality identification and attributions determination of processes in a network",
      "rdfs:label": "Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:CollaborativeSoftware",
      "@type": "owl:Class",
      "d3f:definition": "Collaborative software or groupware is application software designed to help people working on a common task to attain their goals. One of the earliest definitions of groupware is \"intentional group processes plus software to support them\". Collaborative software is a broad concept that overlaps considerably with computer-supported cooperative work (CSCW). According to Carstensen and Schmidt (1999) groupware is part of CSCW. The authors claim that CSCW, and thereby groupware, addresses \"how collaborative activities and their coordination can be supported by means of computer systems.\"",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Collaborative_software"
      },
      "rdfs:label": "Collaborative Software",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:WebFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addressed-by": {
        "@id": "d3f:URL"
      },
      "d3f:definition": "A web file resource is a file resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileResource"
        },
        {
          "@id": "d3f:WebResource"
        },
        {
          "@id": "_:N7ea11c91fbec47d7aaf7a59db99e95f6"
        }
      ]
    },
    {
      "@id": "_:N7ea11c91fbec47d7aaf7a59db99e95f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addressed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-59",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-59",
      "rdfs:label": "Improper Link Resolution Before File Access ('Link Following')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:MediaGeneration",
      "@type": "owl:Class",
      "owl:disjointWith": {
        "@id": "d3f:Simulation"
      },
      "rdfs:label": "Media Generation",
      "rdfs:subClassOf": {
        "@id": "d3f:Generation"
      }
    },
    {
      "@id": "d3f:CCI-000877_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000877"
    },
    {
      "@id": "d3f:CWE-232",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-232",
      "rdfs:label": "Improper Handling of Undefined Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:CCI-002353_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002353"
    },
    {
      "@id": "d3f:Link",
      "@type": "owl:Class",
      "rdfs:label": "Link",
      "rdfs:seeAlso": "https://dbpedia.org/resource/Link",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:T1102.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.002",
      "rdfs:label": "Bidirectional Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:WindowsNtAllocateVirtualMemory",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtAllocateVirtualMemory",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIAllocateMemory"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:OperationsCenterComputer",
      "@type": "owl:Class",
      "d3f:definition": "Mainframe computers or mainframes (colloquially referred to as \"big iron\") are computers used primarily by large organizations for critical applications; bulk data processing, such as census, industry and consumer statistics, and enterprise resource planning; and transaction processing. They are larger and have more processing power than some other classes of computers: minicomputers, servers, workstations, and personal computers.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Mainframe_computer"
      },
      "rdfs:label": "Operations Center Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Time-sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      },
      "skos:altLabel": "Mainframe"
    },
    {
      "@id": "d3f:confidence",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "confidence",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:CredentialRevoking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialEviction"
      ],
      "d3f:d3fend-id": "D3-CR",
      "d3f:definition": "Deleting a set of credentials permanently to prevent them from being used to authenticate.",
      "d3f:deletes": {
        "@id": "d3f:Credential"
      },
      "d3f:kb-article": "## How it works\n\nManagement servers with enterprise policies for account management provide the ability to remove permissions, accounts, or credentials. Compromised credentials should be revoked to prevent further malicious activity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft"
      },
      "rdfs:label": "Credential Revoking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:Na98866c69acd4b4da93c872939d398ca"
        }
      ]
    },
    {
      "@id": "_:Na98866c69acd4b4da93c872939d398ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:WeightedMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-WM",
      "d3f:definition": "A mean that incorporates weighting to certain data elements.",
      "d3f:kb-article": "## Considerations\nThe arithmetic mean, geometric mean, and harmonic mean can all be weighted.\n\n## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Weighted Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:Planning",
      "@type": "owl:Class",
      "rdfs:label": "Planning",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:CWE-530",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-530",
      "rdfs:label": "Exposure of Backup File to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:T1565",
      "@type": "owl:Class",
      "d3f:attack-id": "T1565",
      "rdfs:label": "Data Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:CWE-657",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-657",
      "rdfs:label": "Violation of Secure Design Principles",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:ConfigurationFile",
      "@type": "owl:Class",
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system settings.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Configuration_file"
      },
      "rdfs:label": "Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      },
      "skos:altLabel": "Settings File"
    },
    {
      "@id": "d3f:T1202",
      "@type": "owl:Class",
      "d3f:attack-id": "T1202",
      "rdfs:label": "Indirect Command Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.omg.org/spec/UAF/"
      },
      "d3f:kb-abstract": "UAF is an OMG standard that assists in development of architectural descriptions in commercial industry firms, federal government agencies and defense organizations. UAF has a variety of use cases from Enterprise and Mission architecting, to System of Systems (SoS) and Cyber-physical Systems engineering, as well as being an enabler for Digital Transformation efforts and for Department of Defense Architecture Framework (DoDAF) and NATO Architecture Framework (NAF) modeling. Architectural Descriptions in UAF are aligned with ISO/IEC/IEEE 42010:2011, Systems and software engineering -- Architecture description.",
      "d3f:kb-organization": "OMG",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "d3f:OperationalDependencyMapping"
        },
        {
          "@id": "d3f:OrganizationMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Unified Architecture Framework (UAF)",
      "rdfs:label": "Reference - Unified Architecture Framework (UAF)"
    },
    {
      "@id": "d3f:CWE-654",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-654",
      "rdfs:label": "Reliance on a Single Factor in a Security Decision",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:connects",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x connects y: The subject x joins system y by means of communication equipment (to some other system, typically the adversary-targeted host).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01071413-v"
      },
      "rdfs:label": "connects",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:detects",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "detects",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Updates Only by Privileged Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "SI-3(4)"
    },
    {
      "@id": "d3f:may-invoke",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-invoke y: The entity x may invoke the thing y; that is, 'x invokes y' may be true.",
      "rdfs:label": "may-invoke",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Transformer-basedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TBL",
      "d3f:definition": "A transformer is a deep learning model. It is distinguished by its adoption of self-attention, differentially weighting the significance of each part of the input (which includes the recursive output) data.",
      "d3f:kb-article": "## References\n\"Transformer (machine learning model).\" Wikipedia. [Link](https://en.wikipedia.org/wiki/Transformer_(machine_learning_model)).",
      "rdfs:label": "Transformer-based Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:SerializationFunction",
      "@type": "owl:Class",
      "d3f:definition": "A function which has an operation that serializes data.",
      "rdfs:label": "Serialization Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:pref-label",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x pref-label y: The preferred display value for x is y in d3fend tools.",
      "rdfs:label": "pref-label",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-1055",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1055",
      "rdfs:label": "Multiple Inheritance from Concrete Classes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:ProcessSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Process segments are distinct partitions of the memory space of a running process.  Heap, data, code, and stack segments are examples of process segments.",
      "d3f:synonym": "Process Memory",
      "rdfs:label": "Process Segment",
      "rdfs:subClassOf": {
        "@id": "d3f:BinarySegment"
      }
    },
    {
      "@id": "d3f:T1490",
      "@type": "owl:Class",
      "d3f:attack-id": "T1490",
      "rdfs:label": "Inhibit System Recovery",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:D3FENDUseCaseThing",
      "@type": "owl:Class",
      "rdfs:label": "D3FEND Use Case Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:T1053.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053.004",
      "d3f:creates": {
        "@id": "d3f:PropertyListFile"
      },
      "rdfs:label": "Launchd",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1053"
        },
        {
          "@id": "_:N9ebf60bd8f2c4d4fafc27e6a0582abce"
        }
      ]
    },
    {
      "@id": "_:N9ebf60bd8f2c4d4fafc27e6a0582abce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:T1591",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591",
      "rdfs:label": "Gather Victim Org Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:T1590.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.003",
      "rdfs:label": "Network Trust Dependencies",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:ChatroomClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software used to conduct any form of synchronous conferencing, occasionally even asynchronous conferencing. The term can thus mean any technology ranging from real-time online chat and online interaction with strangers (e.g., online forums) to fully immersive graphical social environments.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Chat_room"
      },
      "rdfs:label": "Chatroom Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      },
      "skos:altLabel": "Chat Room Client"
    },
    {
      "@id": "d3f:CWE-792",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-792",
      "rdfs:label": "Incomplete Filtering of One or More Instances of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-791"
      }
    },
    {
      "@id": "d3f:CWE-304",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-304",
      "rdfs:label": "Missing Critical Step in Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-303"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:BayesianHypothesisTesting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BHT",
      "d3f:definition": "Bayesian hypothesis testing can be framed as a special case of model comparison where a model refers to a likelihood function and a prior distribution.",
      "d3f:kb-article": "## How it works\nGiven two competing hypotheses and some relevant data, Bayesian hypothesis testing begins by specifying separate prior distributions to quantitatively describe each hypothesis. The combination of the likelihood function for the observed data with each of the prior distributions yields hypothesis-specific models. For each of the hypothesis-specific models, averaging (ie, integrating) the likelihood with respect to the prior distribution across the entire parameter space yields the probability of the data under the model and, therefore, the corresponding hypothesis. This quantity is more commonly referred to as the marginal likelihood and represents the average fit of the model to the data. The ratio of the marginal likelihoods for both hypothesis-specific models is known as the Bayes factor.\n\n## References\nBaig, S. A., PhD. (2020). Bayesian Inference: An Introduction to Hypothesis Testing Using Bayes Factors. Nicotine & Tobacco Research, 22(7), 1244-1246. [Link](https://academic.oup.com/ntr/article/22/7/1244/5613971)",
      "rdfs:label": "Bayesian Hypothesis Testing",
      "rdfs:subClassOf": {
        "@id": "d3f:BayesianMethod"
      }
    },
    {
      "@id": "d3f:GetOpenSockets",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enumerates": {
        "@id": "d3f:Pipe"
      },
      "rdfs:label": "Get Open Sockets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ne2b8453e85144da981f6c3c7641e3f36"
        }
      ]
    },
    {
      "@id": "_:Ne2b8453e85144da981f6c3c7641e3f36",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:KernelAPISensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors system calls (operating system API functions).",
      "d3f:monitors": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Kernel API Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N811683e8e48c4d8688d8dd69022c8efb"
        }
      ]
    },
    {
      "@id": "_:N811683e8e48c4d8688d8dd69022c8efb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-909",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-909",
      "rdfs:label": "Missing Initialization of Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:Reference-ContentExtractorAndAnalysisSystem_Bit9Inc,CarbonBlackInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20070028110A1"
      },
      "d3f:kb-abstract": "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. The system can extract content of interest from a file container, repackage the content of interest as another valid file type, perform hashes on the content of interest, associate the hash of the container with the hash of the repackaged content, transfer the repackaged content, and store the hash with other security-related information.",
      "d3f:kb-author": "Todd Brennan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bit 9 Inc, Carbon Black Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:kb-reference-title": "Content extractor and analysis system",
      "rdfs:label": "Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Inc"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Privilege Limitation for Production and Operation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(5)"
    },
    {
      "@id": "d3f:GoodmanAndKruskalsGamma",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GAKG",
      "d3f:definition": "Goodman-Kruskal $\\gamma$ is a measure of rank correlation between x and y and is given by $(n_c - n_d) / (n_c + n_d)$, where $n_c$ is the number of concordant pairs of the observations and $n_d$ is the number of discordant pairs.",
      "d3f:kb-article": "## References\n1. Wolfram Research. (2012). GoodmanKruskalGamma. Wolfram Language function.  [Link](https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html)\n1. Goodman and Kruskal's gamma. (2022, Nov 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Goodman_and_Kruskal%27s_gamma)",
      "rdfs:isDefinedBy": "https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html",
      "rdfs:label": "Goodman and Kruskal's Gamma",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:CCI-002425_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002425"
    },
    {
      "@id": "d3f:CWE-606",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-606",
      "rdfs:label": "Unchecked Input for Loop Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1284"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-004%3ABITSJobPersistence_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-004/"
      },
      "d3f:kb-abstract": "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use bitsadmin /list /verbose to list out the jobs during investigation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-004: BITS Job Persistence",
      "rdfs:label": "Reference - CAR-2021-05-004: BITS Job Persistence - MITRE"
    },
    {
      "@id": "d3f:T1495",
      "@type": "owl:Class",
      "d3f:attack-id": "T1495",
      "rdfs:label": "Firmware Corruption",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1001.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.003",
      "rdfs:label": "Protocol Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:IntranetDNSLookup",
      "@type": "owl:Class",
      "d3f:definition": "An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on that same network.",
      "rdfs:label": "Intranet DNS Lookup",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:CCI-000767_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for local access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000767"
    },
    {
      "@id": "d3f:CCI-000197_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, transmits only cryptographically-protected passwords.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000197"
    },
    {
      "@id": "d3f:CWE-1164",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1164",
      "rdfs:label": "Irrelevant Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1114",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:attack-id": "T1114",
      "rdfs:label": "Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N313096b1bc484af6bc21942508f8a557"
        }
      ]
    },
    {
      "@id": "_:N313096b1bc484af6bc21942508f8a557",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:T1027.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.004",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Compile After Delivery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:Nc98f56b373144d1da4278218c783e61c"
        }
      ]
    },
    {
      "@id": "_:Nc98f56b373144d1da4278218c783e61c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:CWE-917",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-917",
      "rdfs:label": "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:kb-organization",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-organization y: The reference x was created or owned by the organization y.",
      "rdfs:label": "kb-organization",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:CWE-173",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-173",
      "rdfs:label": "Improper Handling of Alternate Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:CWE-366",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-366",
      "rdfs:label": "Race Condition within a Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:OSAPIMoveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:MoveFile"
      },
      "rdfs:label": "OS API Move File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N5bec188eced84ee09733d1c7e69e2d9d"
        }
      ]
    },
    {
      "@id": "_:N5bec188eced84ee09733d1c7e69e2d9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MoveFile"
      }
    },
    {
      "@id": "d3f:LinuxMmap",
      "@type": "owl:Class",
      "d3f:definition": "Map files or devices into memory.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/mmap.2.html",
      "rdfs:label": "Linux Mmap",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:CWE-1357",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1357",
      "rdfs:label": "Reliance on Insufficiently Trustworthy Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1552",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Credential"
      },
      "d3f:attack-id": "T1552",
      "rdfs:label": "Unsecured Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N15f4771201474bb5b7893a54dc2e15a9"
        }
      ]
    },
    {
      "@id": "_:N15f4771201474bb5b7893a54dc2e15a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:CWE-116",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-116",
      "rdfs:label": "Improper Encoding or Escaping of Output",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:CWE-90",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-90",
      "rdfs:label": "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-943"
      }
    },
    {
      "@id": "d3f:StoredProcedure",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A stored procedure (also termed proc, storp, sproc, StoPro, StoredProc, StoreProc, sp, or SP) is a subroutine available to applications that access a relational database management system (RDBMS). Such procedures are stored in the database data dictionary.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Stored_procedure"
      },
      "rdfs:label": "Stored Procedure",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:control-name": "Separation of System and User Functionality",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SC-2"
    },
    {
      "@id": "d3f:T1053.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.002",
      "rdfs:label": "At (Windows) Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:T1534",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1534",
      "d3f:produces": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Internal Spearphishing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Naaf70e913f634459b4ac1120ee0f306e"
        }
      ]
    },
    {
      "@id": "_:Naaf70e913f634459b4ac1120ee0f306e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:InboundInternetDNSResponseTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet DNS response traffic is DNS response traffic from a host outside a given network initiated on an incoming connection to a host inside that network.",
      "rdfs:label": "Inbound Internet DNS Response Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1574.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.001",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "DLL Search Order Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Ndc1d8f5dbf2f4009aded2ce6d2a380dc"
        }
      ]
    },
    {
      "@id": "_:Ndc1d8f5dbf2f4009aded2ce6d2a380dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:OSAPICreateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:CreateFile"
      },
      "rdfs:label": "OS API Create File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Ndb000d9a19f84aada886c4d0ef2e01e1"
        }
      ]
    },
    {
      "@id": "_:Ndb000d9a19f84aada886c4d0ef2e01e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:IntrusionPreventionSystem",
      "@type": "owl:Class",
      "d3f:definition": "Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.\n\nIntrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Intrusion_detection_system#Intrusion_prevention"
      },
      "rdfs:label": "Intrusion Prevention System",
      "rdfs:seeAlso": {
        "@id": "dbr:Intrusion_detection_system"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntrusionDetectionSystem"
      },
      "skos:altLabel": [
        "IDPS",
        "IPS",
        "Intrusion Detection and Prevention System"
      ]
    },
    {
      "@id": "d3f:T1543.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.003",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Windows Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N852d2370d820417d9cd97059a85060da"
        }
      ]
    },
    {
      "@id": "_:N852d2370d820417d9cd97059a85060da",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:T1172",
      "@type": "owl:Class",
      "d3f:attack-id": "T1172",
      "rdfs:label": "Domain Fronting",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CWE-368",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-368",
      "rdfs:label": "Context Switching Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:OfficeApplicationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A document file in a format associated with a d3f:OfficeApplication.",
      "rdfs:label": "Office Application File",
      "rdfs:seeAlso": "d3f:OfficeApplication",
      "rdfs:subClassOf": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "d3f:T1027.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.006",
      "d3f:creates": {
        "@id": "d3f:JavaScriptBlob"
      },
      "d3f:hides": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "HTML Smuggling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:N6b3ae8576dd446288e9612a5dd8086e8"
        },
        {
          "@id": "_:Nbaf09f21ab7e46b8877b808dffe33b12"
        }
      ]
    },
    {
      "@id": "_:N6b3ae8576dd446288e9612a5dd8086e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JavaScriptBlob"
      }
    },
    {
      "@id": "_:Nbaf09f21ab7e46b8877b808dffe33b12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hides"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CCI-000164_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized deletion.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000164"
    },
    {
      "@id": "d3f:First-orderLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-FOL",
      "d3f:definition": "First-order logic is a collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic uses quantified variables over non-logical objects, and allows the use of sentences that contain variables.",
      "d3f:kb-article": "## How it works\n\nFor propositions such as \"Socrates is a man\", one can have expressions in the form \"there exists x such that x is Socrates and x is a man\", where \"there exists\" is a quantifier, while x is a variable. This distinguishes it from propositional logic, which does not use quantifiers or relations.\n\nThe term \"first-order\" distinguishes first-order logic from higher-order logic, in which there are predicates having predicates or functions as arguments, or in which quantification over predicates, functions, or both, are permitted.\n\n## Considerations\n\n- Advantages:\n-- First-order logic is more expressive than propositional logic; one can talk about objects and their properties, relations between objects.\n-- First-order logic is able to make use of variables and quantifiers (e.g., \"for all\" and \"exists\".)\n-- First-order logic supports power forms of reasoning, such as inferring the properties of an unknown object from the properties of known objects.\n\n- Disadvantages:\n-- First-order logic is more difficult to learn and use than propositional logic, due to its greater complexity.\n-- First-order logic is also less tractable than propositional logic in many cases; reasoning about quantifiers and variables adds complexity.\n-- First-order logic can be difficult to apply in practice, due to the need to find appropriate axioms and rules for each application.\n\n### Verification Approach\n\n- Automated theorem provers can assist in formal verification, performing automated reasoning over system modeled in first-order logic and explore a complete space of system behaviors\n- First-order logic may be more expressive than necessary for many types of problems and may be more difficult to verify by SMEs.\n- Theorem provers based in FOL are capable of use in software verification tasks, but an SMT solver such as Z3 might be more appropriate.\n- Defining a set of competency questions (i.e., query use cases for a 
first-order logic ontology) can help scope the logic required for a complete solution.\n\n### Validation Approach\n\n- Domain SMEs should be identified to review the analytics results and compare them to expected results for a given input.\n- Where possible, an outside team of SMEs should inspect the formal logic specification of a system against its stated requirements and suitability to address its domain problem sets.\n- Defining a set of competency questions and the expected results provides one means of validation.\n\n## References\n\n1.  First-order logic. (2023, May 26). In _Wikipedia_.  [Link](https://en.wikipedia.org/wiki/First-order_logic)\n2. Shapiro, S. and Kissel, T. Classical Logic. (2022). Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-classical/)\n3. A.I. For Anyone. First-order Logic (n.d.). [Link](https://www.aiforanyone.org/glossary/first-order-logic)\n4. Smith, P. An Introduction to Formal Logic. (2020). [Link](https://doi.org/10.1017/9781108328999)\n5. Gruninger, M. and Fox, M. (1995). Methodology for the Design and Evaluation of Ontologies. [Link](https://www.researchgate.net/publication/2288533_Methodology_for_the_Design_and_Evaluation_of_Ontologies)\n6. Keet, C., Suarez-Figurosa, M., and Poveda-Villalon, M. (2014). Pitfalls in Ontologies and TIPS to Prevent Them. [Link](https://dl.acm.org/doi/10.4018/ijswis.2014040102)\n7. Bjorner, N. et al. The inner magic behind the Z3 theorem prover. (2019) [Link](https://www.microsoft.com/en-us/research/blog/the-inner-magic-behind-the-z3-theorem-prover/)",
      "d3f:synonym": [
        "First-order Predicate Calculus",
        "FOL",
        "Quantificational Logic"
      ],
      "rdfs:label": "First-order Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:PredicateLogic"
      }
    },
    {
      "@id": "d3f:CWE-526",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-526",
      "rdfs:label": "Cleartext Storage of Sensitive Information in an Environment Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:has-contribution",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-contribution",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:T1152",
      "@type": "owl:Class",
      "d3f:attack-id": "T1152",
      "rdfs:label": "Launchctl",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001414_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001414"
    },
    {
      "@id": "d3f:d3fend-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "owl:topObjectProperty"
      }
    },
    {
      "@id": "d3f:ThinClientComputer",
      "@type": "owl:Class",
      "d3f:definition": "A thin client is a lightweight computer that has been optimized for establishing a remote connection with a server-based computing environment. The server does most of the work, which can include launching software programs, performing calculations, and storing data. This contrasts with a fat client or a conventional personal computer; the former is also intended for working in a client-server model but has significant local processing power, while the latter aims to perform its function mostly locally. Thin clients are shared computers as the thin client's computing resources are provided by a remote server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Thin_client"
      },
      "rdfs:label": "Thin Client Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      }
    },
    {
      "@id": "d3f:CWE-704",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-704",
      "rdfs:label": "Incorrect Type Conversion or Cast",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-39",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-39",
      "rdfs:label": "Path Traversal: 'C:dirname'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:PhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkMapping"
      ],
      "d3f:d3fend-id": "D3-PLM",
      "d3f:definition": "Physical link mapping identifies and models the link connectivity of the network devices within a physical network.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension"
      },
      "d3f:maps": [
        {
          "@id": "d3f:NetworkNode"
        },
        {
          "@id": "d3f:PhysicalLink"
        }
      ],
      "d3f:synonym": "Layer 1 Mapping",
      "rdfs:label": "Physical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:N6fc95af69647425e8819ae98a7e98812"
        },
        {
          "@id": "_:N6dde21fb22e94fbc857c2604ccdc9427"
        }
      ]
    },
    {
      "@id": "_:N6fc95af69647425e8819ae98a7e98812",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "_:N6dde21fb22e94fbc857c2604ccdc9427",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "d3f:T1542.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.004",
      "d3f:modifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "ROMMONkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Nb56d3fba15b94653b7005a42854d1883"
        }
      ]
    },
    {
      "@id": "_:Nb56d3fba15b94653b7005a42854d1883",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:Reference-PasswordandKeyRotation-SSH",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ssh.com/academy/iam/password-key-rotation"
      },
      "d3f:kb-organization": "SSH",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialRotation"
      },
      "d3f:kb-reference-title": "Password and Key Rotation",
      "rdfs:label": "Reference - Password and Key Rotation - SSH"
    },
    {
      "@id": "d3f:CWE-823",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-823",
      "rdfs:label": "Use of Out-of-range Pointer Offset",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:T1546",
      "@type": "owl:Class",
      "d3f:attack-id": "T1546",
      "rdfs:label": "Event Triggered Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1589.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.001",
      "rdfs:label": "Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:CCI-002715_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002715"
    },
    {
      "@id": "d3f:Reference-IntrusionDetectionUsingAHeartbeat_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180191752A1"
      },
      "d3f:kb-abstract": "A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.",
      "d3f:kb-author": "Kenneth D. Ray",
      "d3f:kb-mitre-analysis": "This patent describes a health monitor deployed on an endpoint that uses a heartbeat to periodically communicate status to a gateway's remote health monitor. The endpoint health monitor issues a heartbeat for satisfactory status of the endpoint using factors such as:\n\n* checking the status of individual software items executing on the endpoint\n* checking that antivirus and other security software is up to date (e. g., with current virus definition files) and running correctly\n* checking the integrity of cryptographic key stores\n* checking other hardware or software components of the endpoint as necessary or helpful for health monitoring\n\nA disappearance of the heartbeat from the endpoint may indicate that the endpoint has been compromised.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:EndpointHealthBeacon"
      },
      "d3f:kb-reference-title": "Intrusion detection using a heartbeat",
      "rdfs:label": "Reference - Intrusion detection using a heartbeat - Sophos Ltd"
    },
    {
      "@id": "d3f:CredentialCompromiseScopeAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Credential"
      },
      "d3f:d3fend-id": "D3-CCSA",
      "d3f:definition": "Determining which credentials may have been compromised by analyzing the user logon history of a particular system.",
      "d3f:kb-article": "## How it works\n\n#### Memory\nCredentials may be stored in memory for a variety of reasons; on Windows, they may be stored in lsass.exe.  Once a credential dumper like mimikatz runs and dumps the memory of lsass.exe, the credentials of every account logged on since boot are potentially compromised.\nWhen such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.\n\n\n#### Hard disk\nOperating System may cache a certain number of credentials onto the hard disk to use as a source of truth if it cannot contact the credential server.  In many versions of Microsoft Windows, the 10 most recent are cached by default; this setting can be changed in the Microsoft Management Console's Local Security Policy: ```Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0```  Here we are not concerned with the alteration of the credentials but the fact that they might be read.  If the attacker has physical access to the machine they are unlikely to be stopped from reading files on the filesystem.\n\"In the event that the domain controller is unavailable Windows will check the last password hashes that has been cached in order to authenticate the user with the system. These password hashes are cached in the following registry setting:\nHKEY_LOCAL_MACHINE\\SECURITY\\Cache\nMimikatz can retrieve these hashes if the following command is executed:\nlsadump::cache\" [1]\n\nThe Registry Hive, HKEY_LOCAL_MACHINE\\SAM, which is stored in the supporting files %systemroot%\\System32\\Config\\{Sam,sam.log,sam.sav}, contains the SAM file.\n\nDC: This is stored in %systemroot%\\ntds\\ntds.dit. (https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017)\n\nSometimes memory, which contains credentials, could get on the hard disk. Like with hiberfil.sys in Windows. 
 Equivalent on Linux\n\n\nOn Linux, an attacker could read the /etc/shadow file.\n\nCredentials can also be read via the /proc directory (mimipenguin, many others).\n\n## Considerations\nEffective implementation requires identifying any location that could end up containing credentials, and detecting any method of potential access to a source of credential data.\n\n1. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AllLoginsSinceLastBoot_MITRE"
        },
        {
          "@id": "d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp"
        }
      ],
      "rdfs:label": "Credential Compromise Scope Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:Nc6863b8016bd4138ba1bcc44a18c45c3"
        }
      ]
    },
    {
      "@id": "_:Nc6863b8016bd4138ba1bcc44a18c45c3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:SoftwareLibrary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:SoftwareLibraryFile"
      },
      "d3f:definition": "A software library is a collection of software components that are used to build a software product.",
      "rdfs:label": "Software Library",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Library_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:N9ee8d390b6ae48e897081ade3186d4b2"
        }
      ]
    },
    {
      "@id": "_:N9ee8d390b6ae48e897081ade3186d4b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareLibraryFile"
      }
    },
    {
      "@id": "d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10848519B2/"
      },
      "d3f:kb-abstract": "Methods and systems for Predictive Malware Defense (PMD) are described. The systems and methods can utilize advanced machine-learning (ML) techniques to generate malware defenses preemptively. Embodiments of PMD can utilize models, which are trained on features extracted from malware families, to predict possible courses of malware evolution. PMD captures these predicted future evolutions in signatures of as yet unseen malware variants to function as a malware vaccine. These signatures of predicted future malware “evolutions” can be added to the training set of a machine-learning (ML) based malware detection and/or mitigation system so that it can detect these new variants as they arrive.",
      "d3f:kb-author": "Michael Howard, Avi Pfeifer, Mukesh Dalal, Michael Reposa",
      "d3f:kb-organization": "Charles River Analytics Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentAnalysis"
      },
      "d3f:kb-reference-title": "Cyber vaccine and predictive-malware-defense methods and systems",
      "rdfs:label": "Reference - Cyber vaccine and predictive-malware-defense methods and systems"
    },
    {
      "@id": "d3f:CWE-529",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-529",
      "rdfs:label": "Exposure of Access Control List Files to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:CWE-1282",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1282",
      "rdfs:label": "Assumed-Immutable Data is Stored in Writable Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Model-freeReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MFRL",
      "d3f:definition": "In reinforcement learning (RL), a model-free algorithm (as opposed to a model-based one) is an algorithm which does not use the transition probability distribution (and the reward function) associated with the Markov decision process (MDP),which, in RL, represents the problem to be solved. The transition probability distribution (or transition model) and the reward function are often collectively called the \"model\" of the environment (or MDP), hence the name \"model-free\". A model-free RL algorithm can be thought of as an \"explicit\" trial-and-error algorithm. An example of a model-free algorithm is Q-learning.",
      "d3f:kb-article": "## References\nModel-free (reinforcement learning). Wikipedia. [Link](https://en.wikipedia.org/wiki/Model-free_(reinforcement_learning)).)",
      "rdfs:label": "Model-free Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReinforcementLearning"
      }
    },
    {
      "@id": "d3f:Distribution-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "Distribution-based clustering creates and groups data points based on their likely hood of belonging to the same probability distribution (Gaussian, Binomial, etc.) in the data.",
      "d3f:kb-article": "## References\nAnalytixLabs. (n.d.). Types of Clustering Algorithms. [Link](https://www.analytixlabs.co.in/blog/types-of-clustering-algorithms/#:~:text=Distribution-Based)",
      "rdfs:label": "Distribution-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:T1129",
      "@type": "owl:Class",
      "d3f:attack-id": "T1129",
      "rdfs:label": "Shared Modules Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1255",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1255",
      "rdfs:label": "Comparison Logic is Vulnerable to Power Side-Channel Attacks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1300"
      }
    },
    {
      "@id": "d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/"
      },
      "d3f:kb-abstract": "Red Hat Enterprise Linux 8 Security Guidelines",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:kb-reference-title": "Red Hat Enterprise Linux 8 Security Technical Implementation Guide",
      "rdfs:label": "Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guide"
    },
    {
      "@id": "d3f:MemoryExtent",
      "@type": "owl:Class",
      "rdfs:label": "Memory Extent",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180077186A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.",
      "d3f:kb-author": "Nicolas Beauchesne; Kevin Song-Kai Ni",
      "d3f:kb-mitre-analysis": "Collect network traffic metadata directed at administrative services over a period of time to establish a baseline. This baseline is then used to determine suspicious activity that falls outside of the established baseline.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting suspicious administrative activity",
      "rdfs:label": "Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc"
    },
    {
      "@id": "d3f:CCI-002605_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002605"
    },
    {
      "@id": "d3f:T1125",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:VideoInputDevice"
      },
      "d3f:attack-id": "T1125",
      "rdfs:label": "Video Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N9de64af2ad5643f0b97b2a795f14de5e"
        }
      ]
    },
    {
      "@id": "_:N9de64af2ad5643f0b97b2a795f14de5e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VideoInputDevice"
      }
    },
    {
      "@id": "d3f:MemoryBlock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryWord"
      },
      "d3f:definition": "In computing (specifically data transmission and data storage), a block, sometimes called a physical record, is a sequence of bytes or bits, usually containing some whole number of records, having a maximum length; a block size. Data thus structured are said to be blocked. The process of putting data into blocks is called blocking, while deblocking is the process of extracting data from blocks. Blocked data is normally stored in a data buffer and read or written a whole block at a time.",
      "d3f:may-contain": {
        "@id": "d3f:Record"
      },
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Block_(data_storage)",
      "rdfs:label": "Memory Block",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryExtent"
        },
        {
          "@id": "_:N81bd329621b34757b67b1a879d6d9dba"
        },
        {
          "@id": "_:N269f8d975c7d4a5ba2e46bbaa0321894"
        }
      ]
    },
    {
      "@id": "_:N81bd329621b34757b67b1a879d6d9dba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryWord"
      }
    },
    {
      "@id": "_:N269f8d975c7d4a5ba2e46bbaa0321894",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:AuthorizationLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of authorization events.",
      "d3f:records": {
        "@id": "d3f:NetworkResourceAccess"
      },
      "rdfs:label": "Authorization Log",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        },
        {
          "@id": "dbr:Authorization"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Log"
        },
        {
          "@id": "_:Ndb3cea4b86754e19a135e81f65766cd9"
        }
      ]
    },
    {
      "@id": "_:Ndb3cea4b86754e19a135e81f65766cd9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResourceAccess"
      }
    },
    {
      "@id": "d3f:WebSessionActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:WebResourceAccess"
      },
      "d3f:d3fend-id": "D3-WSAA",
      "d3f:definition": "Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.",
      "d3f:kb-article": "## How it works\nUser web session data is collected over a period of time to create a user behavior profile. Data collected includes clicks made on a website, average time between clicks, filling out web forms, order in which pages are viewed, and downloading files. Current user web session behavior is then compared against the use behavior profile to identify anomalies and a likelihood that the current user web session is malicious. Current user web session behavior can also be compared to predetermined known malicious behavior profiles that are developed through analysis of malware in run time at a threat research facility.\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their web session activity enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        }
      ],
      "rdfs:label": "Web Session Activity Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N38d3789cc27248d59cf9130f6652eba5"
        }
      ]
    },
    {
      "@id": "_:N38d3789cc27248d59cf9130f6652eba5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebResourceAccess"
      }
    },
    {
      "@id": "d3f:UseCasePrerequisite",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Prerequisite",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDUseCaseThing"
      }
    },
    {
      "@id": "d3f:CWE-494",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-494",
      "rdfs:label": "Download of Code Without Integrity Check",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "d3f:CWE-669"
        }
      ]
    },
    {
      "@id": "d3f:T1546.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.014",
      "d3f:may-create": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:modifies": {
        "@id": "d3f:ConfigurationResource"
      },
      "rdfs:label": "Emond",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N41b0a6683bed43cab61b8adbb2a6f96a"
        },
        {
          "@id": "_:N33cbfa1aceec4eb38e0420c2cff02352"
        },
        {
          "@id": "_:N6aabc88bb88842ae956a80d71fd893e9"
        }
      ]
    },
    {
      "@id": "_:N41b0a6683bed43cab61b8adbb2a6f96a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:N33cbfa1aceec4eb38e0420c2cff02352",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:N6aabc88bb88842ae956a80d71fd893e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:CWE-335",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-335",
      "rdfs:label": "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:CWE-708",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-708",
      "rdfs:label": "Incorrect Ownership Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-282"
      }
    },
    {
      "@id": "d3f:CWE-1232",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1232",
      "rdfs:label": "Improper Lock Behavior After Power State Transition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:CWE-688",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-688",
      "rdfs:label": "Function Call With Incorrect Variable or Reference as Argument",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:CWE-228",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-228",
      "rdfs:label": "Improper Handling of Syntactically Invalid Structure",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-707"
        }
      ]
    },
    {
      "@id": "d3f:CreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:Thread"
      },
      "d3f:definition": "Threads are an execution model that exists independently from a language, as well as a parallel execution model. They enable a program to control multiple different flows of work that overlap in time.",
      "rdfs:label": "Create Thread",
      "rdfs:seeAlso": [
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread"
        },
        {
          "@id": "dbr:POSIX_Threads"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N8c61eeee60144fe8969e49f9c740b1ca"
        }
      ]
    },
    {
      "@id": "_:N8c61eeee60144fe8969e49f9c740b1ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:CCI-002218_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002218"
    },
    {
      "@id": "d3f:CCI-002891_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002891"
    },
    {
      "@id": "d3f:CWE-783",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-783",
      "rdfs:label": "Operator Precedence Logic Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:features",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:CapabilityFeatureClaim"
      },
      "rdfs:label": "features",
      "rdfs:range": {
        "@id": "d3f:CapabilityFeature"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:claims"
      }
    },
    {
      "@id": "d3f:CWE-651",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-651",
      "rdfs:label": "Exposure of WSDL File Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:TFTPServer",
      "@type": "owl:Class",
      "d3f:definition": "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. It is used where user authentication and directory visibility are not required.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Trivial_File_Transfer_Protocol"
      },
      "rdfs:label": "TFTP Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:MulticlassClassification",
      "@type": "owl:Class",
      "rdfs:label": "Multiclass Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classifying"
      }
    },
    {
      "@id": "d3f:T1139",
      "@type": "owl:Class",
      "d3f:attack-id": "T1139",
      "rdfs:label": "Bash History",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:WindowsNtCreatePagingFile",
      "@type": "owl:Class",
      "d3f:definition": "Typically used by Control Panel's \"System\" applet for creating new paged files.",
      "rdfs:label": "Windows NtCreatePagingFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:T1518.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1518.001",
      "d3f:may-access": [
        {
          "@id": "d3f:FileSystemMetadata"
        },
        {
          "@id": "d3f:KernelProcessTable"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:SystemFirewallConfiguration"
        }
      ],
      "d3f:may-invoke": {
        "@id": "d3f:GetRunningProcesses"
      },
      "rdfs:label": "Security Software Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1518"
        },
        {
          "@id": "_:Na5dc9ba268a54addb62f99e6cffd7d1a"
        },
        {
          "@id": "_:N8253475204a44a72b36e529ee3fbabd1"
        },
        {
          "@id": "_:N2f6dde072df64dd2a1dbe47ef1496562"
        },
        {
          "@id": "_:N1bb936c4d9224bc686ce407217107b71"
        },
        {
          "@id": "_:N0af3c722745c42ea846291051c7c1384"
        }
      ]
    },
    {
      "@id": "_:Na5dc9ba268a54addb62f99e6cffd7d1a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "_:N8253475204a44a72b36e529ee3fbabd1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelProcessTable"
      }
    },
    {
      "@id": "_:N2f6dde072df64dd2a1dbe47ef1496562",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "_:N1bb936c4d9224bc686ce407217107b71",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirewallConfiguration"
      }
    },
    {
      "@id": "_:N0af3c722745c42ea846291051c7c1384",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:CWE-674",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-674",
      "rdfs:label": "Uncontrolled Recursion",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:DHCPNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "DHCP Network Traffic is network traffic related to the DHCP protocol, used by network nodes to negotiate and configure either IPv4 or IPv6 addresses.",
      "rdfs:label": "DHCP Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-757",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-757",
      "rdfs:label": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:ApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application process is an instance of an application computer program that is being executed.",
      "d3f:runs": {
        "@id": "d3f:Application"
      },
      "rdfs:label": "Application Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Application_software"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserProcess"
        },
        {
          "@id": "_:Ne834900dcb3e45f1b6ae43a845aba7f0"
        }
      ]
    },
    {
      "@id": "_:Ne834900dcb3e45f1b6ae43a845aba7f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:Assessment",
      "@type": "owl:Class",
      "d3f:definition": "The classification of someone or something with respect to its worth.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05741528-n"
      },
      "rdfs:label": "Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCatalogThing"
        },
        {
          "@id": "_:Ndd98ffbe41b14e3a8755ac172d3ce077"
        },
        {
          "@id": "_:Ne236de938d8c4712a412395add828325"
        }
      ]
    },
    {
      "@id": "_:Ndd98ffbe41b14e3a8755ac172d3ce077",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:author"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "_:Ne236de938d8c4712a412395add828325",
      "@type": "owl:Restriction",
      "owl:allValuesFrom": {
        "@id": "_:N6d1f130c9baa4bad8ac930b836892436"
      },
      "owl:onProperty": {
        "@id": "d3f:expectation-rating"
      }
    },
    {
      "@id": "_:N6d1f130c9baa4bad8ac930b836892436",
      "@type": "rdfs:Datatype",
      "owl:oneOf": {
        "@list": [
          "below",
          "exceeded",
          "met"
        ]
      }
    },
    {
      "@id": "d3f:Reference-Finding_phishing_sites",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8839418B2/"
      },
      "d3f:kb-author": "Geoffrey John Hulten, Paul Stephen Rehfuss, Robert Rounthwaite, Joshua Theodore Goodman, Gopalakrishnan Seshadrinathan, Anthony P. Penta, Manav Mishra, Roderic C. Deyo, Elliott Jeb Haber, David Aaron Ward Snelling",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainNameReputationAnalysis"
        },
        {
          "@id": "d3f:IPReputationAnalysis"
        },
        {
          "@id": "d3f:URLReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Finding phishing sites",
      "rdfs:label": "Reference - Finding phishing sites"
    },
    {
      "@id": "d3f:CopyMemoryFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:copies": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "Copies a memory block from one location to another.",
      "rdfs:label": "Copy Memory Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nd670b18a846a47a29bf28329e0180565"
        }
      ]
    },
    {
      "@id": "_:Nd670b18a846a47a29bf28329e0180565",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:ScheduledJobAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:JobSchedule"
      },
      "d3f:d3fend-id": "D3-SJA",
      "d3f:definition": "Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.",
      "d3f:kb-article": "## How it works\nScheduled job execution can be utilized by adversaries for the purpose of persistence, conducting remote execution, or gaining privileges. Details of a scheduled job such as associated source files, processes, destination files, or destination servers are first identified and analyzed and then compared against an anti-malware signature database, whitelist, or reputation server. For example, a file associated with a scheduled job to be executed at a specified time or a remote server that is accessed as part of a scheduled task is compared against an anti-malware signature database, whitelist, or reputation server, and if a match is found, execution is denied and an alert is generated.\n\nIn addition to traditional scheduled jobs, triggers can be set to execute a specific command after detecting a specific event in the system, such as with WMI Event Subscriptions in Windows.\n\n## Considerations\nJobs can be scheduled in many different and sometimes creative ways through operating system capabilities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ExecutionWithAT_MITRE"
        },
        {
          "@id": "d3f:Reference-ExecutionWithSchtasks_MITRE"
        },
        {
          "@id": "d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC"
        }
      ],
      "d3f:synonym": "Scheduled Job Execution",
      "rdfs:label": "Scheduled Job Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N8573196335b1463591f4a2b5f3964fff"
        }
      ]
    },
    {
      "@id": "_:N8573196335b1463591f4a2b5f3964fff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:Reference-TrustedAttestationProtocolUseCases",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"
      },
      "d3f:kb-article": "## Document Abstract\nThis specification defines the Trusted Platform Module (TPM) a device that enables trust in computing platforms in general. It is broken into parts to make the role of each part clear. All parts are required in order to constitute a complete standard. For a complete definition of all requirements necessary to build a TPM, the designer will need to use the appropriate platform-specific specification to understand all of the requirements for a TPM in a specific application or make appropriate choices as an implementer. Those wishing to create a TPM need to be aware that this specification does not provide a complete picture of the options and commands necessary to implement a TPM. To implement a TPM the designer needs to refer to the relevant platform-specific specification to understand the options and settings required for a TPM in a specific type of platform or make appropriate choices as an implementer.",
      "d3f:kb-reference-title": "Trusted Attestation Protocol Use Cases",
      "rdfs:label": "Reference - Trusted Attestation Protocol Use Cases"
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-011%3ARegistryEditFromScreensaver",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-011/"
      },
      "d3f:kb-abstract": "Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-011: Registry Edit from Screensaver",
      "rdfs:label": "Reference - CAR-2020-11-011: Registry Edit from Screensaver"
    },
    {
      "@id": "d3f:CCI-002322_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002322"
    },
    {
      "@id": "d3f:IntranetWebNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet web network traffic is network traffic that does not cross a given network's boundaries and uses a standard web protocol.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Intranet Web Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "d3f:WebNetworkTraffic"
        },
        {
          "@id": "_:Nb4fef886d63e4badba3c9ae8c57cc615"
        }
      ]
    },
    {
      "@id": "_:Nb4fef886d63e4badba3c9ae8c57cc615",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-118",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-118",
      "rdfs:label": "Incorrect Access of Indexable Resource ('Range Error')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-37-Revision-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-37r2"
      },
      "d3f:kb-abstract": "This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations"
    },
    {
      "@id": "d3f:CWE-237",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-237",
      "rdfs:label": "Improper Handling of Structural Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:NetworkTimeServer",
      "@type": "owl:Class",
      "d3f:definition": "A network time server is a server computer that reads the actual time from a reference clock and distributes this information to its clients using a computer network. The time server may be a local network time server or an internet time server. The time server may also be a stand-alone hardware device. It can use NTP (RFC5905) or other protocols.",
      "rdfs:label": "Network Time Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Time_server"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:FileHashReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileHash"
      },
      "d3f:d3fend-id": "D3-FHRA",
      "d3f:definition": "Analyzing the reputation of a file hash.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Reputation_of_an_entity_associated_with_a_content_item"
      },
      "rdfs:label": "File Hash Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:Nabcf204c5bfe496ebbe8279664456cf0"
        }
      ]
    },
    {
      "@id": "_:Nabcf204c5bfe496ebbe8279664456cf0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileHash"
      }
    },
    {
      "@id": "d3f:ShimDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application configuration database that contains or points to software shims (e.g., for backward compatibility, patches, etc.).",
      "rdfs:label": "Shim Database",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CloudConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the services, parameters, and initial settings for a virtual server instance running in a cloud service.",
      "rdfs:label": "Cloud Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      },
      "skos:altLabel": "Cloud Configuration Information"
    },
    {
      "@id": "d3f:BashScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Bash Script File"
    },
    {
      "@id": "d3f:TerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. For resource management, the operating system reclaims resources (memory, files, etc.) that were used by the process. The process is said to be a dead process after it terminates.",
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Exit_(system_call)"
      },
      "rdfs:label": "Terminate Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nf1308756d6514ac2b6bf531143a23c5a"
        }
      ]
    },
    {
      "@id": "_:Nf1308756d6514ac2b6bf531143a23c5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:UserDataTransferAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ResourceAccess"
      },
      "d3f:d3fend-id": "D3-UDTA",
      "d3f:definition": "Analyzing the amount of data transferred by a user.",
      "d3f:kb-article": "## How it works\nUnusual data transfer activity may indicate unauthorized activity. Data transfers can be analyzed by collecting network traffic or application logs.\n\n## Considerations\n* There is a potential for false positives from anomalies that are not associated with unauthorized activity.\n* Attackers that move low and slow may not differentiate their data transfer behavior enough for an alert to trigger.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc"
        }
      ],
      "rdfs:label": "User Data Transfer Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N34ba98aecdbb435ebb400a03b7a6b9e0"
        }
      ]
    },
    {
      "@id": "_:N34ba98aecdbb435ebb400a03b7a6b9e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceAccess"
      }
    },
    {
      "@id": "d3f:LinuxConnect",
      "@type": "owl:Class",
      "d3f:definition": "Initiate a connection on a socket.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/connect.2.html",
      "rdfs:label": "Linux Connect",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIConnectSocket"
      }
    },
    {
      "@id": "d3f:WindowsNtOpenProcess",
      "@type": "owl:Class",
      "d3f:definition": "Opens a handle to a process object and sets the access rights to this object.",
      "rdfs:label": "Windows NtOpenProcess",
      "rdfs:seeAlso": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-ntopenprocess",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPITraceProcess"
        }
      ]
    },
    {
      "@id": "d3f:CWE-638",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-638",
      "rdfs:label": "Not Using Complete Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-862"
        }
      ]
    },
    {
      "@id": "d3f:Reference-WindowsRemoteManagement_WinRM_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-006: Windows Remote Management (WinRM)",
      "rdfs:label": "Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITRE"
    },
    {
      "@id": "d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.networkworld.com/article/3331199/what-does-aslr-do-for-linux.html"
      },
      "d3f:kb-abstract": "ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it's running, enable/disable it, and get a view of how it works.",
      "d3f:kb-author": "Sandra Henry-Stocker",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Network World",
      "d3f:kb-reference-of": {
        "@id": "d3f:SegmentAddressOffsetRandomization"
      },
      "d3f:kb-reference-title": "How ASLR protects Linux systems from buffer overflow attacks",
      "rdfs:label": "Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World"
    },
    {
      "@id": "d3f:Reference-ProcessesSpawningCmd.exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-003/"
      },
      "d3f:kb-abstract": "The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-02-003: Processes Spawning cmd.exe",
      "rdfs:label": "Reference - CAR-2013-02-003: Processes Spawning cmd.exe - MITRE"
    },
    {
      "@id": "d3f:CWE-1115",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1115",
      "rdfs:label": "Source Code Element without Standard Prologue",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-771",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-771",
      "rdfs:label": "Missing Reference to Active Allocated Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:CWE-377",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-377",
      "rdfs:label": "Insecure Temporary File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:RegOpenKeyW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:T1032",
      "@type": "owl:Class",
      "d3f:attack-id": "T1032",
      "rdfs:label": "Standard Cryptographic Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:Reference-PointerAuthenticationOnARMv8.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf"
      },
      "d3f:kb-abstract": "The pointer authentication scheme introduced by ARM is a software security primitive that makes it much harder for an attacker to modify protected pointers in memory without being detected. In this document, we will provide more details about the Pointer Authentication mechanism, provide a security analysis, and discuss the implementation of certain software security countermeasures, such as stack protection and control flow integrity, using the Pointer Authentication primitives.",
      "d3f:kb-author": "Qualcomm Technologies, Inc",
      "d3f:kb-organization": "Qualcomm Technologies, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PointerAuthentication"
      },
      "d3f:kb-reference-title": "Pointer Authentication on ARMv8.3",
      "rdfs:label": "Reference - Pointer Authentication on ARMv8.3"
    },
    {
      "@id": "d3f:CCI-001494_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized modification.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001494"
    },
    {
      "@id": "d3f:CWE-459",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-459",
      "rdfs:label": "Incomplete Cleanup",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:use-limits",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x use-limits y: An entity x specifies a designated number of uses beyond which some entity y cannot function or must be terminated.",
      "rdfs:label": "use-limits",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13781154-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:limits"
      }
    },
    {
      "@id": "d3f:T1110.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.001",
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Password Guessing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:N55d24668118a416dbe3a401692ec619a"
        },
        {
          "@id": "_:N805c7a1552fa49858cb4c90df08f25c1"
        },
        {
          "@id": "_:N794ca6f1e5e242c89502bb41389bca3b"
        }
      ]
    },
    {
      "@id": "_:N55d24668118a416dbe3a401692ec619a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:N805c7a1552fa49858cb4c90df08f25c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N794ca6f1e5e242c89502bb41389bca3b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:LinuxSocketcallArgumentSYS_CONNECT",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/socketcall.2.html",
      "rdfs:label": "Linux Socketcall Argument SYS_CONNECT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIConnectSocket"
      }
    },
    {
      "@id": "d3f:definition",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x definition y: The d3fend object x has the definition y.",
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/IAO_0000115"
      },
      "rdfs:label": [
        "comment",
        "definition"
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:DatabaseQuery",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A specific query expressed in SQL, SPARQL, or similar language against a database.",
      "rdfs:label": "Database Query",
      "rdfs:subClassOf": {
        "@id": "d3f:Command"
      }
    },
    {
      "@id": "d3f:step-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Step"
      ],
      "d3f:creates": {
        "@id": "d3f:Authentication"
      },
      "d3f:invokes": {
        "@id": "d3f:ImpersonateUser"
      },
      "rdfs:label": "Step 2 - Impersonate User"
    },
    {
      "@id": "d3f:T1547.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.008",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemServiceSoftware"
      },
      "rdfs:label": "LSASS Driver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N27388a484a284e4ab0b47e0ccb09cee4"
        },
        {
          "@id": "_:N3e9b9a309290457086fef37ba2d1f26b"
        }
      ]
    },
    {
      "@id": "_:N27388a484a284e4ab0b47e0ccb09cee4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N3e9b9a309290457086fef37ba2d1f26b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemServiceSoftware"
      }
    },
    {
      "@id": "d3f:ATTACKMitigation",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Mitigation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKThing"
        },
        {
          "@id": "_:N5e1e041b35c04496ad0f00001d01dd3f"
        },
        {
          "@id": "_:Nf3b9126aa3684ebe877467ff842987d2"
        }
      ]
    },
    {
      "@id": "_:N5e1e041b35c04496ad0f00001d01dd3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:semantic-relation"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "_:Nf3b9126aa3684ebe877467ff842987d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:d3fend-comment"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:CWE-188",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-188",
      "rdfs:label": "Reliance on Data/Memory Layout",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1105"
        },
        {
          "@id": "d3f:CWE-435"
        }
      ]
    },
    {
      "@id": "d3f:identified-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:identified-by"
      },
      "rdfs:label": "identified-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1602.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602.002",
      "rdfs:label": "Network Device Configuration Dump",
      "rdfs:subClassOf": {
        "@id": "d3f:T1602"
      }
    },
    {
      "@id": "d3f:T1218.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.001",
      "d3f:invokes": [
        {
          "@id": "d3f:CreateFile"
        },
        {
          "@id": "d3f:CreateProcess"
        }
      ],
      "rdfs:label": "Compiled HTML File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nb9d6013fcd9e4b7983f2274b7c5b4b5c"
        },
        {
          "@id": "_:N9865a3d60de546b9ae5c7d959215b6da"
        }
      ]
    },
    {
      "@id": "_:Nb9d6013fcd9e4b7983f2274b7c5b4b5c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "_:N9865a3d60de546b9ae5c7d959215b6da",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CCI-002359_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002359"
    },
    {
      "@id": "d3f:OutboundInternetRPCTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Outbound internet RPC traffic is RPC traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard RPC protocol.",
      "rdfs:label": "Outbound Internet RPC Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Internetworking"
        },
        {
          "@id": "dbr:Remote_procedure_call"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "d3f:RPCNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:ExecutableScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An executable script is written in a scripting language and interpreted at run time. This is in contrast with an executable binary, which contains machine code instructions for a physical CPU or byte code for a virtual machine.",
      "rdfs:label": "Executable Script",
      "rdfs:seeAlso": {
        "@id": "dbr:Executable"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1588.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.006",
      "rdfs:label": "Vulnerabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-82",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-82",
      "rdfs:label": "Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-83"
      }
    },
    {
      "@id": "d3f:RemovableMediaDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A removable media device is a hardware device used for computer storage and that is designed to be inserted and removed from the system.  It is distinct from other removable media in that all the hardware required to read the data are built into the device.  So USB flash drives and external hard drives are removable media devices, whereas tapes and disks are not, as they require additional hardware to perform read/write operations.",
      "rdfs:label": "Removable Media Device",
      "rdfs:seeAlso": {
        "@id": "dbr:Removable_media"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-570",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-570",
      "rdfs:label": "Expression is Always False",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-002890_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002890"
    },
    {
      "@id": "d3f:may-be-evicted-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be evicted by",
      "owl:inverseOf": {
        "@id": "d3f:may-evict"
      },
      "rdfs:label": "may-be-evicted-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:T1066",
      "@type": "owl:Class",
      "d3f:attack-id": "T1066",
      "rdfs:label": "Indicator Removal from Tools",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ConferencePaper",
      "@type": "owl:Class",
      "rdfs:label": "Conference Paper",
      "rdfs:subClassOf": {
        "@id": "d3f:AcademicArticle"
      }
    },
    {
      "@id": "d3f:AnalysisOfAlternatives",
      "@type": "owl:Class",
      "rdfs:label": "Analysis of Alternatives",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCatalogThing"
        },
        {
          "@id": "_:Na5e3fe9d9db240aeb4ca88ec81e3fcea"
        },
        {
          "@id": "_:Nb64e5993fa0a4a9993365e9a0337b0a3"
        }
      ]
    },
    {
      "@id": "_:Na5e3fe9d9db240aeb4ca88ec81e3fcea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PortfolioAssessment"
      }
    },
    {
      "@id": "_:Nb64e5993fa0a4a9993365e9a0337b0a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:author"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:CWE-1248",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1248",
      "rdfs:label": "Semiconductor Defects in Hardware Logic with Security-Sensitive Implications",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:ProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Proxy_server"
      },
      "rdfs:label": "Proxy Server",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/network_proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkNode"
        },
        {
          "@id": "d3f:Server"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1045",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1045",
      "rdfs:label": "Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:CWE-1073",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1073",
      "rdfs:label": "Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CCI-002302_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002302"
    },
    {
      "@id": "d3f:CWE-664",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-664",
      "rdfs:label": "Improper Control of a Resource Through its Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:CWE-278",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-278",
      "rdfs:label": "Insecure Preserved Inherited Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:T1036.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.002",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Right-to-Left Override",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:Neb61e2f6de4441f7b1238ad53e0030c2"
        }
      ]
    },
    {
      "@id": "_:Neb61e2f6de4441f7b1238ad53e0030c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Network Access to Privileged Commands",
      "d3f:exactly": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(3)"
    },
    {
      "@id": "d3f:CloudUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account on a given host is a local user account for a given cloud and specified resources within that cloud.",
      "rdfs:label": "Cloud User Account",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1019",
      "@type": "owl:Class",
      "d3f:attack-id": "T1019",
      "rdfs:label": "System Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "System Monitoring | Inbound and Outbound Communications Traffic",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SI-4(4)"
    },
    {
      "@id": "d3f:CWE-552",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-552",
      "rdfs:label": "Files or Directories Accessible to External Parties",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:CWE-782",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-782",
      "rdfs:label": "Exposed IOCTL with Insufficient Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-749"
      }
    },
    {
      "@id": "d3f:Step",
      "@type": "owl:Class",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:Nf79a2d4f5bb346d38f7956877c2fdbf9"
        },
        {
          "@id": "_:N2d1f327d17ef4456bfbd07442d7ea77e"
        },
        {
          "@id": "_:Nbb14488d616342fa8003c63fbfc1dc33"
        },
        {
          "@id": "_:N3ac405f904c74d099af9a484b4cef952"
        }
      ]
    },
    {
      "@id": "_:Nf79a2d4f5bb346d38f7956877c2fdbf9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:end"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "_:N2d1f327d17ef4456bfbd07442d7ea77e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:fork"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "_:Nbb14488d616342fa8003c63fbfc1dc33",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-associated-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "_:N3ac405f904c74d099af9a484b4cef952",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:next"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "d3f:CWE-285",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-285",
      "rdfs:label": "Improper Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-1100",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1100",
      "rdfs:label": "Insufficient Isolation of System-Dependent Functions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:FingerPrintScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern. The captured image is called a live scan. This live scan is digitally processed to create a biometric template (a collection of extracted features) which is stored and used for matching. Many technologies have been used including optical, capacitive, RF, thermal, piezoresistive, ultrasonic, piezoelectric, and MEMS.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Fingerprint#Fingerprint_sensors"
      },
      "rdfs:label": "Finger Print Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageScannerInputDevice"
      },
      "skos:altLabel": "Fingerprint Sensor"
    },
    {
      "@id": "d3f:CWE-646",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-646",
      "rdfs:label": "Reliance on File Name or Extension of Externally-Supplied File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:Reference-NISTIR-8011-Volume-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.IR.8011-1"
      },
      "d3f:kb-abstract": "This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. The control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities—called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).",
      "d3f:kb-author": "Kelley Dempsey, Paul Eavy, and George Moore",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Interagency Report 8011 Volume 1 - Automation Support for Security Control Assessments",
      "rdfs:label": "Reference - NISTIR 8011 Volume 1 - Automation Support for Security Control Assessments"
    },
    {
      "@id": "d3f:T1134",
      "@type": "owl:Class",
      "d3f:attack-id": "T1134",
      "rdfs:label": "Access Token Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:WindowsNtSuspendProcess",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtSuspendProcess",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIPrivateFunction"
        },
        {
          "@id": "d3f:OSAPISuspendProcess"
        }
      ]
    },
    {
      "@id": "d3f:ServiceDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A service dependency indicates a service has an activity, agent, or another service which relies on it in order to be functional.",
      "rdfs:label": "Service Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-003/"
      },
      "d3f:kb-abstract": "This search looks for flags passed to bcdedit.exe that modify the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-003: BCDEdit Failure Recovery Modification",
      "rdfs:label": "Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE"
    },
    {
      "@id": "d3f:WindowsNtCreateThreadEx",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtCreateThreadEx",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateThread"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:CertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CertificateAnalysis",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:d3fend-id": "D3-CA",
      "d3f:definition": "Analyzing Public Key Infrastructure certificates, using network traffic, certificate fields, and third-party logs, to detect if they have been misconfigured or spoofed.",
      "d3f:kb-article": "## How it works\nCertificate Analysis ensures that the data elements of the certificate are current and anchored in a known trust model. Certificate authorities, revocation lists, and third-party secure logs are used in the analysis. Analysis includes detection of server impersonation, phishing domains, and forged certificates.\n\nTLS certificates are designed to expire to ensure that the cryptographic keys are forced to be changed on a regular basis. The certificates in the trust path also expire and can cause a break in the trust chain. This means that even if a server certificate is updated correctly, intermediate certificates can expire and the trust chain is not maintained. This can cause services to become unavailable.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecuringWebTransactions"
      },
      "rdfs:label": "Certificate Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N75926c1d9eb3484d986bd822677a95a8"
        }
      ]
    },
    {
      "@id": "_:N75926c1d9eb3484d986bd822677a95a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:d3fend-process-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-process-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:T1136.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1136.003",
      "rdfs:label": "Cloud Account",
      "rdfs:subClassOf": {
        "@id": "d3f:T1136"
      }
    },
    {
      "@id": "d3f:PrivilegedUserAccount",
      "@type": "owl:Class",
      "d3f:definition": "A privileged account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify system or application configurations. They might also have access to files that are not normally accessible to standard users. Typical examples are root and administrator accounts. But there are also service accounts, system accounts, etc. Privileged accounts are especially powerful, and should be monitored especially closely.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.ssh.com/iam/user/privileged-account"
      },
      "rdfs:label": "Privileged User Account",
      "rdfs:seeAlso": {
        "@id": "https://www.cyberark.com/resources/blog/7-types-of-privileged-accounts-service-accounts-and-more"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:SARSA",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SAR",
      "d3f:definition": "State-action-reward-state-action (SARSA) is an algorithm for learning a Markov decision process policy, used in the reinforcement learning area of machine learning.",
      "d3f:kb-article": "## References\nState-action-reward-state-action. Wikipedia.  [Link](https://en.wikipedia.org/wiki/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action).",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action",
      "rdfs:label": "SARSA",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:GraphicsCardFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a computer graphics card.",
      "rdfs:label": "Graphics Card Firmware",
      "rdfs:seeAlso": "d3f:Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Video Card Firmware"
    },
    {
      "@id": "d3f:CWE-762",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-762",
      "rdfs:label": "Mismatched Memory Management Routines",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-763"
      }
    },
    {
      "@id": "d3f:ProjectedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PC",
      "d3f:definition": "Projected clustering is a dimension reduction subspace clustering method.",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). Projected Clustering in Data Analytics. [Link](https://www.geeksforgeeks.org/projected-clustering-in-data-analytics/)",
      "rdfs:label": "Projected Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:T1055.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1055.001",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Dynamic-link Library Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N29b63f6d7e5344c7aa2b817df6b6bb10"
        },
        {
          "@id": "_:N5a64c753199740a49a64853c252e8612"
        },
        {
          "@id": "_:Nac3b7798c29541cc9ff9d6fb48fbc8e2"
        }
      ]
    },
    {
      "@id": "_:N29b63f6d7e5344c7aa2b817df6b6bb10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N5a64c753199740a49a64853c252e8612",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "_:Nac3b7798c29541cc9ff9d6fb48fbc8e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:CWE-755",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-755",
      "rdfs:label": "Improper Handling of Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:EndpointHealthBeacon",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:d3fend-id": "D3-EHB",
      "d3f:definition": "Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.",
      "d3f:kb-article": "## How it works\nEndpoints are configured to periodically generate and transmit a secure heartbeat that is delivered on a configured schedule and provides endpoint status information. Status information can include software details (version, configuration, etc.), endpoint identification (MAC, IP address, machine ID) or other hardware/software configuration information. Interruption of the heartbeat can signal that the endpoint has been compromised.\n\n## Considerations\n* The heartbeat messages must be secured to ensure message integrity.\n* Disappearance of the heartbeat could simply mean that the endpoint is powered off or intentionally disconnected from the network. Therefore other criteria may need to be used to accurately detect endpoint compromise.\n* Attacker presence on the machine may leave the heartbeat intact.\n* An attacker may determine the format of the heartbeat and continue to send it even after the machine is compromised.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-IntrusionDetectionUsingAHeartbeat_SophosLtd"
      },
      "d3f:monitors": {
        "@id": "d3f:NetworkNode"
      },
      "d3f:synonym": "Endpoint Health Telemetry",
      "rdfs:label": "Endpoint Health Beacon",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N06055048444742ba91ba6269b5bd60ed"
        }
      ]
    },
    {
      "@id": "_:N06055048444742ba91ba6269b5bd60ed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:CWE-112",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-112",
      "rdfs:label": "Missing XML Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1286"
      }
    },
    {
      "@id": "d3f:NonlinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NRL",
      "d3f:definition": "A supervised learning method that builds a non-linear regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)",
      "rdfs:label": "Nonlinear Regression Learning",
      "rdfs:seeAlso": "http://d3fend.mitre.org/ontologies/d3fend.owl#NonlinearRegression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1535",
      "@type": "owl:Class",
      "d3f:attack-id": "T1535",
      "rdfs:label": "Unused/Unsupported Cloud Regions",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:TimeSeriesAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TSA",
      "d3f:definition": "Time series analysis comprises methods for analyzing time series data in order to extract meaningful statistics and other characteristics of the data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Time series. [Link](https://en.wikipedia.org/wiki/Time_series)",
      "rdfs:label": "Time Series Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:d3fend-catalog-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-catalog-data-property",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-data-property"
        },
        {
          "@id": "d3f:d3fend-external-control-data-property"
        }
      ],
      "skos:altLabel": {
        "@language": "en",
        "@value": "d3fend-vendor-registry-data-property"
      }
    },
    {
      "@id": "d3f:CWE-598",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-598",
      "rdfs:label": "Use of GET Request Method With Sensitive Query Strings",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-201"
      }
    },
    {
      "@id": "d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190205530A1"
      },
      "d3f:kb-abstract": "Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on relative frequencies of the event types. The control unit can determine a distribution of event types of the events within the loop, and determining that software running the sequence is associated with malware based at least in part on the distribution of event types within the loop. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop. The control unit can determine a malware module comprising the point of commonality.",
      "d3f:kb-author": "Daniel W. Brown",
      "d3f:kb-mitre-analysis": "The patent describes determining if a sequence of events associated with a process are associated with malware. Based on the relative frequency of events, a loop within a sequence of events is located and a distribution of the events within the loop is determined. The distribution of events is then compared against a catalog of distributions to determine if it is associated with malware.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Malware detection in event loops",
      "rdfs:label": "Reference - Malware detection in event loops - Crowdstrike Inc"
    },
    {
      "@id": "d3f:summarizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x summarizes y: The sensor x summarizes a set y of events concerning digital artifacts over time",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02758570-v"
      },
      "rdfs:label": "summarizes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140331319A1"
      },
      "d3f:kb-abstract": "A method and apparatus for detecting malicious websites is disclosed.",
      "d3f:kb-author": "John Burnet MUNRO, IV; Jason Aaron Trost; Zachary Daniel HANIF",
      "d3f:kb-mitre-analysis": "This patent describes a domain classification engine on the host computer that analyzes URLs clicked by a user or entered into a web browser to visit a website. URL analysis is done by using a combination of techniques:\n\n* Feature extraction: A URL is analyzed against features associated with suspicious URLs such as % of longest consecutive digits in a subdomain, % of longest repeated characters in a subdomain, % of vowels in a high level domain.\n\n* Markov analysis: The probability of a digit occurring in normal language given the preceding two digits is determined. For example, if the received URL is google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a 'g', the probability of an 'o' occurring after a 'g' and 'o', and so forth will be determined. The probability of each digit is then multiplied to get a probability for the whole domain name. Probabilities are determined based on a database of existing usage, such as a dictionary, or a list of known good domain names.\n\n* Domain names are compared against an existing dataset of known unauthorized domain names.\n\nA rating is developed based on the results of these techniques, and if the rating is over a set threshold, an action is taken such as blocking access or generating an alert.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:URLAnalysis"
      },
      "d3f:kb-reference-title": "Method and Apparatus for Detecting Malicious Websites",
      "rdfs:label": "Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Inc"
    },
    {
      "@id": "d3f:GeometricMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GM",
      "d3f:definition": "The nth root of the product of the data values, where there are n of these. This measure is valid only for data that are measured absolutely on a strictly positive scale.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Geometric Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:CWE-300",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-300",
      "rdfs:label": "Channel Accessible by Non-Endpoint",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:CCI-001146_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs NSA-approved cryptography to protect classified information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001146"
    },
    {
      "@id": "d3f:Reference-BiometricChallenge-ResponseAuthentication-Accenture",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.patentguru.com/US2021110015A1"
      },
      "d3f:kb-abstract": "Secret biometric responses to authentication challenges for MFA.\n\nMethods, systems, and apparatus, including computer programs encoded on computer storage media, for authenticating users based on a sequence of biometric authentication challenges. In one aspect, a process includes receiving a first image of the face of the user and processing the first image according to a first authentication process to determine whether the face of the user shown in the first image matches the face of an authorized user. A second authentication process including a sequence of biometric authentication challenges is identified. The sequence includes at least one facial expression challenge. The user is authenticated in response to determining that the first authentication process is satisfied based on the face of the user shown in the first image matching the face of the authorized user and the second authentication process is satisfied based on the user providing a valid biometric response to each biometric authentication challenge.",
      "d3f:kb-author": "Ben McCarty, Ellie Daw",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Accenture",
      "d3f:kb-reference-of": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:kb-reference-title": "Biometric Challenge-Response Authentication",
      "rdfs:label": "Reference - Biometric Challenge-Response Authentication - Accenture"
    },
    {
      "@id": "d3f:T1018",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1018",
      "d3f:may-access": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:CreateSocket"
        }
      ],
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Remote System Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N2b2e122ee3a24778828056f1f9bb50d4"
        },
        {
          "@id": "_:N960a34f14fd946b3902e043839650a51"
        },
        {
          "@id": "_:N2f986568273b4bc28acf3cb2bcb6ee4f"
        },
        {
          "@id": "_:N32c42225281c4b58a266d3c1c73b39eb"
        }
      ]
    },
    {
      "@id": "_:N2b2e122ee3a24778828056f1f9bb50d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:N960a34f14fd946b3902e043839650a51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N2f986568273b4bc28acf3cb2bcb6ee4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateSocket"
      }
    },
    {
      "@id": "_:N32c42225281c4b58a266d3c1c73b39eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:M1016",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "Future D3FEND releases will model the scanning and inventory domains.",
      "rdfs:label": "Vulnerability Scanning"
    },
    {
      "@id": "d3f:CWE-551",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-551",
      "rdfs:label": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-696"
        },
        {
          "@id": "d3f:CWE-863"
        }
      ]
    },
    {
      "@id": "d3f:T1055.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1055.014",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "VDSO Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N5409a283f779461097d7e32aa90dbbbc"
        },
        {
          "@id": "_:N6e96767134b74e07b9ff9a5d2237c45f"
        }
      ]
    },
    {
      "@id": "_:N5409a283f779461097d7e32aa90dbbbc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N6e96767134b74e07b9ff9a5d2237c45f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-193",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-193",
      "rdfs:label": "Off-by-one Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:T1194",
      "@type": "owl:Class",
      "d3f:attack-id": "T1194",
      "rdfs:label": "Spearphishing via Service",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:OperatingSystemPackagingTool",
      "@type": "owl:Class",
      "d3f:definition": "A software packaging tool oriented on building a software package for a particular operating system (e.g., rpmbuild).",
      "rdfs:label": "Operating System Packaging Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackagingTool"
      }
    },
    {
      "@id": "d3f:SpearmansRankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SRCC",
      "d3f:synonym": "Spearman's Rho",
      "rdfs:label": "Spearman's Rank Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:T1550.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.001",
      "d3f:may-produce": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:uses": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Application Access Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:Nec83026c86ae4d3abba98a497a4a9463"
        },
        {
          "@id": "_:Nc55602832cbd43aba3e0eed2e212d566"
        }
      ]
    },
    {
      "@id": "_:Nec83026c86ae4d3abba98a497a4a9463",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "_:Nc55602832cbd43aba3e0eed2e212d566",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:CWE-833",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-833",
      "rdfs:label": "Deadlock",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:T1504",
      "@type": "owl:Class",
      "d3f:attack-id": "T1504",
      "rdfs:label": "PowerShell Profile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_9",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "d3f:control-name": "Least Privilege | Log Use of Privileged Functions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(9)"
    },
    {
      "@id": "d3f:CWE-662",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-662",
      "rdfs:label": "Improper Synchronization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-664"
        },
        {
          "@id": "d3f:CWE-691"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000765_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000765"
    },
    {
      "@id": "d3f:T1015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1015",
      "rdfs:label": "Accessibility Features",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Reference-DebuggersForAccessibilityApplications_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-006/"
      },
      "d3f:kb-abstract": "The Windows Registry location HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the \"Debugger\" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings \"sethc.exe\", \"utilman.exe\", \"osk.exe\", \"narrator.exe\", and \"Magnify.exe\" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.\n\nThis analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string \"sethc.exe\" being used as an argument for another application is unlikely, it still is a possibility.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-003: Debuggers for Accessibility Applications",
      "rdfs:label": "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE"
    },
    {
      "@id": "d3f:CCI-002169_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces a role-based access control policy over defined subjects and objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002169"
    },
    {
      "@id": "d3f:SourceCode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "Source Code",
      "rdfs:subClassOf": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "d3f:CWE-410",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-410",
      "rdfs:label": "Insufficient Resource Pool",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1098.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.004",
      "rdfs:label": "SSH Authorized Keys",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:ResamplingEnsemble",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RE",
      "d3f:definition": "In this method, the small classes are oversampled and the large classes are undersampled. The resampling scale is determined by the ratio of the min class number and max class number. Multiple machine learning methods are selected to construct the ensemble.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nTorgo, L. (2014). A resampling ensemble algorithm for improved accuracy. *Neurocomputing*, 134, 55-66.  [Link](https://www.sciencedirect.com/science/article/pii/S0925231214007644#:~:text=A%20resampling%20ensemble%20algorithm%20is,and%20undersampling%20are%20empirically%20analyzed).",
      "rdfs:label": "Resampling Ensemble",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:ParametricTests",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PT",
      "d3f:definition": "A parametric test relies upon the assumption that the data you want to test is (or approximately is) normally distributed.",
      "d3f:kb-article": "## References\nNewcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/parametric-hypothesis-tests.html)",
      "rdfs:label": "Parametric Tests",
      "rdfs:subClassOf": {
        "@id": "d3f:HypothesisTesting"
      }
    },
    {
      "@id": "d3f:T1090.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.004",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      },
      "rdfs:label": "Domain Fronting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:N45c91ef97fb14c41aaa5382e816ea701"
        }
      ]
    },
    {
      "@id": "_:N45c91ef97fb14c41aaa5382e816ea701",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-212",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-212",
      "rdfs:label": "Improper Removal of Sensitive Information Before Storage or Transfer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-669"
      }
    },
    {
      "@id": "d3f:CCI-002015_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification-I (PIV-I) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002015"
    },
    {
      "@id": "d3f:D3FENDCatalogThing",
      "@type": "owl:Class",
      "rdfs:label": "D3FEND Catalog Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      },
      "skos:altLabel": "D3FEND Vendor Registry Thing"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/JPH11161574A"
      },
      "d3f:kb-abstract": "To make anonymous a sender name present on an actual transmission source address by including an alias transmission source address substitution unit and removing the actual transmission source address from an electronic mail message. SOLUTION: A hash value of the destination address of an electronic mail message is calculated (S330). Then, (n) blank bytes are added to a compressed actual transmission source address (S340). The true length of the actual transmission source address is hidden by adding blank bytes. Further, a 2nd bit field is added to a secret key saved locally in a remailer, and an extended secret key characteristic of the destination address is generated. Then, the compressed actual transmission source address is ciphered according to the data ciphering standards using the extended secret key characteristic of the destination address as a cipher key (S350). Further, the 2nd bit field is added to the ciphered and compressed actual transmission source address (S360).",
      "d3f:kb-author": "Eran Gabber, Phillip B Gibbons, David Morris Kristol, Yossi Matias, Alain J Mayer",
      "d3f:kb-organization": "Nokia of America Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:EmailFiltering"
      },
      "d3f:kb-reference-title": "System and method for providing anonymous remailing and filtering of electronic mail",
      "rdfs:label": "Reference - System and method for providing anonymous remailing and filtering of electronic mail - Nokia"
    },
    {
      "@id": "d3f:T1559",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1559",
      "d3f:injects": {
        "@id": "d3f:InterprocessCommunication"
      },
      "rdfs:label": "Inter-Process Communication Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:Nb75eb1da107f48aab13c97d38da2c493"
        }
      ]
    },
    {
      "@id": "_:Nb75eb1da107f48aab13c97d38da2c493",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:injects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InterprocessCommunication"
      }
    },
    {
      "@id": "d3f:NetworkService",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a network service is an application running at the network application layer and above, that provides data storage, manipulation, presentation, communication or other capability which is often implemented using a client-server or peer-to-peer architecture based on application layer network protocols. Clients and servers will often have a user interface, and sometimes other hardware associated with it.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_service"
      },
      "rdfs:label": "Network Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCXFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCX File"
    },
    {
      "@id": "d3f:CCI-000163_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized modification.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000163"
    },
    {
      "@id": "d3f:T1056.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:GraphicalUserInterface"
      },
      "d3f:attack-id": "T1056.002",
      "rdfs:label": "GUI Input Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N6d16efe1298a4fb68ebc1377f8607599"
        }
      ]
    },
    {
      "@id": "_:N6d16efe1298a4fb68ebc1377f8607599",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GraphicalUserInterface"
      }
    },
    {
      "@id": "d3f:Reference-SMBEventsMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-01-003/"
      },
      "d3f:kb-abstract": "Server Message Block (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve Lateral Movement. Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.\n\nOutput Description:\nThe source, destination, content, and time of each event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-01-003: SMB Events Monitoring",
      "rdfs:label": "Reference - CAR-2013-01-003: SMB Events Monitoring - MITRE"
    },
    {
      "@id": "d3f:T1606.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1606.001",
      "rdfs:label": "Web Cookies",
      "rdfs:subClassOf": {
        "@id": "d3f:T1606"
      }
    },
    {
      "@id": "d3f:CCI-001069_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001069"
    },
    {
      "@id": "d3f:T1493",
      "@type": "owl:Class",
      "d3f:attack-id": "T1493",
      "rdfs:label": "Transmitted Data Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources"
      },
      "d3f:kb-organization": "IBM",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources",
      "rdfs:label": "Reference - Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources"
    },
    {
      "@id": "d3f:T1587.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.003",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:T1131",
      "@type": "owl:Class",
      "d3f:attack-id": "T1131",
      "rdfs:label": "Authentication Package",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:OperatingSystemLogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system log file records events that occur in an operating system",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Log_file"
      },
      "rdfs:label": "Operating System Log File",
      "rdfs:seeAlso": "Log File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogFile"
        },
        {
          "@id": "d3f:OperatingSystemFile"
        }
      ]
    },
    {
      "@id": "d3f:SystemInitScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script used to initialize and configure elements of the system's environment, applications, services, or its operating system.",
      "rdfs:label": "System Init Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1249",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1249",
      "rdfs:label": "Application-Level Admin Tool with Inconsistent View of Underlying Operating System",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1250"
      }
    },
    {
      "@id": "d3f:ImpersonateUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ImpersonateUser"
      ],
      "d3f:forges": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Impersonate User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nb7e197645ea3427d8cc33881d312d91b"
        }
      ]
    },
    {
      "@id": "_:Nb7e197645ea3427d8cc33881d312d91b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-1259",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1259",
      "rdfs:label": "Improper Restriction of Security Token Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:IntranetMulticastNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet multicast network traffic is multicast network traffic that does not cross a given network's boundaries.",
      "rdfs:label": "Intranet Multicast Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Multicast"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:kb-reference",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:kb-reference-of"
      },
      "rdfs:label": "kb-reference",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      },
      "skos:altLabel": "has-technique-reference"
    },
    {
      "@id": "d3f:CCI-001496_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of audit tools.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001496"
    },
    {
      "@id": "d3f:Reference-DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019"
      },
      "d3f:kb-author": "Microsoft",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:SegmentAddressOffsetRandomization"
      },
      "d3f:kb-reference-title": "/DYNAMICBASE (Use address space layout randomization)",
      "rdfs:label": "Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docs"
    },
    {
      "@id": "d3f:CWE-910",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-910",
      "rdfs:label": "Use of Expired File Descriptor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:CCI-001200_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001200"
    },
    {
      "@id": "d3f:CWE-1120",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1120",
      "rdfs:label": "Excessive Code Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:DecoyObject",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-DO",
      "d3f:definition": "A Decoy Object is created and deployed for the purposes of deceiving attackers.",
      "d3f:enables": {
        "@id": "d3f:Deceive"
      },
      "d3f:kb-article": "## Technique Overview\nDecoy objects are typically configured with detectable means of communication but do not have any legitimate business purpose. Any communication via or to these objects should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.",
      "d3f:synonym": "Lure",
      "rdfs:label": "Decoy Object",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nd7e5685869194dedaebf2f03fa6f852d"
        }
      ]
    },
    {
      "@id": "_:Nd7e5685869194dedaebf2f03fa6f852d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Deceive"
      }
    },
    {
      "@id": "d3f:T1550.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SessionCookie"
      },
      "d3f:attack-id": "T1550.004",
      "d3f:produces": {
        "@id": "d3f:WebNetworkTraffic"
      },
      "rdfs:label": "Web Session Cookie",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:Ncf5879ba301540678227009640f5e6d6"
        },
        {
          "@id": "_:N63bac5f3812a4ceaadbbf45805fe1756"
        }
      ]
    },
    {
      "@id": "_:Ncf5879ba301540678227009640f5e6d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "_:N63bac5f3812a4ceaadbbf45805fe1756",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebNetworkTraffic"
      }
    },
    {
      "@id": "d3f:JobSchedule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:definition": "A job schedule contains the specification of tasks to be executed at particular times or time intervals. The schedule is a plan that is enacted by a task scheduling process. In Windows, the schedule can be accessed at 'C:\\Windows\\System32\\Tasks' or in the registry. In Linux, the schedule is located at '/etc/crontab'.",
      "d3f:modified-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:synonym": "Task Schedule",
      "rdfs:label": "Job Schedule",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N044500d1409a421c8e0fad7f9006670d"
        },
        {
          "@id": "_:N3a1749a8e2684df19bb87f05a6812845"
        }
      ]
    },
    {
      "@id": "_:N044500d1409a421c8e0fad7f9006670d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:N3a1749a8e2684df19bb87f05a6812845",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "d3f:CCI-000035_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000035"
    },
    {
      "@id": "d3f:CredentialRotation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-CRO",
      "d3f:definition": "Expiring an existing set of credentials and reissuing a new valid set",
      "d3f:kb-article": "## How it works\n\nManagement servers with enterprise policies for account management provide the ability to change or reset passwords for accounts. Some organizations rotate credentials periodically to limit the risk of stolen credentials.\n\n## Considerations\n\n- When responding to an incident, the severity of the compromise should be considered to determine which credentials for which accounts should be regenerated.\n- If proactively rotating credentials periodically, several factors should be considered to determine the frequency. Periodic rotation also introduces some risk, including promoting the creation of weak passwords and poor storage practices among employees, and it presents challenges in proper tracking.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PasswordandKeyRotation-SSH"
        },
        {
          "@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA"
        }
      ],
      "d3f:regenerates": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Credential Rotation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N6a3fe63d780646b4b4331946b593c059"
        }
      ]
    },
    {
      "@id": "_:N6a3fe63d780646b4b4331946b593c059",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:regenerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:accessed-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:accesses"
      },
      "rdfs:label": "accessed-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-accessed-by"
        }
      ]
    },
    {
      "@id": "d3f:T1045",
      "@type": "owl:Class",
      "d3f:attack-id": "T1045",
      "rdfs:label": "Software Packing",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-GenericRegsvr32_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-002/"
      },
      "d3f:kb-abstract": "Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-002: Generic Regsvr32",
      "rdfs:label": "Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE"
    },
    {
      "@id": "d3f:CCI-002467_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002467"
    },
    {
      "@id": "d3f:Semi-supervisedGenerativeModelLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSGML",
      "d3f:definition": "A semi-supervised machine learning model which assumes that the distributions take some particular form p(x|y,theta) parameterized by the vector theta. If these assumptions are incorrect, the unlabeled data may actually decrease the accuracy of the solution relative to what would have been obtained from labeled data alone. However, if the assumptions are correct, then the unlabeled data necessarily improves performance.",
      "d3f:kb-article": "## References\nWeak supervision. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).",
      "rdfs:label": "Semi-supervised Generative Model Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160105450A1"
      },
      "d3f:kb-abstract": "A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.",
      "d3f:kb-author": "Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore",
      "d3f:kb-mitre-analysis": "Access to a job scheduler is intercepted using hooking or file filters to identify and analyze the source files, processes, destination files, or destination servers associated with a scheduled job. The identified servers or files associated with a job are compared against an anti-malware signature database or reputation server to determine if there is a match. If so, execution is denied and an alert is generated.",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "Preventing execution of task scheduled malware",
      "rdfs:label": "Reference - Preventing execution of task scheduled malware - McAfee LLC"
    },
    {
      "@id": "d3f:ApplicationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-AH",
      "d3f:definition": "Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:kb-article": "## Technique Overview\n\nExploits may, for example, rely on knowledge of addresses in a process's memory, alter memory contents, or cause a program to use instructions in a way that was not intended. Application hardening makes it harder for an attacker to craft a working exploit by, for example, including code that dynamically changes the memory address of data or code on each run, introducing logic to validate memory contents before certain potentially dangerous flows are executed, or monitoring a program for unusual sequences of instructions.",
      "d3f:synonym": "Process Hardening",
      "rdfs:label": "Application Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nbb171e54f5534197a857574cd7cd68f2"
        }
      ]
    },
    {
      "@id": "_:Nbb171e54f5534197a857574cd7cd68f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:CWE-1083",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1083",
      "rdfs:label": "Data Access from Outside Expected Data Manager Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:Firmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In electronic systems and computing, firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (such as traffic lights, consumer appliances, remote controls and digital watches), computers, computer peripherals, mobile phones, and digital cameras. The firmware contained in these devices provides the low-level control program for the device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Firmware"
      },
      "rdfs:label": "Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1007",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetRunningProcesses"
        }
      ],
      "rdfs:label": "System Service Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N0e901dbb8cef44eb93431206793780cc"
        },
        {
          "@id": "_:N4cb3dfdb424d4520a78812605f2479f8"
        }
      ]
    },
    {
      "@id": "_:N0e901dbb8cef44eb93431206793780cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N4cb3dfdb424d4520a78812605f2479f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:BarcodeScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A barcode reader (or barcode scanner) is an optical scanner that can read printed barcodes, decode the data contained in the barcode and send the data to a computer. Like a flatbed scanner, it consists of a light source, a lens and a light sensor for translating optical impulses into electrical signals. Additionally, nearly all barcode readers contain decoder circuitry that can analyze the barcode's image data provided by the sensor and send the barcode's content to the scanner's output port.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Barcode_reader"
      },
      "rdfs:label": "Barcode Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageScannerInputDevice"
      },
      "skos:altLabel": "Barcode Reader"
    },
    {
      "@id": "d3f:EvictionLatency",
      "@type": "owl:Class",
      "rdfs:label": "Eviction Latency",
      "rdfs:subClassOf": {
        "@id": "d3f:Latency"
      }
    },
    {
      "@id": "d3f:CWE-1260",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1260",
      "rdfs:label": "Improper Handling of Overlap Between Protected Memory Ranges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-04-001/"
      },
      "d3f:kb-abstract": "Masquerading (T1036) is defined by ATT&CK as follows:\n\n“Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.”\n\nMalware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).\n\nThere are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-04-001: Common Windows Process Masquerading",
      "rdfs:label": "Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE"
    },
    {
      "@id": "d3f:T1506",
      "@type": "owl:Class",
      "d3f:attack-id": "T1506",
      "rdfs:label": "Web Session Cookie",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1075",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1075",
      "rdfs:label": "Unconditional Control Flow Transfer outside of Switch Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1094",
      "@type": "owl:Class",
      "d3f:attack-id": "T1094",
      "rdfs:label": "Custom Command and Control Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:label",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "label"
      },
      "rdfs:subPropertyOf": {
        "@id": "rdfs:label"
      }
    },
    {
      "@id": "d3f:ApplicationLayerFirewall",
      "@type": "owl:Class",
      "d3f:definition": "An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Application_firewall"
      },
      "rdfs:label": "Application Layer Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:Firewall"
      },
      "skos:altLabel": "Application Firewall"
    },
    {
      "@id": "d3f:PeripheralFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on computer peripheral devices.",
      "rdfs:label": "Peripheral Firmware",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "dbr:Peripheral"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:validates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x validates y: The technique x proves the digital artifact y is valid; that is, x shows or confirms the validity of y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00669142-v"
      },
      "rdfs:label": "validates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:DecoyFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DF",
      "d3f:definition": "A file created for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nThe decoy file is made available as a local or network resource. Accesses to the file may be monitored. The files may be configurations, documents, executables, or other file types.\n\n\n## Considerations\nProperties of the file such as cryptographic checksums, file creation date, file modified date, file size, file owner, etc. may be modified to improve the credibility of the file.\n\n## Example\n* A CSV file with decoy user credentials is placed on a system. The system or network is then monitored to detect any accesses to the decoy file.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SupplyChainCyber-deception_Cymmetria,Inc."
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Decoy File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Ne4b1802cf3de42aaa4401ef13e8aff3e"
        }
      ]
    },
    {
      "@id": "_:Ne4b1802cf3de42aaa4401ef13e8aff3e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:ControlCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A control catalog is a complete list of protective measures for systems, organizations, or individuals for subject domains (e.g., security and privacy).",
      "rdfs:label": "Control Catalog",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Catalog"
        },
        {
          "@id": "_:N99eb908b656445a2aecd2fcb5f6a9444"
        },
        {
          "@id": "_:N2aac9280bc664802bd720e8c009ecac1"
        }
      ]
    },
    {
      "@id": "_:N99eb908b656445a2aecd2fcb5f6a9444",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExternalControl"
      }
    },
    {
      "@id": "_:N2aac9280bc664802bd720e8c009ecac1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:version"
      },
      "owl:someValuesFrom": {
        "@id": "_:Nd0bfef0cc12043f38b2ce7db3b78fd5b"
      }
    },
    {
      "@id": "_:Nd0bfef0cc12043f38b2ce7db3b78fd5b",
      "@type": "rdfs:Datatype",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "xsd:integer"
          },
          {
            "@id": "xsd:string"
          }
        ]
      }
    },
    {
      "@id": "d3f:CWE-208",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-208",
      "rdfs:label": "Observable Timing Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:TertiaryStorage",
      "@type": "owl:Class",
      "d3f:definition": "Tertiary storage or tertiary memory is memory primarily used for archiving rarely accessed information. It is primarily useful for extraordinarily large data stores. Typical examples include tape libraries and optical jukeboxes.",
      "rdfs:isDefinedBy": "https://en.wikipedia.org/wiki/Computer_data_storage#Tertiary_storage",
      "rdfs:label": "Tertiary Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:MemoryBlock"
        },
        {
          "@id": "d3f:SecondaryStorage"
        }
      ]
    },
    {
      "@id": "d3f:MicrosoftWordDOCBFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCB File"
    },
    {
      "@id": "d3f:T1223",
      "@type": "owl:Class",
      "d3f:attack-id": "T1223",
      "rdfs:label": "Compiled HTML File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002422_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the confidentiality and/or integrity of information during reception.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002422"
    },
    {
      "@id": "d3f:DivisiveClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DC",
      "d3f:definition": "A divisive clustering approach is a hierarchical, top-down approach to clustering a dataset.",
      "rdfs:label": "Divisive Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:HierarchicalClustering"
      }
    },
    {
      "@id": "d3f:Reference-TrustedCommunicationsWithChildProcesses_MicrosoftTechnologyLicensingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120174210A1"
      },
      "d3f:kb-abstract": "A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.",
      "d3f:kb-author": "Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting malicious processes that claim to be the child process of a legitimate parent process. During the spawning of a child process, a child process identifier is generated. The child process identifier is a unique identifier that can be used to identify a child process. The child process identifier is transmitted by the security system of the operating system to the parent process. The parent process keeps track of the child process identifier. When a new child-initiated communications request is received by the parent process, the parent process checks if the requesting child process identifier and the child process identifier that the parent process is tracking are the same. If the identifiers are not the same, the parent process refuses the request.",
      "d3f:kb-organization": "Microsoft Technology Licensing LLC",
      "d3f:kb-reference-title": "Trusted Communications With Child Processes",
      "rdfs:label": "Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC"
    },
    {
      "@id": "d3f:has-recipient",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has_recipient y: An agent y is the intended recipient and decoder of the information contained in communication x.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/has_recipient"
      },
      "rdfs:label": "has-recipient",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/09651094-n"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/09788768-n"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1014",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:KernelModule"
        },
        {
          "@id": "d3f:SharedLibraryFile"
        }
      ],
      "rdfs:label": "Rootkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Nfa4b9b23eb404d6bad98c5e2ed27a6db"
        },
        {
          "@id": "_:N2e5192553b644ef8903725aa685608b0"
        },
        {
          "@id": "_:Naa903f8f5e51402790938b6391833f0b"
        },
        {
          "@id": "_:Nffc63197e39247038556a4e4009d90e8"
        },
        {
          "@id": "_:N6e24a5e6a6674692b3b3415a8a88339f"
        }
      ]
    },
    {
      "@id": "_:Nfa4b9b23eb404d6bad98c5e2ed27a6db",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:N2e5192553b644ef8903725aa685608b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "_:Naa903f8f5e51402790938b6391833f0b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:Nffc63197e39247038556a4e4009d90e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "_:N6e24a5e6a6674692b3b3415a8a88339f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:Classifying",
      "@type": "owl:Class",
      "rdfs:label": "Classifying",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:CWE-1261",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1261",
      "rdfs:label": "Improper Handling of Single Event Upsets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-003/"
      },
      "d3f:kb-abstract": "In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-003: Clearing Windows Logs with Wevtutil",
      "rdfs:label": "Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE"
    },
    {
      "@id": "d3f:T1567.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567.002",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      },
      "rdfs:label": "Exfiltration to Cloud Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1567"
        },
        {
          "@id": "_:N0fbf75ae920646eb8bfee4c0af799118"
        }
      ]
    },
    {
      "@id": "_:N0fbf75ae920646eb8bfee4c0af799118",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-001%3AScheduledTask-FileAccess_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-001/"
      },
      "d3f:kb-abstract": "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\\Windows\\Tasks (legacy) or C:\\Windows\\System32\\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileCreationAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-001: Scheduled Task - FileAccess",
      "rdfs:label": "Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITRE"
    },
    {
      "@id": "d3f:Monitoring",
      "@type": "owl:Class",
      "d3f:definition": "the act of observing something (and sometimes keeping a record of it)",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00881724-n"
      },
      "rdfs:label": "Monitoring",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:EmailRemoval",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileRemoval"
      ],
      "d3f:d3fend-id": "D3-ER",
      "d3f:definition": "The email removal technique deletes email files from system storage.",
      "d3f:deletes": {
        "@id": "d3f:Email"
      },
      "d3f:kb-article": "## How it works\n\nEmail removal is a technique that can be used to prevent a user from executing malware or responding to phishing attempts. Security software or users themselves may detect malicious or suspicious email in a local or remote mail folder and then employ this technique.\n\n## Considerations\n\nFor email that needs to be removed, an infosec organization may choose to take additional follow-up actions (such as blocking the sources or notifying providers), rather than only relying on email deletion.\n\nFor the case where users detect likely suspicious email files, the organization should consider implementing a means for reporting these emails to their infosec organization.\n\nEmail files may propagate through many storage systems across an organization's systems over time, so early detection and blocking helps avoid residual, latent stores of malicious email content in the enterprise.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForScanningRemoteServicesToLocateStoredObjectsWithMalware"
      },
      "d3f:may-access": {
        "@id": "d3f:MailServer"
      },
      "d3f:synonym": "Email Deletion",
      "rdfs:label": "Email Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileRemoval"
        },
        {
          "@id": "_:N720c9715bf0e41719ae675165d060202"
        },
        {
          "@id": "_:N9cc0978a9d2b424da095c59ae5f728d1"
        }
      ]
    },
    {
      "@id": "_:N720c9715bf0e41719ae675165d060202",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N9cc0978a9d2b424da095c59ae5f728d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "d3f:sells",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "sells",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:BinaryLargeObject",
      "@type": "owl:Class",
      "d3f:definition": "A binary large object (BLOB) is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Binary_large_object"
      },
      "rdfs:label": "Binary Large Object",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": [
        "BLOB",
        "Blob"
      ]
    },
    {
      "@id": "d3f:T1021",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021",
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N17c5167a6d9f4ec183d4261d1f53d4b4"
        }
      ]
    },
    {
      "@id": "_:N17c5167a6d9f4ec183d4261d1f53d4b4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1598",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598",
      "rdfs:label": "Phishing for Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:has-contributor",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-contributor",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:may-counter",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-counter",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1342",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1342",
      "rdfs:label": "Information Exposure through Microarchitectural State after Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:CWE-1297",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1297",
      "rdfs:label": "Unprotected Confidential Information on Device is Accessible by OSAT Vendors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:has-weakness",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:weakness-of"
      },
      "rdfs:label": "has-weakness",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-have-weakness"
      }
    },
    {
      "@id": "d3f:CWE-400",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-400",
      "rdfs:label": "Uncontrolled Resource Consumption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-000386_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.",
      "d3f:exactly": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000386"
    },
    {
      "@id": "d3f:Reference-OSQueryWindowsUserCollectionCode",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SourceCodeReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/tables/system/windows/users.cpp"
      },
      "d3f:kb-reference-title": "OS Query Windows User Collection Code",
      "rdfs:label": "Reference - OS Query Windows User Collection Code"
    },
    {
      "@id": "d3f:ApplicationConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the parameters and initial settings for an application.",
      "rdfs:label": "Application Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:ConfigurationDatabaseRecord"
        }
      ]
    },
    {
      "@id": "d3f:Reference-DataExecutionPrevention_Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#data-execution-prevention"
      },
      "d3f:kb-abstract": "Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?\n\nData Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit.",
      "d3f:kb-author": "Nick Schonning, Daniel Simpson, Marty Hernandez Avedon, Trond B. Krokli, jreeds, jcaparas, Andres Mariano Gorzelany, Tina Burden, Thomas Raya, Justin Hall, justanotheranonymoususer, Liza Poggemeyer, Dani Halfin, imba-tjd (Authors for entire page)",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSegmentExecutionPrevention"
      },
      "d3f:kb-reference-title": "Mitigate threats by using Windows 10 security features: Data Execution Prevention",
      "rdfs:label": "Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft"
    },
    {
      "@id": "d3f:T1088",
      "@type": "owl:Class",
      "d3f:attack-id": "T1088",
      "rdfs:label": "Bypass User Account Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf"
      },
      "d3f:kb-abstract": "LUKS is short for \"Linux Unified Key Setup\". It has initially been developed to remedy the unpleasantness a user experienced that arise from deriving the encryption setup from changing user space, and forgotten command line arguments. The result of this changes are an unaccessible encryption storage. The reason for this to happen was, a unstandardised way to read, process and set up encryption keys, and if the user was unlucky, he upgraded to an incompatible version of user space tools that needed a good deal of knowledge to use with old encryption volumes.",
      "d3f:kb-author": "Clemens Fruhwirth",
      "d3f:kb-reference-of": {
        "@id": "d3f:DiskEncryption"
      },
      "d3f:kb-reference-title": "LUKS1 On-Disk Format Specification Version 1.2.3",
      "rdfs:label": "Reference - LUKS1 On-Disk Format Specification Version 1.2.3"
    },
    {
      "@id": "d3f:FileIntegrityMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileIntegrityMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:File"
      },
      "d3f:d3fend-id": "D3-FIM",
      "d3f:definition": "Detecting any suspicious changes to files in a computer system.",
      "d3f:kb-article": "## How it Works\nThere are a number of tools in Windows and Unix that can monitor specific files in a system and generate alerts if any artifacts have been created, modified, or removed. They accomplish this by comparing the current artifacts to a previous snapshot.\n\nUnix - Unix systems have a file integrity checker tool called Tripwire. Tripwire first initializes a database that serves as a basis for comparison and can then scan the system to compare the state of the current file system against the initial baseline database. Additionally, users can define policies that specify potential violations.\n\nWindows - In Microsoft Azure, file integrity monitoring can be enabled which can track file and registry key creation, removals, and modifications of specific files.\n\n## Considerations\nFiles can change constantly due to the non-static nature of a computer system. File Integrity Monitoring works best when pointed at a narrow scope of critical files to limit the number of unnecessary files that may be modified over the course of normal use. The accuracy and precision of defined policies also affect the efficacy of this technique.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FileIntegrityMonitoringinMicrosoftDefenderforCloud-Microsoft"
        },
        {
          "@id": "d3f:Reference-Tripwire"
        }
      ],
      "rdfs:label": "File Integrity Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N395cf2c458a84366954767a018d9a5b1"
        }
      ]
    },
    {
      "@id": "_:N395cf2c458a84366954767a018d9a5b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180032727A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files. The selected file, and communications relating to the selected software application, may be managed according to the selected software application's secure or insecure configuration. Further, the selected software application may associate reputation information with all files that are modified and/or created by the selected software application, including at least in part, reputation information matching that of the selected file.",
      "d3f:kb-author": "Andrew J. Thomas",
      "d3f:kb-mitre-analysis": "This patent describes received files being opened in an environment such as a virtual machine or quarantined environment to associate file reputation information that determines if a file is a threat.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:kb-reference-title": "Use of an application controller to monitor and control software file and application environments",
      "rdfs:label": "Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltd"
    },
    {
      "@id": "d3f:has-sender",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has_sender y: An agent y is the sender and encoder of the information contained in communication x.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/has_sender"
      },
      "rdfs:label": "has-sender",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/10598214-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1246",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1246",
      "rdfs:label": "Improper Write Handling in Limited-write Non-Volatile Memories",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190180036A1/en?oq=US-2019180036-A1"
      },
      "d3f:kb-abstract": "In one aspect, a method useful for preventing exploitation of a vulnerability in an interpreted code by monitoring and validating an execution of the interpreted code in a script file by an application server, includes the step of generating a mapping for an incoming network connection to a specified script file to be executed by an application server. The computerized method includes the step of inserting a hook for monitoring an application programming interface (API) call or a privileged instruction executed by the application server. The computerized method includes the step of inserting a validation code configured to validate the API call or the privileged instruction executed by the interpreted code in a script.",
      "d3f:kb-author": "Jayant Shukla",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring API calls. During execution of interpreted code the observed API calls are validated against a whitelist of API calls for that interpreted code file. Action is taken if the observed API call is not in accordance with the list.",
      "d3f:kb-organization": "K2 Cyber Security Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Deterministic method for detecting and blocking of exploits on interpreted code",
      "rdfs:label": "Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Inc"
    },
    {
      "@id": "d3f:OperatingSystemConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system configuration file is a file used to configure the operating system.",
      "rdfs:label": "Operating System Configuration File",
      "rdfs:seeAlso": [
        "Configuration File",
        {
          "@id": "dbr:Configuration_file"
        },
        "Operating System"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "d3f:OperatingSystemFile"
        }
      ],
      "skos:altLabel": "System Configuration File"
    },
    {
      "@id": "d3f:CWE-863",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-863",
      "rdfs:label": "Incorrect Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:UserSessionInitConfigAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "d3f:d3fend-id": "D3-USICA",
      "d3f:definition": "Analyzing modifications to user session config files such as .bashrc or .bash_profile.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews"
        },
        {
          "@id": "d3f:Reference-RegistryKeySecurityAndAccessRights"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-002%3AComponentObjectModelHijacking_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-011%3ARegistryEditFromScreensaver"
        }
      ],
      "d3f:synonym": "User Startup Config Analysis",
      "rdfs:label": "User Session Init Config Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Na92df57f04c34612ad864a03db299685"
        }
      ]
    },
    {
      "@id": "_:Na92df57f04c34612ad864a03db299685",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:LinuxUnlink",
      "@type": "owl:Class",
      "d3f:definition": "Delete a name and possibly the file it refers to.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/unlink.2.html",
      "rdfs:label": "Linux Unlink",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:LogicalRules",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "A logical rule matches event data or set of values to a conditional expression and results in the determination of a truth value, which may be used to determine the next action or step to take.",
      "d3f:kb-article": "## How it works\n\nLogic rules define a set of patterns that in some patterns must match input data. If the conditions are met, then the rule will \"fire\" and some action will be taken, usually notifying a person or another system that the event being monitored needs further processing or attention.\n\n## Key Test Considerations\n\n- **Performance (Accuracy)** Identify instances in data where a rule is expected to be triggered. Implement traceability and metrics for individual rule performance. Traceability of cases could be implemented as unit tests or as part of a fine-grained classification performance platform. For simple rule-based matching systems with many rules, individual rules may be unused or may create unusually high false positives (or false negatives relative to expectation).\n\n- **Performance (Computational)** Generate model performance measures (see Classification Performance Measures), esp. a confusion matrix for each rule, and identify outliers and the relative contribution of each rule to overall performance.\n\n## References\n1. Event condition action. (2019, Nov 21). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Event_condition_action).\n2. Business rule. (2023, April 10). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Business_rule).\n3. YARA. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/YARA).",
      "rdfs:label": "Logical Rules",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicLogic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_32",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Process Requirements for Information Transfer",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(32)"
    },
    {
      "@id": "d3f:ArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A digital artifact server provides access services to digital artifacts in a repository.  It provides an associated set of data management, search and access methods allowing application-independent access to the content.",
      "rdfs:label": "Artifact Server",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Content_management"
        },
        {
          "@id": "dbr:Content_repository"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:WebServer"
      }
    },
    {
      "@id": "d3f:CWE-79",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-79",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "_:Nac9d482ef6bb4389a45a8e6bdedf4c23"
        }
      ]
    },
    {
      "@id": "_:Nac9d482ef6bb4389a45a8e6bdedf4c23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-293",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-293",
      "rdfs:label": "Using Referer Field for Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-290"
      }
    },
    {
      "@id": "d3f:T1035",
      "@type": "owl:Class",
      "d3f:attack-id": "T1035",
      "rdfs:label": "Service Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-222",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-222",
      "rdfs:label": "Truncation of Security-relevant Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.librenms.org/Extensions/Network-Map/"
      },
      "d3f:kb-abstract": "LibreNMS has the ability to show you a network map based on:\n* xDP Discovery\n* MAC addresses",
      "d3f:kb-organization": "LibreNMS.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkMapping"
      },
      "d3f:kb-reference-title": "Libre NMS - Network Map Extension",
      "rdfs:label": "Reference - Libre NMS - Network Map Extension"
    },
    {
      "@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150319136A1"
      },
      "d3f:kb-abstract": "In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.",
      "d3f:kb-author": "Huagang Xie; Xinran Wang; Jiangxia Liu",
      "d3f:kb-mitre-analysis": "This patent describes a VM sandbox environment that uses heuristic based analysis techniques performed in real-time during a file transfer to determine if the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:kb-reference-title": "Malware analysis system",
      "rdfs:label": "Reference - Malware analysis system - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-8_22",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security and Privacy Engineering Principles | Accountability and Traceability",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "rdfs:label": "SA-8(22)"
    },
    {
      "@id": "d3f:K-FoldCross-Validation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KFCV",
      "d3f:definition": "Cross-validation is a resampling procedure used to evaluate machine learning models on a limited data sample. The procedure has a single parameter called k that refers to the number of groups that a given data sample is to be split into. As such, the procedure is often called k-fold cross-validation. When a specific value for k is chosen, it may be used in place of k in the reference to the model, such as k=10 becoming 10-fold cross-validation.",
      "d3f:kb-article": "## References\nK-Fold Cross-Validation. Machine Learning Mastery.  [Link](https://machinelearningmastery.com/k-fold-cross-validation/#:~:text=Cross%2Dvalidation%20is%20a%20resampling,k%2Dfold%20cross%2Dvalidation).",
      "rdfs:label": "K-Fold Cross-Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:SubstringMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "String-searching algorithms, sometimes called string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text.",
      "d3f:kb-article": "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
      "rdfs:label": "Substring Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:SpectralClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SC",
      "d3f:definition": "Spectral clustering is a technique that identifies communities of nodes in a graph based on the edges connecting them.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Spectral Clustering. [Link](https://towardsdatascience.com/spectral-clustering-aba2640c0d5b)",
      "rdfs:label": "Spectral Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Graph-basedClustering"
      }
    },
    {
      "@id": "d3f:CWE-1072",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1072",
      "rdfs:label": "Data Resource Access without Use of Connection Pooling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:T1098.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.002",
      "d3f:modifies": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Exchange Email Delegate Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:N9d7e0bac7a9b44bbbaab411b169fa409"
        }
      ]
    },
    {
      "@id": "_:N9d7e0bac7a9b44bbbaab411b169fa409",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-234",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-234",
      "rdfs:label": "Failure to Handle Missing Parameter",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:T1082",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1082",
      "d3f:may-access": {
        "@id": "d3f:DecoyArtifact"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "System Information Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nffbf98204b4d4794b5e08fd7bafdcaa9"
        },
        {
          "@id": "_:N390edb4227c8475e8c79f8b8e29313f6"
        }
      ]
    },
    {
      "@id": "_:Nffbf98204b4d4794b5e08fd7bafdcaa9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DecoyArtifact"
      }
    },
    {
      "@id": "_:N390edb4227c8475e8c79f8b8e29313f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-1271",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1271",
      "rdfs:label": "Uninitialized Value on Reset for Registers Holding Security Settings",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-909"
      }
    },
    {
      "@id": "d3f:SingularValueDecomposition",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SVD",
      "d3f:definition": "Singular Value Decomposition (SVD) is an algorithm that represents a matrix as a linear series of data and finds the set of factors that will best predict an outcome.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Singular value decomposition. [Link](https://en.wikipedia.org/wiki/Singular_value_decomposition)",
      "rdfs:label": "Singular Value Decomposition",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:InternetArticleReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Internet Article",
      "rdfs:label": "Internet Article Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      },
      "skos:altLabel": "Internet Blog Reference"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "d3f:control-name": "Vulnerability Monitoring and Scanning",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "RA-5"
    },
    {
      "@id": "d3f:ScriptApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script application process is an application process interpreting an executable script.",
      "d3f:interprets": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Script Application Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationProcess"
        },
        {
          "@id": "_:Nb39767e239c2450da454f0d1fbea5706"
        }
      ],
      "skos:altLabel": "Script Process"
    },
    {
      "@id": "_:Nb39767e239c2450da454f0d1fbea5706",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:AuthenticationServer",
      "@type": "owl:Class",
      "d3f:definition": "An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Authentication_server"
      },
      "rdfs:label": "Authentication Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:T1029",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1029",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Scheduled Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:Nf31b2eee026d40d19021bbababf07e83"
        }
      ]
    },
    {
      "@id": "_:Nf31b2eee026d40d19021bbababf07e83",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-754",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-754",
      "rdfs:label": "Improper Check for Unusual or Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:CWE-279",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-279",
      "rdfs:label": "Incorrect Execution-Assigned Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:Harden",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.",
      "d3f:display-order": 0,
      "d3f:display-priority": 0,
      "rdfs:label": "Harden",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:EquivalenceMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EM",
      "d3f:definition": "Equivalence matching is matching two values, which may be bound to variables, to see if they are equivalent.",
      "d3f:kb-article": "## How it works\nEquality is a relationship between two quantities or, more generally, two mathematical expressions, asserting that the quantities have the same value, or that the expressions represent the same mathematical object.\n\nProgramming languages can have multiple senses of equality that may include, but are not limited to:\n\n- Identity: The objects are identical; often indicated by having values indicating the same logical address.\n- Equality: The values of the expressions and properties are equivalent when evaluated; they do not need to have the same logical address.\n\n## References\n1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics))\n2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)",
      "rdfs:label": "Equivalence Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:CWE-764",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-764",
      "rdfs:label": "Multiple Locks of a Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-667"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:CWE-572",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-572",
      "rdfs:label": "Call to Thread run() instead of start()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:T1505",
      "@type": "owl:Class",
      "d3f:attack-id": "T1505",
      "rdfs:label": "Server Software Component",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1583.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.004",
      "rdfs:label": "Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Unsuccessful Logon Attempts | Biometric Attempt Limiting",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-7(3)"
    },
    {
      "@id": "d3f:ServiceApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Service Application Process",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationProcess"
      }
    },
    {
      "@id": "d3f:broader",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "broader",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20040199763"
      },
      "d3f:kb-abstract": "A security system with methodology for interprocess communication control is described. In one embodiment, a method for controlling interprocess communication is provided that includes steps of: defining rules indicating which system services a given application can invoke; trapping an attempt by a particular application to invoke a particular system service; identifying the particular application that is attempting to invoke the particular system service; and based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service.",
      "d3f:kb-author": "Gregor Freund",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring interprocess communications to prevent malicious applications from requesting system services. API calls are monitored to detect malicious applications attempting to open a communication channel (port) to access system services or sending messages to other applications using user32 API functions. These requests are examined against an external rules engine or whitelist; matches deny or block access and produce an error message such as connection refused or service not available.",
      "d3f:kb-organization": "Check Point Software Tech Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Security System with Methodology for Interprocess Communication Control",
      "rdfs:label": "Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Inc"
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForUtilizingATokenForResourceAccess_RsaSecurityInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5657388A/en"
      },
      "d3f:kb-abstract": "A method and apparatus for utilizing a token which is preferably a \"dumb token\" to provide secure access by authorized users to a selected resource. The token stores a secret user code in machine readable form, which code is read by a token processor. The token processor also receives a time-varying value and an algorithm, both of which may be stored or generated at either the token or the token processor and preferably a secret personal identification code which may be inputted at the token, but is preferably inputted at the token processor. The secret user code, time-varying value and secret personal identification code are then algorithmically combined by the algorithm, preferably in the token processor, to generate a one-time nonpredictable code which is transmitted to a host processor. The host processor utilizes the received one-time nonpredictable code to determine if the user is authorized access to the resource and grants access to the resource if the user is determined to be authorized. The system may be modified to operate in query/response mode. The token processor may be any of a variety of available portable remote processors or may be a device such as a telephone which is equipped with card or other token reader and with processing capability.",
      "d3f:kb-author": "Kenneth P. Weiss",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Rsa Security Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:kb-reference-title": "Method and apparatus for utilizing a token for resource access",
      "rdfs:label": "Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc."
    },
    {
      "@id": "d3f:CWE-1330",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1330",
      "rdfs:label": "Remanent Data Readable after Memory Erase",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1301"
      }
    },
    {
      "@id": "d3f:DisplayDeviceDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device driver for a display adapter.",
      "d3f:drives": {
        "@id": "d3f:DisplayAdapter"
      },
      "rdfs:label": "Display Device Driver",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Display_adapter"
        },
        {
          "@id": "dbr:Device_driver"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "_:N3069751ceabd4e9e9b8daca4e41892f4"
        }
      ]
    },
    {
      "@id": "_:N3069751ceabd4e9e9b8daca4e41892f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DisplayAdapter"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Limit Library Privileges",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(6)"
    },
    {
      "@id": "d3f:CertificateTrustStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Certificate"
      },
      "d3f:definition": "A certificate truststore stores the public certificates that the server uses to authenticate clients for an SSL connection.",
      "rdfs:label": "Certificate Trust Store",
      "rdfs:seeAlso": [
        {
          "@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
        },
        {
          "@id": "dbr:Public_key_certificate"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TrustStore"
        },
        {
          "@id": "_:Nf8f947edf42a42939fed07b1ba2d7157"
        }
      ]
    },
    {
      "@id": "_:Nf8f947edf42a42939fed07b1ba2d7157",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Automated Trend Analyses",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "RA-5(6)"
    },
    {
      "@id": "d3f:MathematicalFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Computes mathematical expressions.",
      "rdfs:label": "Mathematical Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:DynamicAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "d3f:ExecutableFile"
        }
      ],
      "d3f:d3fend-id": "D3-DA",
      "d3f:definition": "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.",
      "d3f:kb-article": "## How it works\nAnalyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.\n\n## Considerations\n * Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.\n * Malware can attempt to determine if it is being debugged, and change its behavior accordingly.\n * For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments.\n * Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.\n\n## Implementations\n* [Cuckoo Sandbox](https://cuckoosandbox.org)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd"
        }
      ],
      "d3f:synonym": [
        "Malware Sandbox",
        "Malware Detonation"
      ],
      "rdfs:label": "Dynamic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "_:N884b0885f59a4dc69c71387ade5c7a31"
        },
        {
          "@id": "_:Nf68228bec350405796b7f70fde7b14f0"
        }
      ]
    },
    {
      "@id": "_:N884b0885f59a4dc69c71387ade5c7a31",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "_:Nf68228bec350405796b7f70fde7b14f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:RestoreUserAccountAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreAccess"
      ],
      "d3f:d3fend-id": "D3-RUAA",
      "d3f:definition": "Restoring a user account's access to resources.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Restore User Account Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreAccess"
        },
        {
          "@id": "_:N8cafc6e3a9ed47c6ad70661a23b7e59b"
        }
      ]
    },
    {
      "@id": "_:N8cafc6e3a9ed47c6ad70661a23b7e59b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-001090_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents unauthorized and unintended information transfer via shared system resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001090"
    },
    {
      "@id": "d3f:DescriptiveStatistics",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DS",
      "d3f:definition": "Descriptive statistics provide simple summaries about the sample and about the observations that have been made.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Descriptive statistics. [Link](https://en.wikipedia.org/wiki/Descriptive_statistics)",
      "rdfs:label": "Descriptive Statistics",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:ByteSequenceEmulation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:d3fend-id": "D3-BSE",
      "d3f:definition": "Analyzing sequences of bytes and determining if they likely represent malicious shellcode.",
      "d3f:kb-article": "## How it works\n\nBytes are analyzed as if they are machine code instructions, and such instructions that are a common component of known shellcode are noted, such as stack pivots, reads from a Memory Address Table, and system calls for functions that disable protections or execute code.  For example, the x86 instruction `b0 0b: mov $11, %ax`, with no further alterations to the `%ax` register, followed by `cd 80: syscall` executes the system call `execve()` in the Linux kernel, which replaces the current process with another one specified -- this is a common action in shellcode, so this sequence would be flagged.\n\nThis technique detects shellcode despite whether or not it would cause a buffer overflow in the target binary.\n\nIf the sequence of bytes contains a sequence similar to that used in malicious shellcode, the entire byte sequence is flagged and a follow-on technique may be invoked.\n\n## Considerations\n\n### False Negatives\nIf the shellcode instructions are far apart, simple implementations might not detect the shellcode.\n\nDue to the nature of assembly instructions not having a defined start or end, implementations which do not process all start sequences (for example, when they a find byte sequence of interest, continue scanning forwards from the end of it) might not detect the shellcode.\n\nThis technique might not detect more complex or obfuscated instructions.  For that purpose, Dynamic Analysis or Emulated File Analysis could assist by analyzing the actual instruction function.\n\nThis technique may not detect self-modifying code.  To make it harder for a process to modify itself, Process Segment Execution Prevention should be used, while noting its considerations.\n\nThis technique might not detect malicious shellcode which reuses instructions in the target binary for malicious effect, as memory references in the presumed assembly code are not dereferenced.  
Dynamic Analysis and Emulated File Analysis, when set up properly to fork from the running target binary, might detect this.  Process Segment Execution Prevention combined with Segment Address Offset Randomization frequently makes introduction of shellcode through overwriting a saved return pointer more difficult.  Call stack depth analysis might detect excessive reuse of instructions in the target binary.  Shadow Stack Frames might detect that a stack frame's return address has changed and Stack Frame Canary Verification might detect that the stack frame's return address was overwritten.  Other heuristic methods might detect jump-oriented programming shellcode.\n\nWith inserting code directly, that it is not a buffer overflow, and just some place where code is executed either to a file or a write-what-where, the buffer overflow mitigations do not help.  Behavioral analysis could detect this, or proper access control could mitigate this.\n\n### False Positives\n\nByte sequences containing code that is never used as machine code are still analyzed and flagged for anomalies, and [eventually](http://mathforum.org/library/drmath/view/55871.html), it is likely that an attack sequence will arise from the sheer volume of bytes transmitted.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre"
        },
        {
          "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation"
        }
      ],
      "d3f:synonym": "Shellcode Transmission Detection",
      "rdfs:label": "Byte Sequence Emulation",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTrafficAnalysis"
      }
    },
    {
      "@id": "d3f:CommandAndControl",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:display-order": 10,
      "rdfs:label": "Command And Control",
      "rdfs:subClassOf": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "d3f:Firewall",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines. This definition refers to network firewalls.",
      "rdfs:label": "Firewall",
      "rdfs:seeAlso": {
        "@id": "dbr:Firewall_(computing)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkNode"
      },
      "skos:altLabel": "Network Firewall"
    },
    {
      "@id": "d3f:DefensiveTechniqueClaim",
      "@type": "owl:Class",
      "rdfs:label": "Defensive Technique Claim",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CapabilityFeatureClaim"
        },
        {
          "@id": "_:N70406ad7865f4ad69e617cf47da308fa"
        },
        {
          "@id": "_:Ne2fed538c042411a922b4e32d0eb8abc"
        }
      ],
      "skos:altLabel": "Countermeasure Claim"
    },
    {
      "@id": "_:N70406ad7865f4ad69e617cf47da308fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:cites"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InformationContentEntity"
      }
    },
    {
      "@id": "_:Ne2fed538c042411a922b4e32d0eb8abc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:claims"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "d3f:T1213.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:WebFileResource"
      },
      "d3f:attack-id": "T1213.001",
      "rdfs:label": "Confluence",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:Nce08de4feb144ed4808f543500966b87"
        }
      ]
    },
    {
      "@id": "_:Nce08de4feb144ed4808f543500966b87",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebFileResource"
      }
    },
    {
      "@id": "d3f:ArchiveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Archive_file"
      },
      "rdfs:label": "Archive File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1052",
      "@type": "owl:Class",
      "d3f:attack-id": "T1052",
      "rdfs:label": "Exfiltration Over Physical Medium",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:DeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Remove a file from a machine.",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Delete File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nf40e826db03b48efa4123f789a2018a9"
        }
      ]
    },
    {
      "@id": "_:Nf40e826db03b48efa4123f789a2018a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-8",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-8",
      "rdfs:label": "J2EE Misconfiguration: Entity Bean Declared Remote",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-Reputation_of_an_entity_associated_with_a_content_item",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060253584A1"
      },
      "d3f:kb-author": "Christopher Dixon, Thomas Pinckney",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileHashReputationAnalysis"
      },
      "d3f:kb-reference-title": "Reputation of an entity associated with a content item",
      "rdfs:label": "Reference - Reputation of an entity associated with a content item"
    },
    {
      "@id": "d3f:T1162",
      "@type": "owl:Class",
      "d3f:attack-id": "T1162",
      "rdfs:label": "Login Item",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:deceives",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "deceives",
      "rdfs:subPropertyOf": {
        "@id": "d3f:counters"
      }
    },
    {
      "@id": "d3f:LateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:LateralMovement"
      },
      "rdfs:label": "Lateral Movement Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N2a374b35367e4f64b8a31fda6b370d27"
        }
      ]
    },
    {
      "@id": "_:N2a374b35367e4f64b8a31fda6b370d27",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LateralMovement"
      }
    },
    {
      "@id": "d3f:T1542",
      "@type": "owl:Class",
      "d3f:attack-id": "T1542",
      "rdfs:label": "Pre-OS Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:windows-registry-key",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x value y: The key-value pair x has the key y.",
      "rdfs:label": "windows-registry-key",
      "rdfs:subPropertyOf": {
        "@id": "d3f:windows-registry-data-property"
      },
      "skos:altLabel": "key"
    },
    {
      "@id": "d3f:T1546.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.006",
      "d3f:modifies": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "LC_LOAD_DYLIB Addition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nf23f7fd23620479b928c7f3f00f3ce2d"
        }
      ]
    },
    {
      "@id": "_:Nf23f7fd23620479b928c7f3f00f3ce2d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:MemoryManagementUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:TranslationLookasideBuffer"
      },
      "d3f:creates": {
        "@id": "d3f:VirtualAddress"
      },
      "d3f:definition": "A computer’s memory management unit (MMU) is the physical hardware that handles its virtual memory and caching operations. The MMU is usually located within the computer’s central processing unit (CPU), but sometimes operates in a separate integrated chip (IC).",
      "d3f:manages": [
        {
          "@id": "d3f:PageTable"
        },
        {
          "@id": "d3f:Storage"
        }
      ],
      "rdfs:isDefinedBy": "https://www.techopedia.com/definition/4768/memory-management-unit-mmu",
      "rdfs:label": "Memory Management Unit",
      "rdfs:seeAlso": "https://dbpedia.org/page/Memory_management_unit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessorComponent"
        },
        {
          "@id": "_:N8b17a8470ad4461d844376cba7fd4650"
        },
        {
          "@id": "_:N37a853d7352341d9aab79dd563f9d6ca"
        },
        {
          "@id": "_:N535864316e594be18b136359a6039d1a"
        },
        {
          "@id": "_:N47c45615e1f140af8fd5cbc6eec45905"
        }
      ]
    },
    {
      "@id": "_:N8b17a8470ad4461d844376cba7fd4650",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TranslationLookasideBuffer"
      }
    },
    {
      "@id": "_:N37a853d7352341d9aab79dd563f9d6ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualAddress"
      }
    },
    {
      "@id": "_:N535864316e594be18b136359a6039d1a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PageTable"
      }
    },
    {
      "@id": "_:N47c45615e1f140af8fd5cbc6eec45905",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:CWE-1103",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1103",
      "rdfs:label": "Use of Platform-Dependent Third Party Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:CWE-22",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-22",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-668"
        },
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "_:N0df724ddd81243828edeae0e18f8d465"
        }
      ]
    },
    {
      "@id": "_:N0df724ddd81243828edeae0e18f8d465",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:Multi-factorAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:d3fend-id": "D3-MFA",
      "d3f:definition": "Requiring proof of two or more pieces of evidence in order to authenticate a user.",
      "d3f:kb-article": "## How it works\nWhen logging into an account users present two or more credentials that fall into different categories: something you know (password or PIN), something you have (smart card or phone), or something you are (fingerprint).\n\n## Considerations\nMFA configuration steps may vary across accounts and in some cases left up to users to activate and implement.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndApparatusForUtilizingATokenForResourceAccess_RsaSecurityInc."
      },
      "rdfs:label": "Multi-factor Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N1744237fc4d345a2823787b84343eccd"
        }
      ]
    },
    {
      "@id": "_:N1744237fc4d345a2823787b84343eccd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-1351",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1351",
      "rdfs:label": "Improper Handling of Hardware Behavior in Exceptionally Cold Environments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:CWE-142",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-142",
      "rdfs:label": "Improper Neutralization of Value Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:M1021",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "M1021 scope is broad, touches on an wide variety of techniques in d3fend.",
      "d3f:related": [
        {
          "@id": "d3f:DNSAllowlisting"
        },
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        },
        {
          "@id": "d3f:URLAnalysis"
        }
      ],
      "rdfs:label": "Restrict Web-Based Content"
    },
    {
      "@id": "d3f:ConnectedHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyEnvironment"
      ],
      "d3f:d3fend-id": "D3-CHN",
      "d3f:definition": "A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.",
      "d3f:kb-article": "## How it works\nDecoy honeypots are deployed within the enterprise environment that emulate certain services or portions of an OS to attract attackers.\n\n## Considerations\nA connected honeynet provides a tradeoff between emulating certain functionality but not being as sophisticated as an integrated honeynet. The connected honeynet may not provide enough functionality to detect new attack patterns or zero day exploits but could provide enough functionality for specific known vulnerabilities.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:LocalAreaNetwork"
      },
      "rdfs:label": "Connected Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:N8e497f46313f4f9e9db00bf41a23f490"
        }
      ]
    },
    {
      "@id": "_:N8e497f46313f4f9e9db00bf41a23f490",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:SystemDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemMapping"
      ],
      "d3f:d3fend-id": "D3-SYSDM",
      "d3f:definition": "System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.",
      "d3f:kb-article": "## How it works\nThe organization collects and models architectural information about the software, hardware, and products and maps the dependencies between systems, including each system's internal components and dependencies.\n\n## Considerations\n* Data exchanges identified in the network mapping efforts usually indicate such dependencies, but may not be part of the intended design.\n* Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.\n* System depedency mapping can identify internal dependencies of standard and pre-built systems that should be incorporated into a complete system dependency model.\n* System dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.\n* System dependencies should identify the integral components of a given named system and their structure to form a system.\n* System dependencies with a given system may be fixed by a particular product's configuration, and leveraging external knowledge bases about dependencies available (e.g., from package managers) is essential.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:SystemDependency"
      },
      "rdfs:label": "System Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:N664c0b855293493ab985455f724af4e6"
        }
      ]
    },
    {
      "@id": "_:N664c0b855293493ab985455f724af4e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemDependency"
      }
    },
    {
      "@id": "d3f:process-property",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-property y: Process x has the a process-property y.  This is generalization for specific process object properties.",
      "rdfs:label": "process-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1055.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:attack-id": "T1055.009",
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemFile"
      },
      "rdfs:label": "Proc Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nd98c601140924c8d86bbedb4df982079"
        },
        {
          "@id": "_:N3cd0bbba40344edab8d4f4331e004dc6"
        }
      ]
    },
    {
      "@id": "_:Nd98c601140924c8d86bbedb4df982079",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "_:N3cd0bbba40344edab8d4f4331e004dc6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:M1049",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "Process Analysis and subclasses.",
      "d3f:related": [
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "rdfs:label": "Antivirus/Antimalware"
    },
    {
      "@id": "d3f:CWE-1079",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1079",
      "rdfs:label": "Parent Class without Virtual Destructor Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:CAPECThing",
      "@type": "owl:Class",
      "rdfs:label": "CAPEC Thing"
    },
    {
      "@id": "d3f:CWE-537",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-537",
      "rdfs:label": "Java Runtime Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:M1044",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "D3-SCF is one possible way to filter library loading.",
      "d3f:related": {
        "@id": "d3f:SystemCallFiltering"
      },
      "rdfs:label": "Restrict Library Loading"
    },
    {
      "@id": "d3f:attack-kb-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "attack-kb-data-property",
      "rdfs:subPropertyOf": {
        "@id": "owl:topDataProperty"
      },
      "skos:altLabel": "attack-kb-property"
    },
    {
      "@id": "d3f:ImportLibraryFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Loads an external software library to enable the invocations of its methods.",
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Import Library Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nb08a488d04dd49e589cdc3c3a69d1ece"
        }
      ]
    },
    {
      "@id": "_:Nb08a488d04dd49e589cdc3c3a69d1ece",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:CWE-620",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-620",
      "rdfs:label": "Unverified Password Change",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:ProcessSelf-ModificationDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Process"
      },
      "d3f:d3fend-id": "D3-PSMD",
      "d3f:definition": "Detects processes that modify, change, or replace their own code at runtime.",
      "d3f:kb-article": "## How it Works\nA security agent installed on the host machine intercepts API calls between a process and operating system. Intercepted API calls are then compared against attack signatures/patterns to identify API calls that modify executable memory or modify the entry point address of a suspended child process. Attack patterns include:\n\n* Executable code of a suspended child process removed from memory by one or more API calls.\n* New executable code injected and / or loaded into memory of a suspended child process by one or more API calls.\n* Executable code modified by one or more API calls.\n* Next instruction pointer value in memory modified by one or more API calls.\n\n## Considerations\nComparing loaded code segments of processes with what is expected to have been loaded from a file can result in false positives, due to legitimate uses of self-modification for decrypting or uncompressing code segments.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc"
      },
      "rdfs:label": "Process Self-Modification Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:Nc4cf2a9d64cb4590b6f1ca969eb954c5"
        }
      ]
    },
    {
      "@id": "_:Nc4cf2a9d64cb4590b6f1ca969eb954c5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:AMD64CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "AMD64 Code Segment"
    },
    {
      "@id": "d3f:CreateSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:Pipe"
      },
      "d3f:definition": "A create socket system call creates an endpoint for communication and returns a file descriptor that refers to that endpoint.",
      "rdfs:label": "Create Socket",
      "rdfs:seeAlso": {
        "@id": "https://www.man7.org/linux/man-pages/man2/socket.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Na6f07df644d54088a7ff7a4683766c38"
        }
      ]
    },
    {
      "@id": "_:Na6f07df644d54088a7ff7a4683766c38",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "_:N1ff554a5f9954cfeb542ac7de06d2dfc",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Clustering"
          },
          {
            "@id": "d3f:Grouping"
          },
          {
            "@id": "d3f:Histogramming"
          }
        ]
      }
    },
    {
      "@id": "d3f:CCI-000022_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000022"
    },
    {
      "@id": "d3f:CWE-1265",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1265",
      "rdfs:label": "Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-414",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-414",
      "rdfs:label": "Missing Lock Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:T1137.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:Software"
      },
      "d3f:attack-id": "T1137.006",
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:modifies": {
        "@id": "d3f:OfficeApplication"
      },
      "rdfs:label": "Add-ins",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N71879b9ed9ee47209dc69fd83ff9c435"
        },
        {
          "@id": "_:N51a845d3f8774411a66347ab1b11c7e9"
        },
        {
          "@id": "_:N07f988cacec444f9ac72741021178f00"
        }
      ]
    },
    {
      "@id": "_:N71879b9ed9ee47209dc69fd83ff9c435",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:N51a845d3f8774411a66347ab1b11c7e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:N07f988cacec444f9ac72741021178f00",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplication"
      }
    },
    {
      "@id": "d3f:CWE-1078",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1078",
      "rdfs:label": "Inappropriate Source Code Style or Formatting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:T1101",
      "@type": "owl:Class",
      "d3f:attack-id": "T1101",
      "rdfs:label": "Security Support Provider",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1112",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1112",
      "d3f:modifies": {
        "@id": "d3f:WindowsRegistry"
      },
      "rdfs:label": "Modify Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N1d7cc097958845e9b1e978a6bdfb7f0d"
        }
      ]
    },
    {
      "@id": "_:N1d7cc097958845e9b1e978a6bdfb7f0d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistry"
      }
    },
    {
      "@id": "d3f:CWE-110",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-110",
      "rdfs:label": "Struts: Validator Without Form Field",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:MouseInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A computer mouse (plural mice or mouses) is a hand-held pointing device that detects two-dimensional motion relative to a surface. This motion is typically translated into the motion of a pointer on a display, which allows a smooth control of the graphical user interface of a computer. In addition to moving a cursor, computer mice have one or more buttons to allow operations such as selection of a menu item on a display. Mice often also feature other elements, such as touch surfaces and scroll wheels, which enable additional control and dimensional input.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_mouse"
      },
      "rdfs:label": "Mouse Input Device",
      "rdfs:seeAlso": {
        "@id": "dbr:Pointing_device"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      },
      "skos:altLabel": "Computer Mouse"
    },
    {
      "@id": "d3f:description",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "A statement that represents something in words.",
      "rdfs:isDefinedBy": {
        "@type": "xsd:anyURI",
        "@value": "http://wordnet-rdf.princeton.edu/id/06737512-n"
      },
      "rdfs:label": {
        "@language": "en",
        "@value": "description"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-annotation-property"
      }
    },
    {
      "@id": "d3f:T1068",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1068",
      "d3f:enables": {
        "@id": "d3f:PrivilegeEscalation"
      },
      "d3f:may-modify": {
        "@id": "d3f:StackFrame"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Exploitation for Privilege Escalation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N6732bc50ca724893a62ff062a198d649"
        },
        {
          "@id": "_:N273ce74c141a455ba0ac784182c4132e"
        },
        {
          "@id": "_:N3973ead2a02742d98d118576886e4ca6"
        }
      ]
    },
    {
      "@id": "_:N6732bc50ca724893a62ff062a198d649",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivilegeEscalation"
      }
    },
    {
      "@id": "_:N273ce74c141a455ba0ac784182c4132e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "_:N3973ead2a02742d98d118576886e4ca6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:StandaloneHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyEnvironment"
      ],
      "d3f:d3fend-id": "D3-SHN",
      "d3f:definition": "An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.",
      "d3f:kb-article": "## How it works\nA standalone honeynet does not directly interact with the real enterprise environment. It may be located near or in some portion of the enterprise address space, but it does not interact with enterprise resources.\n\n## Considerations\nA standalone honeynet is a lower risk to deploy compared to connected or integrated honeynets due to its isolation from the enterprise network. However, this comes at cost in loss of fidelity and realism. Significant extra effort must be made in order to make the environment look realistic.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:IntranetNetwork"
      },
      "rdfs:label": "Standalone Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:N1fef9209d46447c9ac82bf216ccffc53"
        }
      ]
    },
    {
      "@id": "_:N1fef9209d46447c9ac82bf216ccffc53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:non-real-time-eviction",
      "@type": [
        "owl:NamedIndividual",
        "d3f:EvictionLatency"
      ],
      "rdfs:label": "non-real-time-eviction"
    },
    {
      "@id": "d3f:Reference-RDPConnectionDetection_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-002"
      },
      "d3f:kb-abstract": "The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "CAR-2013-07-002: RDP Connection Detection",
      "rdfs:label": "Reference - CAR-2013-07-002: RDP Connection Detection - MITRE"
    },
    {
      "@id": "d3f:T1593",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593",
      "rdfs:label": "Search Open Websites/Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001169_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the download of organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001169"
    },
    {
      "@id": "d3f:Page",
      "@type": "owl:Class",
      "d3f:definition": "A page, memory page, logical page, or virtual page is a fixed-length contiguous block of virtual memory, described by a single entry in the page table. It is the smallest unit of data for memory management in a virtual memory operating system.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Page_(computer_memory)",
      "rdfs:label": "Page",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:CanopyClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CC",
      "d3f:definition": "The canopy clustering algorithm is an unsupervised pre-clustering algorithm  often used as preprocessing step for the K-means algorithm or the Hierarchical clustering algorithm. It is intended to speed up clustering operations on large data sets.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Canopy clustering algorithm. [Link](https://en.wikipedia.org/wiki/Canopy_clustering_algorithm)",
      "rdfs:label": "Canopy Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:ProbabilisticLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Probabilistic logic extends traditional logic truth tables with probabilistic expressions.",
      "d3f:kb-article": "## References\n1. Probabilistic logic. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Probabilistic_logic)",
      "rdfs:label": "Probabilistic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:CWE-122",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-122",
      "rdfs:label": "Heap-based Buffer Overflow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-787"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "d3f:CWE-571",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-571",
      "rdfs:label": "Expression is Always True",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Reference-RegistryKeySecurityAndAccessRights",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights"
      },
      "d3f:kb-abstract": "The Windows security model enables you to control access to registry keys. For more information about security, see Access-Control Model.",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "Registry Key Security and Access Rights",
      "rdfs:label": "Reference - Registry Key Security and Access Rights"
    },
    {
      "@id": "d3f:ImageScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "An image scanner -- often abbreviated to just scanner, is a device that optically scans images, printed text, handwriting or an object and converts it to a digital image. Commonly used in offices are variations of the desktop flatbed scanner where the document is placed on a glass window for scanning. Hand-held scanners, where the device is moved by hand, have evolved from text scanning \"wands\" to 3D scanners used for industrial design, reverse engineering, test and measurement, orthotics, gaming and other applications. Mechanically driven scanners that move the document are typically used for large-format documents, where a flatbed design would be impractical.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Image_scanner"
      },
      "rdfs:label": "Image Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:VideoInputDevice"
      },
      "skos:altLabel": "Scanner"
    },
    {
      "@id": "d3f:AccessToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. Typically one may be asked to enter the access token (e.g. 40 random characters) rather than the usual password (it therefore should be kept secret just like a password).",
      "rdfs:label": "Access Token",
      "rdfs:seeAlso": {
        "@id": "dbr:Access_token"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": [
        "Ticket",
        "Token"
      ]
    },
    {
      "@id": "d3f:AccessControlList",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A list of permissions attached to an object.",
      "d3f:restricts": {
        "@id": "d3f:UserGroup"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Access-control_list"
      },
      "rdfs:label": "Access Control List",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "_:N5a060be8bce342c5b64bb0af2935e11e"
        }
      ]
    },
    {
      "@id": "_:N5a060be8bce342c5b64bb0af2935e11e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserGroup"
      }
    },
    {
      "@id": "d3f:T1569.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569.001",
      "rdfs:label": "Launchctl",
      "rdfs:subClassOf": {
        "@id": "d3f:T1569"
      }
    },
    {
      "@id": "d3f:CWE-827",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-827",
      "rdfs:label": "Improper Control of Document Type Definition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "d3f:CWE-829"
        }
      ]
    },
    {
      "@id": "d3f:CWE-203",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-203",
      "rdfs:label": "Observable Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:NTFSJunctionPoint",
      "@type": "owl:Class",
      "d3f:definition": "NTFS junction points are are similar to NTFS symlinks but are defined only for directories. Only accepts local absolute paths.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Junction Point",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTFSLink"
        },
        {
          "@id": "d3f:SymbolicLink"
        }
      ],
      "skos:altLabel": "Junction Point"
    },
    {
      "@id": "d3f:may-add",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-add y: They entity x may add the thing y; that is, 'x adds y' may be true.",
      "rdfs:label": "may-add",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:LinuxTime",
      "@type": "owl:Class",
      "d3f:definition": "Get time in seconds.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/time.2.html",
      "rdfs:label": "Linux Time",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIGetSystemTime"
      }
    },
    {
      "@id": "d3f:CCI-002536_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RFShielding"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002536"
    },
    {
      "@id": "d3f:UnsupervisedPreprocessing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-UP",
      "d3f:definition": "When performing unsupervised learning, the machine is presented with unlabeled data. (Unlabeled data has no target.) Unsupervised learning algorithms seek to discover intrinsic patterns that underlie the data, such as a clustering parameter or a redundant parameter (dimension) that can be reduced.",
      "d3f:kb-article": "## References\nSAS Institute Inc. (n.d.). Decision Trees. In SAS® Visual Data Mining and Machine Learning.[Link](https://documentation.sas.com/doc/en/vdmmlcdc/8.4/vdmmladvug/n1e4spzcnv1f0fn1vsxhbzgdp1bb.htm).",
      "rdfs:label": "Unsupervised Preprocessing",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:CWE-261",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-261",
      "rdfs:label": "Weak Encoding for Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:CWE-1106",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1106",
      "rdfs:label": "Insufficient Use of Symbolic Constants",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:Instance-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IBTL",
      "d3f:definition": "Instance-based transfer learning methods try to reweight the samples in the source domain in an attempt to correct for marginal distribution differences. These reweighted instances are then directly used in the target domain for training.",
      "d3f:kb-article": "## References\nGeorgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).",
      "rdfs:label": "Instance-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:SomersD",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SD",
      "rdfs:label": "Somers' D",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:T1614",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:ConfigurationResource"
      },
      "d3f:attack-id": "T1614",
      "rdfs:label": "System Location Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N7d41a11b415e4b8b897ca85abf18de88"
        }
      ]
    },
    {
      "@id": "_:N7d41a11b415e4b8b897ca85abf18de88",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:StringEquivalenceMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SEM",
      "d3f:definition": "String equivalence matching is a type of string pattern matching which is exact; that is, the strings being compared must have the same value for each character in their sequence and be of the same length.",
      "d3f:kb-article": "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)\n2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)",
      "rdfs:label": "String Equivalence Matching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EquivalenceMatching"
        },
        {
          "@id": "d3f:StringPatternMatching"
        }
      ]
    },
    {
      "@id": "d3f:T1590.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.006",
      "rdfs:label": "Network Security Appliances",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:M1053",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "Comprehensive IT disaster recovery plans are outside the current scope of D3FEND.",
      "rdfs:label": "Data Backup"
    },
    {
      "@id": "d3f:process-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-data-property y: The process x has the data property y.",
      "rdfs:label": "process-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-artifact-data-property"
      }
    },
    {
      "@id": "d3f:T1181",
      "@type": "owl:Class",
      "d3f:attack-id": "T1181",
      "rdfs:label": "Extra Window Memory Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ExactMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EM",
      "d3f:definition": "Exact matching for numeric types is just the simple test for mathematical equivalence of the values being matched.",
      "d3f:kb-article": "## References\n1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics)]",
      "d3f:synonym": "Numeric Equivalence Matching",
      "rdfs:label": "Exact Matching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EquivalenceMatching"
        },
        {
          "@id": "d3f:NumericPatternMatching"
        }
      ]
    },
    {
      "@id": "d3f:PasswordManager",
      "@type": "owl:Class",
      "d3f:definition": "A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offer data storage in the user's own cloud accounts rather than the provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Password_manager"
      },
      "rdfs:label": "Password Manager",
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CWE-163",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-163",
      "rdfs:label": "Improper Neutralization of Multiple Trailing Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-162"
      }
    },
    {
      "@id": "d3f:SoftwarePatch",
      "@type": "owl:Class",
      "d3f:definition": "A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Patch_(computing)"
      },
      "rdfs:label": "Software Patch",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      },
      "skos:altLabel": "Patch"
    },
    {
      "@id": "d3f:CWE-1304",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1304",
      "rdfs:label": "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:PasswordStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user repository of account passwords, often accessed via a password manager.",
      "rdfs:label": "Password Store",
      "rdfs:seeAlso": {
        "@id": "dbr:Password_manager"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordDatabase"
      }
    },
    {
      "@id": "d3f:CWE-586",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-586",
      "rdfs:label": "Explicit Call to Finalize()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-001/"
      },
      "d3f:kb-abstract": "Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-001: Boot or Logon Initialization Scripts",
      "rdfs:label": "Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE"
    },
    {
      "@id": "d3f:Session",
      "@type": "owl:Class",
      "d3f:definition": "In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Session_(computer_science)"
      },
      "rdfs:label": "Session",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/session",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:TestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "A test execution tool is a type of software used to test software, hardware or complete systems.  Synonyms of test execution tool include test execution engine, test executive, test manager, test sequencer.  Two common forms in which a test execution engine may appear are as a: (a) module of a test software suite (test bench) or an integrated development environment, or (b) stand-alone application software.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Test_execution_engine"
      },
      "rdfs:label": "Test Execution Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": [
        "Test Execution Engine",
        "Test Executive",
        "Test Manager"
      ]
    },
    {
      "@id": "d3f:claimed-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:claims"
      },
      "rdfs:label": "claimed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:CWE-252",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-252",
      "rdfs:label": "Unchecked Return Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:InternetFileTransferTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.",
      "rdfs:label": "Internet File Transfer Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:InternetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1244",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1244",
      "rdfs:label": "Internal Asset Exposed to Unsafe Debug Access Level or State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:CWE-77",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-77",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Special Elements used in a Command ('Command Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "_:Nfd9270f644ca41c693ea678e5e6eec29"
        }
      ]
    },
    {
      "@id": "_:Nfd9270f644ca41c693ea678e5e6eec29",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:FileShareService",
      "@type": "owl:Class",
      "d3f:definition": "A file sharing service (or file share service) provides the ability to share data across a network.",
      "rdfs:label": "File Share Service",
      "rdfs:seeAlso": {
        "@id": "dbr:File_sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      }
    },
    {
      "@id": "d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://https://datatracker.ietf.org/doc/html/rfc3411"
      },
      "d3f:kb-author": "D. Harrington, R. Presuhn, B. Wijnen",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks",
      "rdfs:label": "Reference - An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks"
    },
    {
      "@id": "d3f:CWE-617",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-617",
      "rdfs:label": "Reachable Assertion",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:ReferenceType",
      "@type": "owl:Class",
      "rdfs:label": "Reference Type",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CWE-506",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-506",
      "rdfs:label": "Embedded Malicious Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-912"
      }
    },
    {
      "@id": "d3f:Exec",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:executes": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Exec",
      "rdfs:seeAlso": "https://dbpedia.org/page/Exec",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nc062f7610a264d9d9218ce67166dcfc2"
        }
      ]
    },
    {
      "@id": "_:Nc062f7610a264d9d9218ce67166dcfc2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:OutboundInternetEncryptedWebTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted web traffic is network traffic using a standard web protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Web Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetEncryptedTraffic"
        },
        {
          "@id": "d3f:OutboundInternetWebTraffic"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-002%3AComponentObjectModelHijacking_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-002/"
      },
      "d3f:kb-abstract": "Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\\Software\\Classes\\CLSID or HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID keys. Accordingly, this analytic looks for any changes under these keys.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-002: Component Object Model Hijacking",
      "rdfs:label": "Reference - CAR-2020-09-002:  Component Object Model Hijacking - MITRE"
    },
    {
      "@id": "d3f:CWE-448",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-448",
      "rdfs:label": "Obsolete Feature in UI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-446"
      }
    },
    {
      "@id": "d3f:UserAccountPermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-UAP",
      "d3f:definition": "Restricting a user account's access to resources.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ConfigureUserAccessControlAndPermissions"
      },
      "d3f:restricts": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "User Account Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:Ncbd3f1a39bea44b0bd3cfbca4c5e5931"
        }
      ]
    },
    {
      "@id": "_:Ncbd3f1a39bea44b0bd3cfbca4c5e5931",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:RegressionAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RA",
      "d3f:definition": "Regression analysis is a set of statistical processes for estimating the relationships between a dependent variable (often called the 'outcome' or 'response' variable, or a 'label' in machine learning parlance) and one or more independent variables (often called 'predictors', 'covariates', 'explanatory variables' or 'features').",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Regression analysis. [Link](https://en.wikipedia.org/wiki/Regression_analysis)",
      "rdfs:label": "Regression Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:CCI-000205_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces minimum password length.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000205"
    },
    {
      "@id": "d3f:may-be-associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-be-associated-with y: The subject x and object y may be associated in some way.",
      "rdfs:label": "may-be-associated-with",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13804981-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:T1596",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596",
      "rdfs:label": "Search Open Technical Databases",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:InterquartileRange",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IR",
      "d3f:definition": "The interquartile range (IQR) is a measure of statistical dispersion, which is the spread of the data and is defined as the difference between the 75th and 25th percentiles of the data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Interquartile range. [Link](https://en.wikipedia.org/wiki/Interquartile_range)",
      "d3f:synonym": "IQR",
      "rdfs:label": "Interquartile Range",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:FileRemoval",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileEviction"
      ],
      "d3f:d3fend-id": "D3-FR",
      "d3f:definition": "The file removal technique deletes malicious artifacts or programs from a computer system.",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "d3f:kb-article": "## How it works\n\nAdversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware which is directly harmful and content files with the intent to deceive users (e.g., phishing.)\n\nOn Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and makes changes so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it.\n\n## Considerations\n\nWhen it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff.\n\nOn Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. Even then, in some cases the data may persist in disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives"
      },
      "d3f:may-access": {
        "@id": "d3f:FileServer"
      },
      "d3f:synonym": "File Deletion",
      "rdfs:label": "File Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEviction"
        },
        {
          "@id": "_:N15c6a60fda764f1e9882f904b09d72c0"
        },
        {
          "@id": "_:N8a1b6b032d934c8fbdc885c2f19d92bb"
        }
      ]
    },
    {
      "@id": "_:N15c6a60fda764f1e9882f904b09d72c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N8a1b6b032d934c8fbdc885c2f19d92bb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileServer"
      }
    },
    {
      "@id": "d3f:ExecutableDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutionIsolation"
      ],
      "d3f:blocks": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:d3fend-id": "D3-EDL",
      "d3f:definition": "Blocking the execution of files on a host in accordance with defined application policy rules.",
      "d3f:kb-article": "## How it works\n\n#### Criteria\n\nA policy-enforcing application can register an application for denylisting based on conditions including the following:\n\n* File attributes\n    * file name\n    * file path\n    * file hash\n    * file publisher, as obtained from the digital signature\n    * permissions of the file\n* File malware scan (eg. Windows SmartScreen)\n* User-File combination\n\nThis may be done to prevent execution of applications which are:\n\n* an old version with known vulnerabilities\n* without a valid license, which could cause legal issues\n* in a directory that is accessible to low-privileged users, that could be accessed by a malware dropper\n* known trojan horse programs\n* too open in their permissions, possibly set to run as a user other than the originator or allowing execution when they should not be\n* a match to the hash of other known malware\n* are detected as undesirable based on a file scan runtime behavior\n\nSystem administrators will customize the rules for the given environment.\n\n#### Backend\n\nThe policy-enforcing program may work by running in kernel mode, and [intercepting] [system calls which execute a process].\n\n## Considerations\n\n* If denylisting is done by filename, filepath, or hash, these mechanisms may be a worthy first line of defense and detection, but could still be evaded by an attacker.\n* Continuous management is needed to keep the denylist up to date, whether it is based on hash, publisher, behavior, or any other digital artifact.\n* Although denylists based on attributes such as file path and virus scan could defend against some threats which they have not been explicitly coded to block, denylists may not provide protection from new, unknown, or zero day attacks.\n\n\n## Examples\nOn a Windows machine the Windows Defender Application Control (WDAC) policy enforcement is run in the kernel and allows for restricting applications.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-ContentExtractorAndAnalysisSystem_Bit9Inc,CarbonBlackInc"
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:synonym": "Executable Blacklisting",
      "rdfs:label": "Executable Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:N22f2b7e0357442a8b135539fc92ebd07"
        },
        {
          "@id": "_:Nac2101602d8b43e98f2a936f9cfc3981"
        }
      ]
    },
    {
      "@id": "_:N22f2b7e0357442a8b135539fc92ebd07",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nac2101602d8b43e98f2a936f9cfc3981",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1564.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.006",
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "d3f:executes": {
        "@id": "d3f:VirtualizationSoftware"
      },
      "d3f:may-add": {
        "@id": "d3f:VirtualizationSoftware"
      },
      "d3f:may-create": {
        "@id": "d3f:Directory"
      },
      "rdfs:label": "Run Virtual Instance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N1a1a3df1eb8e450895767cbd94474c0a"
        },
        {
          "@id": "_:N1571235549f94bc7a623fc66a9a32896"
        },
        {
          "@id": "_:N61f64bf67f434791844c945d49afbda1"
        },
        {
          "@id": "_:N83e21bdf4e5644e4994c9771a67a2022"
        }
      ]
    },
    {
      "@id": "_:N1a1a3df1eb8e450895767cbd94474c0a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N1571235549f94bc7a623fc66a9a32896",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualizationSoftware"
      }
    },
    {
      "@id": "_:N61f64bf67f434791844c945d49afbda1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualizationSoftware"
      }
    },
    {
      "@id": "_:N83e21bdf4e5644e4994c9771a67a2022",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "d3f:CWE-1314",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1314",
      "rdfs:label": "Missing Write Protection for Parametric Data Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-862"
      }
    },
    {
      "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191559A1"
      },
      "d3f:kb-abstract": "Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.",
      "d3f:kb-author": "Himanshu Mhatre; David Lopes Pegna; Oliver Brdiczka",
      "d3f:kb-mitre-analysis": "The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Current network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Current data transfer values are then compared with the baseline to identify anomalies.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserDataTransferAnalysis"
      },
      "d3f:kb-reference-title": "System for implementing threat detection using threat and risk assessment of asset-actor interactions",
      "rdfs:label": "Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:CCI-001133_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SessionDurationAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001133"
    },
    {
      "@id": "d3f:CCI-001936_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001936"
    },
    {
      "@id": "d3f:Reference-ContainerImageAnalysis",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF"
      },
      "d3f:kb-abstract": "Container Images can contain unneeded, unsecured or insecure files.\n        By analyzing the container image, we can identify whether it respects\n        a specific set of predefined policies.",
      "d3f:kb-author": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:ContainerImageAnalysis"
      },
      "d3f:kb-reference-title": "Kubernetes Hardening Guide",
      "rdfs:label": "Reference - Container Image Analysis"
    },
    {
      "@id": "d3f:CCI-000037_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements separation of duties through assigned information system access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000037"
    },
    {
      "@id": "d3f:ExpectedModelChange",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EMC",
      "d3f:definition": "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis.",
      "d3f:kb-article": "nal Consiterations\n\n## References\nIntro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Expected Model Change",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:Database",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Database"
      },
      "rdfs:label": "Database",
      "rdfs:seeAlso": {
        "@id": "dbr:Database"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:MarketingMaterial",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "Marketing Material"
    },
    {
      "@id": "d3f:CCI-002306_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002306"
    },
    {
      "@id": "d3f:T1546.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.005",
      "d3f:executes": {
        "@id": "d3f:Command"
      },
      "d3f:may-create": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-modify": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Trap",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N0e0455c1a28b4787aad2da22b2a9b560"
        },
        {
          "@id": "_:Nee37a58182ef47988c2b7b247b1dfd1c"
        },
        {
          "@id": "_:N223300826e794c9da081780be664b8c9"
        },
        {
          "@id": "_:N53de4fc661e14a56866da961afd6a187"
        }
      ]
    },
    {
      "@id": "_:N0e0455c1a28b4787aad2da22b2a9b560",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Command"
      }
    },
    {
      "@id": "_:Nee37a58182ef47988c2b7b247b1dfd1c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N223300826e794c9da081780be664b8c9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N53de4fc661e14a56866da961afd6a187",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:DataInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-DI",
      "d3f:definition": "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.",
      "d3f:inventories": [
        {
          "@id": "d3f:Database"
        },
        {
          "@id": "d3f:DocumentFile"
        }
      ],
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DataProcessingAndScanningSystemsForGeneratingAndPopulatingADataInventory"
      },
      "d3f:synonym": [
        "Data Discovery",
        "Data Inventorying"
      ],
      "rdfs:label": "Data Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N7dc7d169d79440c083e248c2f957df75"
        },
        {
          "@id": "_:N7b8408f10f7a415da2004cf68cd2b4ba"
        }
      ]
    },
    {
      "@id": "_:N7dc7d169d79440c083e248c2f957df75",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "_:N7b8408f10f7a415da2004cf68cd2b4ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "d3f:T1177",
      "@type": "owl:Class",
      "d3f:attack-id": "T1177",
      "rdfs:label": "LSASS Driver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002145_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002145"
    },
    {
      "@id": "d3f:RelayPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RPA",
      "d3f:definition": "The detection of an internal host relaying traffic between the internal network and the external network.",
      "d3f:kb-article": "## How it works\nA relay may use a variety of proxying, forwarding, or routing technologies to bridge a protected network with an external network. A defensive analytic to detect a relay network may compare the network sessions among multiple hosts. Hosts which have nearly similar network statistics may be part of a relay network. The statistics may include number of bytes sent to and from, time of session initiation, packet size, or packet arrival time data.\n\n## Considerations\n\nComplex intranet VPNs or routing encapsulation may affect the detection analytics.  In addition, unwanted packets might not be forwarded, and additional packets may be added at the relay, further complicating detection.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc"
      },
      "d3f:synonym": "Relay Network Detection",
      "rdfs:label": "Relay Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N2cc6acf10a5e47d689ae43c104f68f99"
        }
      ]
    },
    {
      "@id": "_:N2cc6acf10a5e47d689ae43c104f68f99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:DefaultUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.",
      "rdfs:label": "Default User Account",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:Certificate-basedAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-CBAN",
      "d3f:definition": "Requiring a digital certificate in order to authenticate a user.",
      "rdfs:label": "Certificate-based Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialHardening"
      }
    },
    {
      "@id": "d3f:Book",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ReferenceType"
      ],
      "rdfs:label": "Book"
    },
    {
      "@id": "d3f:NetworkTrafficPolicyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkMapping"
      ],
      "d3f:d3fend-id": "D3-NTPM",
      "d3f:definition": "Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CiscoASR9000AccessListCommands"
      },
      "d3f:maps": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "d3f:queries": {
        "@id": "d3f:CollectorAgent"
      },
      "d3f:synonym": [
        "Web Security Gateway Policy Mapping",
        "Firewall Mapping",
        "DLP Policy Mapping",
        "IPS Policy Mapping"
      ],
      "rdfs:label": "Network Traffic Policy Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:N8138ce832a9a4acca0ef03479b0ff8c6"
        },
        {
          "@id": "_:N84d456faa16544efb20c8bf2df469fd5"
        }
      ]
    },
    {
      "@id": "_:N8138ce832a9a4acca0ef03479b0ff8c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:N84d456faa16544efb20c8bf2df469fd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CollectorAgent"
      }
    },
    {
      "@id": "d3f:IntrinsicallySemi-supervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ISSL",
      "d3f:definition": "These methods directly optimize an objective function with components for labeled and unlabeled samples and do not rely on any intermediate steps or supervised base learners. Basically, these methods are extensions of existing supervised methods to include the effect of unlabeled data samples in the objective function.",
      "d3f:kb-article": "## References\nBeginner's Guide to Semi-Supervised Learning. Jashish Blog.  [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).",
      "rdfs:label": "Intrinsically Semi-supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:Clustering",
      "@type": "owl:Class",
      "rdfs:label": "Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:CWE-243",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-243",
      "rdfs:label": "Creation of chroot Jail Without Changing Working Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-669"
        }
      ]
    },
    {
      "@id": "d3f:T1126",
      "@type": "owl:Class",
      "d3f:attack-id": "T1126",
      "rdfs:label": "Network Share Connection Removal",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-170",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-170",
      "rdfs:label": "Improper Null Termination",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:CCI-002617_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002617"
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-001/"
      },
      "d3f:kb-abstract": "Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store",
      "rdfs:label": "Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITRE"
    },
    {
      "@id": "d3f:Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-08-001/"
      },
      "d3f:kb-abstract": "NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities",
      "rdfs:label": "Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITRE"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9578081B2/en"
      },
      "d3f:kb-abstract": "A system and method for providing an actively invalidated client-side network resource cache are disclosed. A particular embodiment includes: a client configured to request, for a client application, data associated with an identifier from a server; the server configured to provide the data associated with the identifier and to establish a queue associated with the identifier at a scalable message queuing system, the client being configured to subscribe to the queue at the scalable message queuing system to receive invalidation information associated with the data; the server being further configured to signal the queue of an invalidation event associated with the data; the scalable message queuing system being configured to convey information indicative of the invalidation event to the client; and the client being further configured to re-request the data associated with the identifier from the server upon receipt of the information indicative of the invalidation event.",
      "d3f:kb-author": "Jon Watte",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "IMVU",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:kb-reference-title": "System and method for providing an actively invalidated client-side network resource cache",
      "rdfs:label": "Reference - System and method for providing an actively invalidated client-side network resource cache - IMVU"
    },
    {
      "@id": "d3f:AgglomerativeClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AC",
      "d3f:definition": "Agglomerative Clustering is a type of hierarchical clustering method where data points are grouped together based on similarity. Initially, each data point is treated as an individual cluster, and then in successive iterations, the closest clusters are merged until only one large cluster remains or until a specified stopping criterion is met.",
      "d3f:kb-article": "## How it works\n\nAgglomerative clustering starts with each data point as its own cluster. The algorithm then iterates, identifying the two clusters that are closest to each other based on a defined distance metric (e.g., Euclidean, Manhattan). These two clusters are then merged into a single cluster. This process continues iteratively, merging the closest pairs of clusters in each step until all data points are merged into a single cluster or until other stopping criteria are achieved. A dendrogram, which is a tree-like diagram, can be used to represent the sequence of merges, providing a visual representation of the hierarchical structure of data.\n\n## Considerations\n\n- **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan).\n\n- **Scalability**: Agglomerative clustering can be computationally intensive for large datasets.\n\n- **Sensitivity**: The method can be sensitive to outliers, which might affect the quality of the clusters formed.\n\n## Key Test Considerations\n\n- **Unsupervised Learning**:\n\n  - **Number of Clusters**: Determine an optimal number of clusters using the dendrogram and techniques like the elbow method.\n\n- **Cluster Analysis**:\n\n    - **Silhouette Score**: Evaluates how similar an object is to its own cluster compared to other clusters. A higher silhouette score indicates that the object is well matched to its own cluster and poorly matched to neighboring clusters.\n\n    - **Dunn Index**: Measures the ratio between the smallest distance between observations not in the same cluster to the largest intra-cluster distance.\n\n- **Hierarchical Clustering**:\n\n    - **Cophenetic Correlation Coefficient**: Measures the correlation between the distances of points in feature space and their distances on the dendrogram. 
Helps assess the fidelity of the dendrogram in preserving pairwise distances between samples.\n\n- **Agglomerative Clustering**:\n\n    - **Linkage Criteria**: Test different linkage criteria (e.g., single, complete, average) to determine which produces the most cohesive clusters for the data at hand.\n\n  ## Platforms, Tools, or Libraries\n\n- **scikit-learn**:\n\n    - A versatile machine learning library in Python.\n\n    - The `AgglomerativeClustering` class in scikit-learn provides this functionality.\n\n- **SciPy**:\n\n    - A Python library used for scientific and technical computing.\n\n    - The `scipy.cluster.hierarchy` module provides functions for hierarchical and\n    agglomerative clustering, including the `linkage` and `dendrogram` functions.\n\n- **R**:\n\n    - The `hclust` function in the stats package provides agglomerative clustering.\n\n    - The `agnes` function in the `cluster` package offers a more extensive implementation.\n\n- **MATLAB**:\n\n    - Offers the `linkage` function for hierarchical agglomerative clustering and `dendrogram` for visualization.\n\n- **Weka**:\n\n    - A collection of machine learning algorithms for data mining tasks.\n\n    - The `HierarchicalClusterer` class provides an implementation of agglomerative clustering.\n\n## References\n\n1. Jain, A. K., & Dubes, R. C. (1988). *Algorithms for clustering data*. Prentice-Hall, Inc.\n\n2. Murtagh, F., & Legendre, P. (2014). Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?. *Journal of Classification*, 31(3), 274-295. [Link](https://link.springer.com/article/10.1007/s00357-014-9161-z).\n\n3. Scikit-learn. (30 Jun 2023). Scikit-learn Documentation: Agglomerative Clustering.\n[Link](https://scikit-learn.org/stable/modules/generated/sklearn.cluster.AgglomerativeClustering.html).",
      "rdfs:label": "Agglomerative Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:HierarchicalClustering"
      }
    },
    {
      "@id": "d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180121650A1/en?oq=US-2018121650-A1"
      },
      "d3f:kb-abstract": "A security agent implemented on a computing device is described herein. The security agent is configured to detect file-modifying malware by detecting that a process is traversing a directory of the memory of the computing device and detecting that the process is accessing files in the memory according to specified file access patterns. The security agent can also be configured to correlate actions of multiple processes that correspond to a specified file access pattern and detect that one or more of the multiple processes are malware by correlating their behavior.",
      "d3f:kb-author": "Daniel W. Brown",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting file modifying malware such as wipers and ransomware that overwrite portions of files and encrypt portions of a computer's memory, respectively. Processes that are traversing a directory are identified along with file access patterns. Processes executing on a computing device that are traversing a directory include:\n\n* changing a directory of a process (e.g., iteratively, systematically, repeatedly)\n* detecting that a process is conducting an \"open directory\" operation repeatedly\n* the same process traversing through a directory and recording the locations of data files encountered in each sub - directory\n\nIn addition to identifying processes traversing a directory, particular file access patterns are also detected that may be indicative of malicious behavior including:\n* multiple file types being accessed\n* accessing a large number of files\n* files located in multiple locations in the directory being accessed\n\nIf a process is conducting a traversal of the directory and accessing files according to a defined access pattern associated with malicious behavior, a preventative action is performed.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "File-modifying malware detection",
      "rdfs:label": "Reference - File-modifying malware detection - Crowdstrike Inc"
    },
    {
      "@id": "d3f:LogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Log"
      },
      "d3f:definition": "A log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.\n\nA transaction log is a file (i.e., log) of the communications between a system and the users of that system, or a data collection method that automatically captures the type, content, or time of transactions made by a person from a terminal with that system. For Web searching, a transaction log is an electronic record of interactions that have occurred during a searching episode between a Web search engine and users searching for information on that Web search engine.\n\nMany operating systems, software frameworks and programs include a logging system. A widely used logging standard is syslog, defined in Internet Engineering Task Force (IETF) RFC 5424. The syslog standard enables a dedicated, standardized subsystem to generate, filter, record, and analyze log messages. This relieves software developers of having to design and code their own ad hoc logging systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Log_file"
      },
      "rdfs:label": "Log File",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06515875-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N2440961baf09403f9dc459e935f26eb1"
        }
      ]
    },
    {
      "@id": "_:N2440961baf09403f9dc459e935f26eb1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Content of Audit Records",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-3"
    },
    {
      "@id": "d3f:RemoteProcedureCall",
      "@type": "owl:Class",
      "d3f:definition": "In distributed computing a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in another address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client-server interaction (caller is client, executor is server), typically implemented via a request-response message-passing system. The object-oriented programming analog is remote method invocation (RMI). The RPC model implies a level of location transparency.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Remote_procedure_call"
      },
      "rdfs:label": "Remote Procedure Call",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/dce_rpc",
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "d3f:CWE-593",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-593",
      "rdfs:label": "Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-666"
        }
      ]
    },
    {
      "@id": "d3f:CWE-407",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-407",
      "rdfs:label": "Inefficient Algorithmic Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10128890B2/en"
      },
      "d3f:kb-author": "Teddy David Thomas",
      "d3f:kb-reference-title": "Privacy and security systems and methods of use",
      "rdfs:label": "Reference - Privacy and security systems and methods of use"
    },
    {
      "@id": "d3f:T1008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1008",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Fallback Channels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N8646e8d4397d4384ab18d229ef38c9d4"
        }
      ]
    },
    {
      "@id": "_:N8646e8d4397d4384ab18d229ef38c9d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:EncryptedTunnels",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:d3fend-id": "D3-ET",
      "d3f:definition": "Encrypted encapsulation of routable network traffic.",
      "d3f:isolates": {
        "@id": "d3f:IntranetNetwork"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurityArchitectureForTheInternetProtocol"
      },
      "rdfs:label": "Encrypted Tunnels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N16deceb1b4164df38f1b3815711f6c1a"
        }
      ]
    },
    {
      "@id": "_:N16deceb1b4164df38f1b3815711f6c1a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:NetworkResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a shared resource, or network share, is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet, transparently as if it were a resource in the local machine. Network sharing is made possible by inter-process communication over the network.",
      "rdfs:label": "Network Resource",
      "rdfs:seeAlso": {
        "@id": "dbr:Shared_resource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteResource"
      },
      "skos:altLabel": "Shared Resource"
    },
    {
      "@id": "d3f:CWE-404",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-404",
      "rdfs:label": "Improper Resource Shutdown or Release",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-AdvancedDeviceMatchingSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10892951B2/"
      },
      "d3f:kb-abstract": "Disclosed is a device management system for discovery and management of components added to computer systems and sub-systems. The device management system provides for recognizing a newly added component, and determining if the newly added component is already a part of the system inventory. The newly added component is matched with a component currently on the system, based on at least one matching attribute. A point total is calculated for each match level and a final match score is provided. The match score is compared with an aggressiveness level to determine if a match does indeed exist.",
      "d3f:kb-author": "Rajneesh Jalan, Joseph M. Schmitt, and Marco Simoes",
      "d3f:kb-organization": "Device42 Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "Advanced device matching system",
      "rdfs:label": "Reference - Advanced device matching system"
    },
    {
      "@id": "d3f:CWE-277",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-277",
      "rdfs:label": "Insecure Inherited Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:InternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Internet network traffic is network traffic that crosses a boundary between networks. [This is the general sense of inter-networking; It may or may not cross to or from the Internet]",
      "rdfs:label": "Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-669",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-669",
      "rdfs:label": "Incorrect Resource Transfer Between Spheres",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:AuthenticationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "Authenticates a user account by verifying a presented credential.",
      "rdfs:label": "Authentication Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nb32aebee883f43ff99b7c9e7088976b6"
        }
      ]
    },
    {
      "@id": "_:Nb32aebee883f43ff99b7c9e7088976b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-002718_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002718"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Hardware Integrity Verification",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:FirmwareVerification"
      },
      "rdfs:label": "SA-10(3)"
    },
    {
      "@id": "d3f:analyzes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x analyzes y: The subject x breaks down object y into components or essential features, assessing y by quantitative methods, qualitative methods, or both.  Usually the analysis is done in terms of some model or framework.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00738221-v"
      },
      "rdfs:label": "analyzes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:detects"
        }
      ]
    },
    {
      "@id": "d3f:CWE-481",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-481",
      "rdfs:label": "Assigning instead of Comparing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-480"
      }
    },
    {
      "@id": "d3f:CWE-487",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-487",
      "rdfs:label": "Reliance on Package-level Scope",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1180",
      "@type": "owl:Class",
      "d3f:attack-id": "T1180",
      "rdfs:label": "Screensaver",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:SystemInitProcess",
      "@type": "owl:Class",
      "d3f:definition": "A system initialization process is a process that executes to initialize (boot) an operating system.",
      "rdfs:label": "System Init Process",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Booting"
        },
        {
          "@id": "dbr:Linux_startup_process"
        },
        {
          "@id": "dbr:Windows_startup_process"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "skos:altLabel": [
        "System Initialization Process",
        "System Startup Process"
      ]
    },
    {
      "@id": "d3f:CCI-001115_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001115"
    },
    {
      "@id": "d3f:CWE-219",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-219",
      "rdfs:label": "Storage of File with Sensitive Data Under Web Root",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:T1547.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.010",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Port Monitors",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N5427e6d99c9b4d14acbad927a5c593cc"
        }
      ]
    },
    {
      "@id": "_:N5427e6d99c9b4d14acbad927a5c593cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-154",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-154",
      "rdfs:label": "Improper Neutralization of Variable Name Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-384",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-384",
      "rdfs:label": "Session Fixation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateFile",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtCreateFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Software and Firmware Integrity Verification",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(1)"
    },
    {
      "@id": "d3f:T1568.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.002",
      "rdfs:label": "Domain Generation Algorithms",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:CWE-698",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-698",
      "rdfs:label": "Execution After Redirect (EAR)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-670"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:CentralTendency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CT",
      "d3f:definition": "A measure of central tendency is a summary measure that attempts to describe a whole set of data with a single value that represents the middle or centre of its distribution.",
      "d3f:kb-article": "## References\nAustralian Bureau of Statistics. (n.d.). Measures of Central Tendency. [Link](https://www.abs.gov.au/statistics/understanding-statistics/statistical-terms-and-concepts/measures-central-tendency)\n\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Central Tendency",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:ApplicationRule",
      "@type": "owl:Class",
      "d3f:definition": "A configuration of an application which is used to apply logical or data processing functions to data processed by the application.",
      "rdfs:label": "Application Rule",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:DistributionProperties",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DP",
      "d3f:definition": "The properties derived from a probability distribution.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
      "rdfs:label": "Distribution Properties",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:CCI-002308_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002308"
    },
    {
      "@id": "d3f:CCI-002409_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002409"
    },
    {
      "@id": "d3f:Reference-EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/1425209"
      },
      "d3f:kb-abstract": "In this paper, we describe characteristics of the most widely used defense techniques for the blocking of user-initiated malware and why these techniques are insufficient. We then introduce a module verification strategy that will eliminate, or at least severely reduce, this problem by extending the classic \"defense in depth\" network security strategy. We then describe how the augmentation of a standard operating system loader to include references to a database of cryptographic hashes of module executables can be used to implement this strategy. Finally, we describe our efforts towards the creation of a prototype system that implements the module verification strategy.",
      "d3f:kb-author": "John V. Harrison",
      "d3f:kb-mitre-analysis": "This paper describes application whitelisting. New software executable code is compared to a database of allowed software to determine if the new executable code should be loaded and executed. A database of cryptographic hashes is first created for all allowed software executables. Prior to loading any new executable code, a hash is computed and compared against the hash database. If the hash for the new code does not appear in the database, the executable is not loaded and executed.",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:kb-reference-title": "Enhancing Network Security By Preventing User-Initiated Malware Execution",
      "rdfs:label": "Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution - MITRE"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForDetectionOfPersistentThreatsInAComputerizedEnvironmentBackground_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170206358A1/en?oq=US-2017206358-A1"
      },
      "d3f:kb-abstract": "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "The patent describes detecting malicious events on a host. For each new event (e.g., new file request received from a user device, a change in an existing file in a container) a causality chain is developed for all threads associated with the event. The causality chain identifies the thread that started the process of the event (main thread). If a thread in the causality chain has no parent, i.e. no main thread associated with it, the process is identified as malicious.",
      "d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
      "d3f:kb-reference-title": "System and methods thereof for detection of persistent threats in a computerized environment background",
      "rdfs:label": "Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:d3fend-artifact-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-artifact-data-property y: The artifact x has the data property y.",
      "rdfs:domain": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "d3fend-artifact-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:T1105",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1105",
      "d3f:definition": "Session is initiated by the client, and may be a custom protocol which is why it is related to generic network traffic instead of file transfer network traffic.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Ingress Tool Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N1e1b9100c0724d13a424a218dda52981"
        }
      ]
    },
    {
      "@id": "_:N1e1b9100c0724d13a424a218dda52981",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-4_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Nonlocal Maintenance | Logging and Review",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "MA-4(1)"
    },
    {
      "@id": "d3f:CCI-001067_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001067"
    },
    {
      "@id": "d3f:CWE-1068",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1068",
      "rdfs:label": "Inconsistency Between Implementation and Documented Design",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1059.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.007",
      "rdfs:label": "JavaScript/JScript",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:Contribution",
      "@type": "owl:Class",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:N47c59f19ce5c404b874c6bd705462136"
        },
        {
          "@id": "_:N0b55d2d610694ab2a68e6b8cbed20288"
        }
      ]
    },
    {
      "@id": "_:N47c59f19ce5c404b874c6bd705462136",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-contributor"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "_:N0b55d2d610694ab2a68e6b8cbed20288",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:created"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:d3fend-general-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-general-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:CWE-1125",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1125",
      "rdfs:label": "Excessive Attack Surface",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:PersonalComputer",
      "@type": "owl:Class",
      "d3f:definition": "A personal computer (PC) is a multi-purpose computer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or technician. Unlike large, costly minicomputers and mainframes, time-sharing by many people at the same time is not used with personal computers. PCs have in practice become powerful enough that they may be shared by multiple users at any given time, though this is not common practice nor the primary purpose of a PC.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Personal_computer"
      },
      "rdfs:label": "Personal Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      }
    },
    {
      "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110023115A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.",
      "d3f:kb-author": "Clifford C. Wright",
      "d3f:kb-mitre-analysis": "The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:\n\n* clicking on a link\n* scrolling down a page\n* opening or closing a window\n* downloading a file\n* saving a file\n* running a file\n* typing a keyword\n\nCode behavior monitored includes code:\n\n* copying itself to a system folder\n* setting a run key to itself in the registry\n* setting a second run key to itself in the registry in a different location\n* disabling OS tools in the registry\n* opening a hidden file\n\nThe user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session.  The predetermined collection of malicious behaviors is created based on analysis of families of malware in run time in a threat research facility. If a match is made, an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SystemDaemonMonitoring"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Host intrusion prevention system using software and user behavior analysis",
      "rdfs:label": "Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd"
    },
    {
      "@id": "d3f:CWE-862",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-862",
      "rdfs:comment": "Broad and could apply to all resource accesses.",
      "rdfs:label": "Missing Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:CWE-590",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-590",
      "rdfs:label": "Free of Memory not on the Heap",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-762"
      }
    },
    {
      "@id": "d3f:adds",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x adds y: The subject x adds a data object y, such as a file, to some other digital artifact, such as a directory. Examples include an agent or technique adding a record to a database, or a domain entry to a DNS server.",
      "rdfs:label": "adds",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-add"
        }
      ]
    },
    {
      "@id": "d3f:Reference-IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9921860B1"
      },
      "d3f:kb-abstract": "Approaches for launching an application within a virtual machine. In response to receiving a request to launch an application, a device instantiates, without human intervention and based on a policy, a virtual machine in which the application is to be launched. The policy determines which resources of a device, such as a mobile device or computer system, are accessible to the virtual machine. The policy may, but need not, determine whether the virtual machine has access to a type of resource which obligates the user of the device to make a monetary payment for the user of the resource.",
      "d3f:kb-author": "Gaurav Banga, Sergei Vorobiev, Deepak Khajuria, Vikram Kapoor, Ian Pratt, Simon Crosby, Adrian Taylor",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bromium, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Isolation of applications within a virtual machine",
      "rdfs:label": "Reference - Isolation of applications within a virtual machine - Bromium, Inc."
    },
    {
      "@id": "d3f:Reference-CertificateTransparency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.certificate-transparency.org/"
      },
      "d3f:kb-abstract": "Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections.\n\nThese flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.",
      "d3f:kb-author": "Google",
      "d3f:kb-organization": "Google",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Certificate Transparency",
      "rdfs:label": "Reference - Certificate Transparency"
    },
    {
      "@id": "d3f:DecoyArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A decoy is an imitation digital artifact in any sense of a digital artifact, object, or phenomenon that is intended to deceive a cyber attacker's surveillance devices or mislead their evaluation.  Examples include fake files, accounts, hosts (honeypots), and network segments (honeynets).",
      "d3f:may-contain": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "Decoy Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Deception_technology"
        },
        {
          "@id": "https://doi.org/10.1007/978-3-319-25133-2"
        },
        {
          "@id": "https://shield.mitre.org/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N17c45adcb7994137a24b539afa87480a"
        }
      ],
      "skos:altLabel": [
        "Trap",
        "Decoy",
        "Lure",
        "Decoy Object"
      ]
    },
    {
      "@id": "_:N17c45adcb7994137a24b539afa87480a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:PageFrame",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:PrimaryStorage"
      },
      "d3f:definition": "A page frame is the smallest fixed-length contiguous block of physical memory into which memory pages are mapped by the operating system.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Page_(computer_memory)",
      "rdfs:label": "Page Frame",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryBlock"
        },
        {
          "@id": "_:Neee2c68ca4644eb1bf76d326a9d7245b"
        }
      ]
    },
    {
      "@id": "_:Neee2c68ca4644eb1bf76d326a9d7245b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:CWE-32",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-32",
      "rdfs:label": "Path Traversal: '...' (Triple Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:contained-by",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "owl:inverseOf": {
        "@id": "d3f:contains"
      },
      "rdfs:label": "contained-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-contained-by"
        }
      ]
    },
    {
      "@id": "d3f:enumerates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enumerates y: The subject x takes the action of reading from a digital source y to acquire data and create a list of its contents.",
      "rdfs:label": "enumerates",
      "rdfs:subPropertyOf": {
        "@id": "d3f:reads"
      }
    },
    {
      "@id": "d3f:T1505.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1505.001",
      "d3f:creates": {
        "@id": "d3f:StoredProcedure"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "SQL Stored Procedures",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N3d6591d15a6e4cdaa0f40878f45686b9"
        },
        {
          "@id": "_:Ne0bf892591fc43cbb2bebc307cb61d02"
        }
      ]
    },
    {
      "@id": "_:N3d6591d15a6e4cdaa0f40878f45686b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StoredProcedure"
      }
    },
    {
      "@id": "_:Ne0bf892591fc43cbb2bebc307cb61d02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1569",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569",
      "d3f:definition": "This technique has been deprecated.",
      "rdfs:label": "System Services",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:AdministrativeNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Administrative network traffic is network traffic related to the remote administration or control of hosts or devices through a standard remote administrative protocol.  Remote shells, terminals, RDP, and VNC are examples of these protocols, which are typically only used by administrators.",
      "rdfs:label": "Administrative Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Remote_administration"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-484",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-484",
      "rdfs:label": "Omitted Break Statement in Switch",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-670"
        },
        {
          "@id": "d3f:CWE-710"
        }
      ]
    },
    {
      "@id": "d3f:CWE-684",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-684",
      "rdfs:label": "Incorrect Provision of Specified Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-186",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-186",
      "rdfs:label": "Overly Restrictive Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-185"
      }
    },
    {
      "@id": "d3f:T1553",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553",
      "rdfs:label": "Subvert Trust Controls",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:SSHSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Secure Shell Protocol (SSH) session is a session over a secure channel established using SSH to connect a client to a server and establish the remote session.",
      "rdfs:label": "SSH Session",
      "rdfs:seeAlso": {
        "@id": "dbr:Secure_Shell_Protocol"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteSession"
      }
    },
    {
      "@id": "d3f:d3fend-catalog-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-catalog-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      },
      "skos:altLabel": "d3fend-vendor-registry-object-property"
    },
    {
      "@id": "d3f:UserBehavior",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:UserAction"
      },
      "d3f:definition": "A user behavior is a pattern of user actions, or set of such patterns. Modeling and analyzing these patterns and monitoring a user's actions for meaningful anomalies is known as user behavior analytics (UBA).",
      "rdfs:label": "User Behavior",
      "rdfs:seeAlso": {
        "@id": "dbr:User_behavior_analytics"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N44dd831dda5f494f9522e5926a1d3449"
        }
      ]
    },
    {
      "@id": "_:N44dd831dda5f494f9522e5926a1d3449",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAction"
      }
    },
    {
      "@id": "d3f:ConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ConfigurationDatabaseRecord"
      },
      "rdfs:label": "Configuration Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationResource"
        },
        {
          "@id": "_:N941ada0547ba415fb066d4d813ed8f36"
        }
      ]
    },
    {
      "@id": "_:N941ada0547ba415fb066d4d813ed8f36",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:PasswordFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Simple form of password database held in a single file (e.g., /etc/passwd).",
      "rdfs:label": "Password File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:PasswordDatabase"
        }
      ]
    },
    {
      "@id": "d3f:CWE-332",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-332",
      "rdfs:label": "Insufficient Entropy in PRNG",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-331"
      }
    },
    {
      "@id": "d3f:CWE-1250",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1250",
      "rdfs:label": "Improper Preservation of Consistency Between Independent Representations of Shared State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-1338",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1338",
      "rdfs:label": "Improper Protections Against Hardware Overheating",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:ZeroClientComputer",
      "@type": "owl:Class",
      "d3f:definition": "A zero client, also referred to as an ultra thin client, contains no moving parts but centralizes all processing and storage to just what is running on the server. As a result, it requires no local driver to install, no patch management, and no local operating system licensing fees or updates. The device consumes very little power and is tamper-resistant and completely incapable of storing any data locally, providing a more secure endpoint.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Thin_client#Zero_client"
      },
      "rdfs:label": "Zero Client Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ThinClientComputer"
      }
    },
    {
      "@id": "d3f:FirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformMonitoring"
      ],
      "d3f:d3fend-id": "D3-FV",
      "d3f:definition": "Cryptographically verifying firmware integrity.",
      "d3f:kb-article": "## How it works\nCryptographic hash values are computed for system and peripheral firmware. The hash values are compared against precomputed hash values for the identified firmware. A hash value mismatch may indicate that the firmware has been tampered with, or that it was updated with a non-current release, which would indicate a misconfiguration of the system.\n\n## Considerations\n* Requires cryptographically computed hash values of firmware\n* Requires storage of precomputed firmware hash values",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-FirmwareVerificationTrapezoid"
        },
        {
          "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N81f10a0f09a344538b0ca06512b46b9f"
        }
      ]
    },
    {
      "@id": "_:N81f10a0f09a344538b0ca06512b46b9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:WebApplicationServer",
      "@type": "owl:Class",
      "d3f:definition": "A web application server is a web server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them. In the case of Java application servers, the server behaves like an extended virtual machine for running applications, transparently handling connections to the database on one side, and, often, connections to the Web client on the other.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Application_server"
      },
      "rdfs:label": "Web Application Server",
      "rdfs:subClassOf": {
        "@id": "d3f:WebServer"
      }
    },
    {
      "@id": "d3f:GatedRecurrentUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GRU",
      "d3f:definition": "The GRU is like a long short-term memory (LSTM) with a forget gate, but has fewer parameters than LSTM, as it lacks an output gate. GRU's performance on certain tasks of polyphonic music modeling, speech signal modeling and natural language processing was found to be similar to that of LSTM.",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 20). Gated Recurrent Unit. [Link](https://en.wikipedia.org/wiki/Gated_recurrent_unit)",
      "rdfs:label": "Gated Recurrent Unit",
      "rdfs:subClassOf": {
        "@id": "d3f:RecurrentNeuralNetwork"
      }
    },
    {
      "@id": "d3f:Reference-RemoteDesktopLogon_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-005/"
      },
      "d3f:kb-abstract": "A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "CAR-2016-04-005: Remote Desktop Logon",
      "rdfs:label": "Reference - CAR-2016-04-005: Remote Desktop Logon - MITRE"
    },
    {
      "@id": "d3f:SoftwarePackagingTool",
      "@type": "owl:Class",
      "d3f:definition": "A tool that automates the process of packaging either or both binary code and source code for use on one or more target platforms.",
      "rdfs:label": "Software Packaging Tool",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Build_automation"
        },
        {
          "@id": "dbr:Package_manager"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:BuildTool"
      }
    },
    {
      "@id": "d3f:FlashMemory",
      "@type": "owl:Class",
      "d3f:definition": "Flash memory is an electronic non-volatile computer memory storage medium that can be electrically erased and reprogrammed.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Flash_memory",
      "rdfs:label": "Flash Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:DecoyNetworkResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DNR",
      "d3f:definition": "Deploying a network resource for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nDecoy network resources are deployed to web application servers, network file shares, or other network-based sharing services.\n\nA \"honeypot\" may serve a variety of decoy network resources.\n\n## Considerations\n\n* Developing a deployment and placement strategy for the decoy network resource.\n* Personnel responsible for creation of decoy networks should consider the potential for resource exhaustion through denial of service attacks.\n\n## Examples\n* Honeypots are typically used to mimic a known system with fake vulnerabilities. This may attract attackers to the honeypot.\n* Decoy accounts are also used to watch for attempted logins. Login attempts against the decoy accounts can give security analysts insight into the attacker's potential intents and strategies.\n* Tarpits are used to monitor unallocated IP space for unauthorized network activity.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd"
        },
        {
          "@id": "d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Decoy Network Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:N8e69ae3f04e1496fa6700c279d04374d"
        }
      ]
    },
    {
      "@id": "_:N8e69ae3f04e1496fa6700c279d04374d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:RAM",
      "@type": "owl:Class",
      "d3f:definition": "Random-access memory (RAM) is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code.",
      "d3f:synonym": "Random-access Memory",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Random-access_memory",
      "rdfs:label": "RAM",
      "rdfs:subClassOf": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:LinuxCloneArgumentCLONE_THREAD",
      "@type": "owl:Class",
      "d3f:definition": "A flag parameter to the Clone syscall. If set, the child is placed in the same thread group as the calling process.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/clone.2.html",
      "rdfs:label": "Linux Clone Argument CLONE_THREAD",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:T1560.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.001",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "rdfs:label": "Archive via Utility",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:N8ebd752ee5614560bfcceb0aa88d4fb0"
        }
      ]
    },
    {
      "@id": "_:N8ebd752ee5614560bfcceb0aa88d4fb0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:restores",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "restores",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:OperationalRiskAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalActivityMapping"
      ],
      "d3f:d3fend-id": "D3-ORA",
      "d3f:definition": "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.",
      "d3f:evaluates": {
        "@id": "d3f:Organization"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud"
        },
        {
          "@id": "d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-160-Volume-1"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-37-Revision-2"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5"
        },
        {
          "@id": "d3f:Reference-NISTIR-8011-Volume-1"
        }
      ],
      "d3f:synonym": "Mission Risk Assessment",
      "rdfs:label": "Operational Risk Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:Nfd5884d7605943c3924ba4d08330189a"
        },
        {
          "@id": "_:N4f7120e700144948ad742682be979657"
        }
      ]
    },
    {
      "@id": "_:Nfd5884d7605943c3924ba4d08330189a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Organization"
      }
    },
    {
      "@id": "_:N4f7120e700144948ad742682be979657",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:CWE-453",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-453",
      "rdfs:label": "Insecure Default Variable Initialization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1188"
      }
    },
    {
      "@id": "d3f:BinaryClassification",
      "@type": "owl:Class",
      "rdfs:label": "Binary Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classifying"
      }
    },
    {
      "@id": "d3f:CCI-001493_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001493"
    },
    {
      "@id": "d3f:D3FENDUseCase",
      "@type": "owl:Class",
      "rdfs:label": "D3FEND Use Case",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDUseCaseThing"
        },
        {
          "@id": "_:N3e864f9a47344cc09030ddd5dade9a12"
        },
        {
          "@id": "_:N7316c374664245a9acd0b076abc79c7e"
        },
        {
          "@id": "_:N69b666effcc24fd4955f6c9a54b3b14c"
        },
        {
          "@id": "_:Nebfcaf3873044a89a89d1cf1ec804e17"
        }
      ]
    },
    {
      "@id": "_:N3e864f9a47344cc09030ddd5dade9a12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-audience"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TargetAudience"
      }
    },
    {
      "@id": "_:N7316c374664245a9acd0b076abc79c7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-goal"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UseCaseGoal"
      }
    },
    {
      "@id": "_:N69b666effcc24fd4955f6c9a54b3b14c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-prerequisite"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UseCasePrerequisite"
      }
    },
    {
      "@id": "_:Nebfcaf3873044a89a89d1cf1ec804e17",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-procedure"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UseCaseProcedure"
      }
    },
    {
      "@id": "d3f:FQDNDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "FQDN Domain Name"
    },
    {
      "@id": "d3f:Reference-ComputerWormDefenseSystemAndMethod_FireEyeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20130036472A1"
      },
      "d3f:kb-abstract": "\"A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.\"",
      "d3f:kb-author": "Ashar Aziz",
      "d3f:kb-mitre-analysis": "This patent describes network data being copied by a tap and then analyzed in an analysis environment to determine whether the network data is suspicious using a heuristic module. The analysis environment replays transmission of the suspicious network data between a configured replayer and a virtual machine to detect unauthorized activity.",
      "d3f:kb-organization": "FireEye Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileCarving"
      },
      "d3f:kb-reference-title": "Computer Worm Defense System and Method",
      "rdfs:label": "Reference - Computer Worm Defense System and Method - FireEye Inc"
    },
    {
      "@id": "d3f:CWE-209",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-209",
      "rdfs:label": "Generation of Error Message Containing Sensitive Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-200"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:created-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:creates"
      },
      "rdfs:label": "created-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-created-by"
        }
      ]
    },
    {
      "@id": "d3f:LogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkMapping"
      ],
      "d3f:d3fend-id": "D3-LLM",
      "d3f:definition": "Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension"
      },
      "d3f:maps": [
        {
          "@id": "d3f:LogicalLink"
        },
        {
          "@id": "d3f:Network"
        },
        {
          "@id": "d3f:NetworkNode"
        }
      ],
      "rdfs:label": "Logical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:Ndb3825db4a0848fd96e3a001e0d47711"
        },
        {
          "@id": "_:N868065471a124e29929d6a696402d609"
        },
        {
          "@id": "_:Nbadb6e0af628437e8c2c2a6818e8512d"
        }
      ]
    },
    {
      "@id": "_:Ndb3825db4a0848fd96e3a001e0d47711",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "_:N868065471a124e29929d6a696402d609",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "_:Nbadb6e0af628437e8c2c2a6818e8512d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:CWE-94",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-94",
      "d3f:may-be-weakness-of": [
        {
          "@id": "d3f:EvalFunction"
        },
        {
          "@id": "d3f:UserInputFunction"
        }
      ],
      "rdfs:label": "Improper Control of Generation of Code ('Code Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "_:N9a13ced754f9474eb669f40857ad685f"
        },
        {
          "@id": "_:N54ca5ec0e6bf4bf0bebbc2adc13de15e"
        }
      ]
    },
    {
      "@id": "_:N9a13ced754f9474eb669f40857ad685f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EvalFunction"
      }
    },
    {
      "@id": "_:N54ca5ec0e6bf4bf0bebbc2adc13de15e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:ObjectFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An object file is a file that contains relocatable machine code.",
      "rdfs:label": "Object File",
      "rdfs:seeAlso": {
        "@id": "dbr:Object_file"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Autoencoding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AUT",
      "d3f:definition": "Autoencoders are a specific type of deep learning architecture used for learning representations of data, typically for the purpose of dimensionality reduction. This is achieved by designing a deep learning architecture that aims at copying its input layer at its output layer.",
      "d3f:kb-article": "## References\nSOCR. (n.d.). ABIDE Autoencoder. [Link](https://socr.umich.edu/HTML5/ABIDE_Autoencoder/#:~:text=In%20simple%20words%2C%20autoencoders%20are,layer%20at%20its%20output%20layer.)",
      "rdfs:label": "Autoencoding",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:kb-reference-title",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x kb-reference-title y: The d3fend knowledge base reference x has the reference title string y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "kb-reference-title",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Extension of Linux Openat.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/openat2.2.html",
      "rdfs:label": "Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:T1564.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.004",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "NTFS File Attributes",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:Ndf58ee85e31f47fe93aeb1d7403cfd9c"
        }
      ]
    },
    {
      "@id": "_:Ndf58ee85e31f47fe93aeb1d7403cfd9c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:ServiceApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application that provides a set of software functionalities so that multiple clients can reuse the functionality, provided they are authorized for use of the service.",
      "rdfs:label": "Service Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Server_(computing)"
        },
        {
          "@id": "dbr:Service_(systems_architecture)"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CWE-1283",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1283",
      "rdfs:label": "Mutable Attestation or Measurement Reporting Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-322",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-322",
      "rdfs:label": "Key Exchange without Entity Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-306"
      }
    },
    {
      "@id": "d3f:WindowsShortcutFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Microsoft Windows shortcut file.",
      "rdfs:label": "Windows Shortcut File",
      "rdfs:seeAlso": [
        {
          "@id": "http://dbpedia.org/resource/Shortcut_(computing)#Microsoft_Windows"
        },
        {
          "@id": "http://dbpedia.org/resource/Symbolic_link#Shortcuts"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ShortcutFile"
      },
      "skos:altLabel": "Shell Link"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Malicious Code Analysis",
      "d3f:exactly": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-3(10)"
    },
    {
      "@id": "d3f:cwe-id",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "cwe-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:cwe-kb-annotation"
      }
    },
    {
      "@id": "d3f:CWE-393",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-393",
      "rdfs:label": "Return of Wrong Status Code",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-684"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:DomainUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain user account in Microsoft Windows (2000) defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to a domain.",
      "rdfs:label": "Domain User Account",
      "rdfs:seeAlso": {
        "@id": "https://networkencyclopedia.com/global-user-account"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:M1019",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND.",
      "rdfs:label": "Threat Intelligence Program"
    },
    {
      "@id": "d3f:CCI-000066_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization enforces requirements for remote connections to the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000066"
    },
    {
      "@id": "d3f:process-command-line-arguments",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-command-line-arguments y: The process x has the process command line arguments data y.",
      "rdfs:label": "process-command-line-arguments",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:CWE-1262",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1262",
      "rdfs:label": "Improper Access Control for Register Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:M1032",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "Multi-factor Authentication"
    },
    {
      "@id": "d3f:CWE-397",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-397",
      "rdfs:label": "Declaration of Throws for Generic Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:MemoryAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:MemoryWord"
      },
      "d3f:definition": "In computing, a memory address is a reference to a specific memory location used at various levels by software and hardware.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Memory_address",
      "rdfs:label": "Memory Address",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N4fda1b198f7b419e874cbc4aba137f83"
        }
      ]
    },
    {
      "@id": "_:N4fda1b198f7b419e874cbc4aba137f83",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryWord"
      }
    },
    {
      "@id": "d3f:WindowsRegistryValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:WindowsRegistryKey"
      },
      "d3f:definition": "A Windows Registry Value is a data structure consisting of a name, type, data (as a pointer), and the length. Windows Registry Values are always associated with a Windows Registry Key. They store the actual configuration data for the operating system and the programs that run on the system.",
      "rdfs:isDefinedBy": "https://learn.microsoft.com/en-us/windows/win32/api/winreg/ns-winreg-valentw",
      "rdfs:label": "Windows Registry Value",
      "rdfs:seeAlso": [
        "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry",
        "https://schema.ocsf.io/objects/registry_value"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "_:Nc7fd1d3aa72046bfb7c02166ff74019b"
        },
        {
          "@id": "_:N92c0786327d14e84999da075bd071503"
        }
      ]
    },
    {
      "@id": "_:Nc7fd1d3aa72046bfb7c02166ff74019b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:N92c0786327d14e84999da075bd071503",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:windows-registry-value"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:CCI-002361_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002361"
    },
    {
      "@id": "d3f:LinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LRL",
      "d3f:definition": "A supervised learning method that builds a linear regression model using training data.",
      "d3f:kb-article": "## References\n- Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/.\n- Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm.\n- Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/.\n- Bochkarev, Alexei. \"A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms\", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.",
      "rdfs:label": "Linear Regression Learning",
      "rdfs:seeAlso": "http://d3fend.mitre.org/ontologies/d3fend.owl#LinearRegression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:CredentialEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-CE",
      "d3f:definition": "Credential Eviction techniques disable or remove compromised credentials from a computer network.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "rdfs:label": "Credential Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nd9904ed0fd6845e4999961ae2c53e898"
        }
      ]
    },
    {
      "@id": "_:Nd9904ed0fd6845e4999961ae2c53e898",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:CWE-95",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-95",
      "rdfs:label": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:deceives-with",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "deceives-with",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-tactical-verb-property"
      }
    },
    {
      "@id": "d3f:T1074.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074.002",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Remote Data Staging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1074"
        },
        {
          "@id": "_:Na70f13f817b546a380d64cdde6549daf"
        }
      ]
    },
    {
      "@id": "_:Na70f13f817b546a380d64cdde6549daf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:CWE-204",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-204",
      "rdfs:label": "Observable Response Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:T1546.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.012",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Image File Execution Options Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Ne4655f528e0747d898cd646cda219ff4"
        }
      ]
    },
    {
      "@id": "_:Ne4655f528e0747d898cd646cda219ff4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:MacOSKeychain",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Keychain_(software)"
      },
      "rdfs:label": "MacOS Keychain",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordStore"
      },
      "skos:altLabel": "Keychain"
    },
    {
      "@id": "d3f:submitter",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "submitter",
      "rdfs:subPropertyOf": {
        "@id": "d3f:contributor"
      }
    },
    {
      "@id": "d3f:K-NearestNeighbors",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KNN",
      "d3f:definition": "The k-nearest neighbors algorithm, also known as KNN or k-NN, is a non-parametric, supervised learning classifier, which uses proximity to make classifications or predictions about the grouping of an individual data point.",
      "d3f:kb-article": "## **How it works**\nThe goal of the k-nearest neighbor algorithm is to identify the nearest neighbors of a given query point, so that we can assign a class label to that point. To determine which data points are closest to a given query point, the distance between the query point and the other data points will need to be calculated. The distance measures used can vary depending on the data set or implementation and help inform decision boundaries, which partition query points into different regions. Then, by defining the k-value (the number of neighbors to be checked to determine the classification of a specific query point), the data can be assigned its class label.\n\nFor classification problems, a class label is assigned on the basis of a majority vote—i.e. the label that is most frequently represented around a given data point is used (the term “majority vote” is commonly used in literature, however, the technique is more technically considered “plurality voting”).  Regression problems use a similar concept as classification problems, but in this case, the average of the k nearest neighbors is taken to make a prediction about a classification. The main distinction here is that classification is used for discrete values, whereas regression is used with continuous ones.\n\nUnlike other algorithms that explicitly model the problem, such as linear regression, KNN is instance-based. It means that the algorithm doesn't explicitly learn a model. Instead, it memorizes the training instances and uses them as \"knowledge\" for the prediction phase. 
It's also worth noting that the KNN algorithm is also part of a family of “lazy learning” models, meaning that it only stores a training dataset versus undergoing a training stage.\n\n## **Considerations**\n\n* **Scaling:** Scaling is a problem as KNN is a lazy algorithm and takes up more memory and storage compared to other classification methods.\n\n* **Implementation and Hyperparameters:** As KNN only requires a k-value and a distance metric, it is often an easy implementation and can adjust well to new training data.\n\n## Key Test Considerations\n\n- **Supervised Learning:**\n\n  - **Cross Validation:** Cross validation methods like k-fold, leave-one-out, and stratified cross validation can help validate model performance. However, nuances like pessimism bias in k-fold cross validation or high variability in leave-one-out cross validation may need consideration.\n\n- **Classification:**\n\n  - **ROC Curve:**  A standard technique used to summarize classifier performance over a range of tradeoffs between true and false positives is the Receiver Operating Characteristic (ROC) curve.\n\n  - **Data Imbalance:** For imbalanced data sets where one class significantly outnumbers others, over-sampling techniques like SMOTE may be beneficial in sampling minority classes.\n\n- **K-Nearest Neighbor**\n\n  - **Choice of K:** The number of neighbors, K, affects the decision boundary. A smaller K can lead to a noisy decision boundary, while a large K can smooth it out, but may also blur class distinctions.\n\n  - **K-d Tree:** Exact searching on large datasets can be computationally costly and inefficient. Consider implementing approximate nearest neighbor algorithms like the K-d tree algorithm.\n\n  - **Dimensionality:** KNN does not perform well while using high-dimensional data and can be sensitive to irrelevant features which can lead to overfitting.\n\n  - **Distance Metric:** Choosing the appropriate distance metric (Euclidean, Manhattan, Minkowski, Hamming etc.) 
is essential, based on the nature of the data.\n\n## **References**\n1. IBM. K-Nearest Neighbors Algorithm.  [Link](https://www.ibm.com/topics/knn?mhsrc=ibmsearch_a&mhq=k-nearest%20neighbors%20).\n2. Muja, M., & Lowe, D. G. (2014). Scalable nearest neighbor algorithms for high dimensional data. IEEE Transactions on Pattern Analysis and Machine Intelligence. [Link]( https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6809191).\n3. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: synthetic minority over-sampling technique. Journal of artificial intelligence research, 16, 321-357. [Link]( https://www.jair.org/index.php/jair/article/view/10302/24590).\n4. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. Proceedings of the 14th international joint conference on Artificial intelligence . [Link]( https://www.ijcai.org/Proceedings/95-2/Papers/016.pdf).",
      "rdfs:label": "K-Nearest Neighbors",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:T1156",
      "@type": "owl:Class",
      "d3f:attack-id": "T1156",
      "rdfs:label": "Malicious Shell Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:AuthenticationService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An authentication service is a mechanism, analogous to the use of passwords on time-sharing systems, for the secure authentication of the identity of network clients by servers and vice versa, without presuming the operating system integrity of either (e.g., Kerberos).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.gartner.com/en/information-technology/glossary/authentication-service"
      },
      "rdfs:label": "Authentication Service",
      "rdfs:seeAlso": {
        "@id": "dbr:Authentication"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:control-name": "Separation of Duties",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-5"
    },
    {
      "@id": "d3f:CWE-796",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-796",
      "rdfs:label": "Only Filtering Special Elements Relative to a Marker",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-795"
      }
    },
    {
      "@id": "d3f:CWE-157",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-157",
      "rdfs:label": "Failure to Sanitize Paired Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1574.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.004",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Dylib Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Nba3158a9a2cf4223a37c0e98874afd4e"
        },
        {
          "@id": "_:N6d51adfbd621474199eb11cab92aaa02"
        }
      ]
    },
    {
      "@id": "_:Nba3158a9a2cf4223a37c0e98874afd4e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N6d51adfbd621474199eb11cab92aaa02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:CWE-161",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-161",
      "rdfs:label": "Improper Neutralization of Multiple Leading Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-160"
      }
    },
    {
      "@id": "d3f:iOSProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "iOS Process"
    },
    {
      "@id": "d3f:BayesianModelAveraging",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BMA",
      "d3f:definition": "A parameter estimate (or a prediction of new observations) obtained by averaging the estimates (or predictions) of the different models under consideration, each weighted by its model probability.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nBayesian model average: A parameter estimation approach to model agnostic ensemble learning. (2019). Journal of Machine Learning for Modeling and Computing, 1(2), 61-70.  [Link](https://journals.sagepub.com/doi/full/10.1177/2515245919898657#:~:text=Bayesian%20model%20average%3A%20A%20parameter,weighted%20by%20its%20model%20probability).",
      "rdfs:label": "Bayesian Model Averaging",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc7642"
      },
      "d3f:kb-abstract": "The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability.  The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models.  The intent of the SCIM specification is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols.  In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud.",
      "d3f:kb-author": "K. LI, B. Khasnabish, A. Nadalin, Z. Zeltsan",
      "d3f:kb-organization": "IETF",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccessModeling"
      },
      "d3f:kb-reference-title": "RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements",
      "rdfs:label": "Reference - RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements"
    },
    {
      "@id": "d3f:CCI-002262_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002262"
    },
    {
      "@id": "d3f:CWE-144",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-144",
      "rdfs:label": "Improper Neutralization of Line Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:Reference-Web-BasedEnterpriseManagement",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dmtf.org/standards/wbem"
      },
      "d3f:kb-organization": "Distributed Management Task Force (DMTF)",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Web-Based Enterprise Management",
      "rdfs:label": "Reference - Web-Based Enterprise Management"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Flow Control of Encrypted Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(4)"
    },
    {
      "@id": "d3f:CWE-386",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-386",
      "rdfs:label": "Symbolic Name not Mapping to Correct Object",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:OSAPISuspendProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:SuspendProcess"
      },
      "rdfs:label": "OS API Suspend Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N1afa755dc39241efa518942ab0c38d1a"
        }
      ]
    },
    {
      "@id": "_:N1afa755dc39241efa518942ab0c38d1a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SuspendProcess"
      }
    },
    {
      "@id": "d3f:KeyboardInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A computer keyboard is a typewriter-style device which uses an arrangement of buttons or keys to act as mechanical levers or electronic switches. Following the decline of punch cards and paper tape, interaction via teleprinter-style keyboards became the main input method for computers. A keyboard is also used to give commands to the operating system of a computer, such as Windows' Control-Alt-Delete combination. Although on Pre-Windows 95 Microsoft operating systems this forced a re-boot, now it brings up a system security options screen.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_keyboard"
      },
      "rdfs:label": "Keyboard Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      },
      "skos:altLabel": [
        "Computer Keyboard",
        "Keyboard"
      ]
    },
    {
      "@id": "d3f:AccessModeling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalActivityMapping"
      ],
      "d3f:d3fend-id": "D3-AM",
      "d3f:definition": "Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements"
      },
      "d3f:maps": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "d3f:UserAccount"
        }
      ],
      "rdfs:label": "Access Modeling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:Nf41836e909f244afbe3f6ca1c1cf5695"
        },
        {
          "@id": "_:N3e3ab883445148ab88f704b05530cecd"
        }
      ]
    },
    {
      "@id": "_:Nf41836e909f244afbe3f6ca1c1cf5695",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:N3e3ab883445148ab88f704b05530cecd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-1243",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1243",
      "rdfs:label": "Sensitive Non-Volatile Information Not Protected During Debug",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1263"
      }
    },
    {
      "@id": "d3f:CART",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CAR",
      "d3f:definition": "The CART algorithm is a type of classification algorithm that is required to build a decision tree on the basis of Gini’s impurity index.",
      "d3f:kb-article": "## References\nClassification and Regression Tree (CART) Algorithm. Analytics Steps. [Link](https://www.analyticssteps.com/blogs/classification-and-regression-tree-cart-algorithm).",
      "rdfs:label": "CART",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:T1501",
      "@type": "owl:Class",
      "d3f:attack-id": "T1501",
      "rdfs:label": "Systemd Service",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Reference-FWTKDocumentation-Fwtk.org",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20070510153306/http://www.fwtk.org/fwtk/docs/documentation.html#1.1"
      },
      "d3f:kb-abstract": "In case you don't already know, FWTK stands for the FireWall Tool Kit. It is used as a base to create a secure firewall system. If you need good documentation, please read the source code. If you are not familiar with C or do not feel comfortable with performing the configuration and security verification yourself, then I would suggest that you purchase a commercial firewall from a vendor (such as TIS, Checkpoint, Raptor, etc.).\n\nA machine needs other tools to secure it, including, but hardly limited to, tools to check files (tripwire), audit tools (tiger/cops), secure access methods (kerberos/ssh), something to watch logs and machine states (swatch/watcher come to mind) and filtering and routing tools such as screend/ipfilterd/ipacl.\n\nAgain, I would recommend that you do not proceed to build a production FWTK firewall unless you are familiar with UNIX security.",
      "d3f:kb-author": "fwtk.org",
      "d3f:kb-organization": "fwtk.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "FWTK Documentation",
      "rdfs:label": "Reference - FWTK Documentation - fwtk.org"
    },
    {
      "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6832256B1"
      },
      "d3f:kb-abstract": "Data transfer is controlled between a first network and a second network of computers by a firewall-proxy combination. Active interpretation of protocol commands exchanged between the first network and the second network is performed to determine specific actions concerning completion of the protocol request. This active firewall-proxy combination may exist on either the first or second network of computers. This method of control provides centralized control and administration for all potentially reachable resources within a network.",
      "d3f:kb-author": "James E. Toga",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Intel Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewalls that filter based upon protocol commands",
      "rdfs:label": "Reference - Firewalls that filter based upon protocol commands - Intel Corp"
    },
    {
      "@id": "d3f:T1209",
      "@type": "owl:Class",
      "d3f:attack-id": "T1209",
      "rdfs:label": "Time Providers",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000185_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000185"
    },
    {
      "@id": "d3f:CWE-302",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-302",
      "rdfs:label": "Authentication Bypass by Assumed-Immutable Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:T1055.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.004",
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Asynchronous Procedure Call",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Na1e81cd0658e4e71bd33e91f7d0142f8"
        }
      ]
    },
    {
      "@id": "_:Na1e81cd0658e4e71bd33e91f7d0142f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-195",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-195",
      "rdfs:label": "Signed to Unsigned Conversion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:ReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A program that needs to access data from a file stored in a file system uses the read system call. The file is identified by a file descriptor that is normally obtained from a previous call to open. This system call reads in data in bytes, the number of which is specified by the caller, from the file and stores them into a buffer supplied by the calling process.",
      "d3f:reads": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Read File",
      "rdfs:seeAlso": {
        "@id": "dbr:Read_(system_call)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ncbfa0ace1c974bdebea5c7571b308863"
        }
      ]
    },
    {
      "@id": "_:Ncbfa0ace1c974bdebea5c7571b308863",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Opens a file specified by pathname.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/open.2.html",
      "rdfs:label": "Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:CWE-1173",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1173",
      "rdfs:label": "Improper Use of Validation Framework",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-323",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-323",
      "rdfs:label": "Reusing a Nonce, Key Pair in Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-344"
      }
    },
    {
      "@id": "d3f:RemoteAuthorizationService",
      "@type": "owl:Class",
      "d3f:definition": "A remote authorization service provides for the authorization of a user across a network (i.e., remotely).",
      "rdfs:label": "Remote Authorization Service",
      "rdfs:subClassOf": {
        "@id": "d3f:AuthorizationService"
      }
    },
    {
      "@id": "d3f:CCI-001178_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001178"
    },
    {
      "@id": "d3f:SystemCallAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:d3fend-id": "D3-SCA",
      "d3f:definition": "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.",
      "d3f:kb-article": "## How it works\n\nSystem calls are APIs between a user application and the operating system [1].\n\nBy analyzing a process's use of these APIs, it is, in some cases, possible to ascertain whether a program is exhibiting unauthorized behavior, including trying to escalate its privileges.\n\n### Gathering System Calls\nA common method to capture system calls is to use kernel APIs to hook [2] a process's system call invocations.\n\nThe Linux system call `ptrace` tracks other system calls in a process and allows their alteration; this is made use of by GDB.  `strace` utilizes `ptrace` and will print to stdout each system call invoked. Other applications record this data in local or remote databases.\n\nThe log entry for each system call, which may reference additional information such as the date and time, and the process tree for the process which made the system call, is relayed, in real time or post-facto, to an analysis module which consults a catalog or model to determine whether the distribution matches a known-good or known-bad pattern.\n\n\n### Analysis\n\nSystem calls are analyzed with a variety of methods. Some analytics look for specific sequences of instructions, others may apply statistical methods to identify abnormal behavior. 
Sequences of instructions can be abstracted into conceptually higher order user activities, for example:\n\n* An attacker executes many system calls in a short period of time, with several sequences which could be used to escalate privileges.\n* Getting the contents from a URL, writing to a new file, and then executing the same file.\n* A ransomware program which either uses a loop or creates many threads to: read a specified file, encrypt its contents, create an output file with a similar name to the original file, and delete the unencrypted original.\n\n## Considerations\n\n* Duplicative or extraneous system calls may be added to malware to defeat analytics.\n* Malware could replace API hooking instructions to allow system calls to be made without being monitored.\n* A model built from a training set of system calls and related data may not be updated fast enough to detect new threats.\n\n\n[1] [Syscalls](http://man7.org/linux/man-pages/man2/syscalls.2.html)\n\n[2] [Hooking](http://dbpedia.org/resource/Hooking)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE"
        },
        {
          "@id": "d3f:Reference-DLLInjectionViaLoadLibrary_MITRE"
        },
        {
          "@id": "d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc"
        },
        {
          "@id": "d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc"
        },
        {
          "@id": "d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc"
        },
        {
          "@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE"
        }
      ],
      "rdfs:label": "System Call Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N66ee9ccce9694f4c8cc293d2e577d4fe"
        }
      ]
    },
    {
      "@id": "_:N66ee9ccce9694f4c8cc293d2e577d4fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CCI-001350_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of audit information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001350"
    },
    {
      "@id": "d3f:CWE-1209",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1209",
      "rdfs:label": "Failure to Disable Reserved Bits",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1620",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1620",
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Reflective Code Loading",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Nc3775e117f8e424a8e54382547497483"
        }
      ]
    },
    {
      "@id": "_:Nc3775e117f8e424a8e54382547497483",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:CWE-13",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-13",
      "rdfs:label": "ASP.NET Misconfiguration: Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-260"
      }
    },
    {
      "@id": "d3f:Reference-SuspiciousArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-001/"
      },
      "d3f:kb-abstract": "Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-07-001: Suspicious Arguments",
      "rdfs:label": "Reference - CAR-2013-07-001: Suspicious Arguments - MITRE"
    },
    {
      "@id": "d3f:BayesOptimalClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOC",
      "d3f:definition": "A probabilistic model that makes the most probable prediction for a new example.",
      "d3f:kb-article": "## References\nBayes Optimal Classifier. Machine Learning Mastery.  [Link](https://machinelearningmastery.com/bayes-optimal-classifier/).\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Bayes Optimal Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-29",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-29",
      "rdfs:label": "Path Traversal: '\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:has-prerequisite",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:BootRecord",
      "@type": "owl:Class",
      "d3f:definition": "A d3f:Record which is an essential component of the early boot (system initialization) process.",
      "rdfs:label": "Boot Record",
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:CWE-1233",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1233",
      "rdfs:label": "Security-Sensitive Hardware Controls with Missing Lock Bit Protection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-667"
        }
      ]
    },
    {
      "@id": "d3f:Log",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A record of events in the order of their occurrence.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06515215-n"
      },
      "rdfs:label": "Log",
      "rdfs:seeAlso": {
        "@id": "dbr:Chronology"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "Chronology"
    },
    {
      "@id": "d3f:ModalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ML",
      "d3f:definition": "Modal logic is a collection of formal systems developed to represent statements about necessity and possibility. It plays a major role in philosophy of language, epistemology, metaphysics, and natural language semantics.",
      "d3f:kb-article": "## References\n1. Modal logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic)",
      "rdfs:label": "Modal Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:OrganizationMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalActivityMapping"
      ],
      "d3f:d3fend-id": "D3-OM",
      "d3f:definition": "Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.",
      "d3f:display-order": 4,
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-OrganizationalManagementInSAPERPHCM"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": [
        {
          "@id": "d3f:Dependency"
        },
        {
          "@id": "d3f:Organization"
        },
        {
          "@id": "d3f:Person"
        }
      ],
      "d3f:may-map": {
        "@id": "d3f:OrganizationalActivity"
      },
      "rdfs:label": "Organization Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:N8ddea8636ca84c088dd342ab84cbb5bd"
        },
        {
          "@id": "_:N16a8e5852ae2494c8358ab7876bc3053"
        },
        {
          "@id": "_:N655ce76a1c594e608d4bc81193930081"
        },
        {
          "@id": "_:Nbcae559971bb4770a769fa38db8a7126"
        }
      ]
    },
    {
      "@id": "_:N8ddea8636ca84c088dd342ab84cbb5bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "_:N16a8e5852ae2494c8358ab7876bc3053",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Organization"
      }
    },
    {
      "@id": "_:N655ce76a1c594e608d4bc81193930081",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Person"
      }
    },
    {
      "@id": "_:Nbcae559971bb4770a769fa38db8a7126",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-map"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OrganizationalActivity"
      }
    },
    {
      "@id": "d3f:DefenseEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:DefenseEvasion"
      },
      "rdfs:label": "Defense Evasion Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N9ce207e277294f84a68fa8a3768af641"
        }
      ]
    },
    {
      "@id": "_:N9ce207e277294f84a68fa8a3768af641",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefenseEvasion"
      }
    },
    {
      "@id": "d3f:CWE-1057",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1057",
      "rdfs:label": "Data Access Operations Outside of Expected Data Manager Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:Reference-UACBypass_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-001/"
      },
      "d3f:kb-abstract": "Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-001: UAC Bypass",
      "rdfs:label": "Reference - CAR-2019-04-001: UAC Bypass - MITRE"
    },
    {
      "@id": "d3f:M1025",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BootloaderAuthentication"
        },
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        }
      ],
      "rdfs:label": "Privileged Process Integrity"
    },
    {
      "@id": "d3f:T1169",
      "@type": "owl:Class",
      "d3f:attack-id": "T1169",
      "rdfs:label": "Sudo",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:CWE-378",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-378",
      "rdfs:label": "Creation of Temporary File With Insecure Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-377"
      }
    },
    {
      "@id": "d3f:PacketLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer),",
      "d3f:records": {
        "@id": "d3f:NetworkSession"
      },
      "rdfs:label": "Packet Log",
      "rdfs:seeAlso": {
        "@id": "dbr:Packet_analyzer"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Log"
        },
        {
          "@id": "_:N46d9850f203c42f888ab70a61f17b86c"
        }
      ]
    },
    {
      "@id": "_:N46d9850f203c42f888ab70a61f17b86c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:T1124",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1124",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetSystemTime"
        }
      ],
      "rdfs:label": "System Time Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Ne819fa5df61242be8e164d49b676cb62"
        },
        {
          "@id": "_:Nd69ffb577bc64c2ba619fdb7c4be8071"
        }
      ]
    },
    {
      "@id": "_:Ne819fa5df61242be8e164d49b676cb62",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:Nd69ffb577bc64c2ba619fdb7c4be8071",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "d3f:T1547.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.009",
      "d3f:may-modify": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UserStartupScriptFile"
        }
      ],
      "rdfs:label": "Shortcut Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N349bc55064a844598e921e7d2febf993"
        },
        {
          "@id": "_:Nb97adfb8c4994ca09a054f6b9db11203"
        }
      ]
    },
    {
      "@id": "_:N349bc55064a844598e921e7d2febf993",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SymbolicLink"
      }
    },
    {
      "@id": "_:Nb97adfb8c4994ca09a054f6b9db11203",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:PhysicalAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In a computer supporting virtual memory, the term physical address is used mostly to differentiate from a virtual address. In particular, in computers utilizing a memory management unit(MMU) to translate memory addresses, the virtual and physical addresses refer to an address before and after translation performed by the MMU, respectively.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Physical_address",
      "rdfs:label": "Physical Address",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:CWE-492",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-492",
      "rdfs:label": "Use of Inner Class Containing Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-1391",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1391",
      "rdfs:label": "Use of Weak Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:T1584.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.002",
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:SpecificationReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Specification",
      "rdfs:label": "Specification Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:CWE-1089",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1089",
      "rdfs:label": "Large Data Table with Excessive Number of Indices",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "Cybersecurity and Infrastructure Security Agency",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cybersecurity and Infrastructure Security Agency",
      "d3f:kb-reference-title": "Cybersecurity Incident & Vulnerability Response Playbooks",
      "rdfs:label": "Reference - Cybersecurity Incident and Vulnerability Response Playbooks"
    },
    {
      "@id": "d3f:CWE-663",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-663",
      "rdfs:label": "Use of a Non-reentrant Function in a Concurrent Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:CCI-002466_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002466"
    },
    {
      "@id": "d3f:T1100",
      "@type": "owl:Class",
      "d3f:attack-id": "T1100",
      "rdfs:label": "Web Shell",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CredentialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Credential"
      },
      "d3f:enables": {
        "@id": "d3f:CredentialAccess"
      },
      "d3f:may-access": {
        "@id": "d3f:PasswordFile"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Credential Access Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nba2f3cf775ef4787a0ead68c220eadf9"
        },
        {
          "@id": "_:N52834256acf84ab08fef6073cd517863"
        },
        {
          "@id": "_:N59d7fb0501cb4d5880dcad8ee78a7c78"
        },
        {
          "@id": "_:N7a0ef489afd74ee384f947f42ab86a45"
        }
      ]
    },
    {
      "@id": "_:Nba2f3cf775ef4787a0ead68c220eadf9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:N52834256acf84ab08fef6073cd517863",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CredentialAccess"
      }
    },
    {
      "@id": "_:N59d7fb0501cb4d5880dcad8ee78a7c78",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "_:N7a0ef489afd74ee384f947f42ab86a45",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:ProcessImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:definition": "A process image is a copy of a given process's state at a given point in time. It is often used to create persistence within an otherwise volatile system.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/System_image#Process_images"
      },
      "rdfs:label": "Process Image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N197a330b2aca413982b6ce87f4543cc9"
        }
      ]
    },
    {
      "@id": "_:N197a330b2aca413982b6ce87f4543cc9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:T1578.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578.002",
      "rdfs:label": "Create Cloud Instance",
      "rdfs:subClassOf": {
        "@id": "d3f:T1578"
      }
    },
    {
      "@id": "d3f:T1021.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.006",
      "rdfs:label": "Windows Remote Management",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:writes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x writes y: The subject x takes the action of writing to a digital artifact y to store data and placing it into persistent memory for later reference.",
      "rdfs:label": "writes",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01000931-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:accesses"
      }
    },
    {
      "@id": "d3f:CWE-259",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-259",
      "rdfs:label": "Use of Hard-coded Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-798"
      }
    },
    {
      "@id": "d3f:PasswordDatabase",
      "@type": "owl:Class",
      "d3f:definition": "A password database is a database that holds passwords for user accounts and is usually encrypted (i.e.., the passwords are hashed). Password databases are found supporting system services (such as SAM) or part of user applications such as password managers.",
      "rdfs:label": "Password Database",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:Detect",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.",
      "d3f:display-order": 1,
      "d3f:display-priority": 0,
      "rdfs:label": "Detect",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:T1565.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.001",
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Stored Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:Nc4659480cff942b7ad8de0d586b0b10d"
        }
      ]
    },
    {
      "@id": "_:Nc4659480cff942b7ad8de0d586b0b10d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:evaluated-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:evaluates"
      },
      "rdfs:label": "evaluated-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:SystemDaemonMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:d3fend-id": "D3-SDM",
      "d3f:definition": "Tracking changes to the state or configuration of critical system level processes.",
      "d3f:kb-article": "## How it works\nAttackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation"
        },
        {
          "@id": "d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "rdfs:label": "System Daemon Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N891661f9608a4eaf90fb9d97fba276b0"
        }
      ]
    },
    {
      "@id": "_:N891661f9608a4eaf90fb9d97fba276b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "d3f:T1154",
      "@type": "owl:Class",
      "d3f:attack-id": "T1154",
      "rdfs:label": "Trap",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "rdfs:seeAlso",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:provider",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x provider y: A provider y is an entity that supplies a service, system, or data resources to a dependent entity x.",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/05901034-n",
      "rdfs:label": "provider",
      "rdfs:seeAlso": "http://wordnet-rdf.princeton.edu/id/10696710-n",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1022",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1022",
      "rdfs:label": "Use of Web Link to Untrusted Target with window.opener Access",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:CWE-1273",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1273",
      "rdfs:label": "Device Unlock Credential Sharing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:Self-organizingMap",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SOM",
      "d3f:definition": "A Self-Organizing Map (SOM) is a unsupervised learning model in Artificial Neural Network where the feature maps are the generated two-dimensional discretized form of an input space during the model training (based on competitive learning)",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). ANN - Self Organizing Neural Network (SONN). [Link](https://www.geeksforgeeks.org/ann-self-organizing-neural-network-sonn/)",
      "rdfs:label": "Self-organizing Map",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:MemoryBoundaryTracking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "d3f:d3fend-id": "D3-MBT",
      "d3f:definition": "Analyzing a call stack for return addresses which point to unexpected  memory locations.",
      "d3f:kb-article": "## How it works\nThis technique monitors for indicators of whether a return address is outside memory previously allocated for an object (i.e. function, module, process, or thread). If so, code that the return address points to is treated as malicious code.\n\n## Considerations\nKernel malware can manipulate memory contents, for example modifying pointers to hide processes, and thereby impact the accuracy of memory allocation information used to perform the analysis.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-InferentialExploitAttemptDetection_CrowdstrikeInc"
      },
      "rdfs:label": "Memory Boundary Tracking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N7a607517eaae422ea3967f3102b33bc2"
        }
      ]
    },
    {
      "@id": "_:N7a607517eaae422ea3967f3102b33bc2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Authorize Access to Security Functions",
      "d3f:exactly": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(1)"
    },
    {
      "@id": "d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264078A1"
      },
      "d3f:kb-abstract": "A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; Sungwook Yoon",
      "d3f:kb-mitre-analysis": "This patent describes detecting an attacker performing internal reconnaissance within an organization's network to gather intelligence about the configuration of the network or identify the next target.  Network packets are collected (ex. tapped from a network switch) and processed to create flows that are used to map out the network to identify network assets as well as ghost assets (addresses not assigned to a device or an existing device that is temporarily disabled). Once this mapping is complete it is used to monitor the network to determine if an attacker is attempting to connect to a ghost asset. If an attacker attempts to connect to a ghost asset over a threshold (ex. contacting four ghost assets in less than seven minutes), an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ConnectionAttemptAnalysis"
      },
      "d3f:kb-reference-title": "Detecting network reconnaissance by tracking intranet dark-net communications",
      "rdfs:label": "Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:ProprietaryLicense",
      "@type": "owl:Class",
      "rdfs:label": "Proprietary License",
      "rdfs:subClassOf": {
        "@id": "d3f:License"
      }
    },
    {
      "@id": "d3f:CWE-326",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-326",
      "rdfs:label": "Inadequate Encryption Strength",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:RFTransceiver",
      "@type": "owl:Class",
      "rdfs:label": "RF Transceiver",
      "rdfs:subClassOf": {
        "@id": "d3f:RFNode"
      }
    },
    {
      "@id": "d3f:ShadowStackComparisons",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:StackFrame"
      },
      "d3f:d3fend-id": "D3-SSC",
      "d3f:definition": "Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.",
      "d3f:kb-article": "## How it works\nThis technique compares the call stack stored in system memory with the shadow call stack maintained in the cache memory of the processor. The two are compared because a return-oriented programming attack may only be able to control or spoof the call stack and not the shadow call stack. Mismatches are counted, and if the number of mismatches exceeds a certain threshold, it is an indication of unauthorized activity and a security response action is performed.\n\n## Considerations\nIf the threshold for detecting a stack anomaly is low, it may not detect a return-oriented attack with just one gadget, such as a return-to-libc or return-to-plt attack. Additionally, this technique may not detect JOP (jump-oriented programming), as the return instruction is not executed.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc"
      },
      "rdfs:label": "Shadow Stack Comparisons",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N4dadf90c17df4f8f92fb1f6ebb0ce289"
        }
      ]
    },
    {
      "@id": "_:N4dadf90c17df4f8f92fb1f6ebb0ce289",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:T1597",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597",
      "rdfs:label": "Search Closed Sources",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:T1191",
      "@type": "owl:Class",
      "d3f:attack-id": "T1191",
      "rdfs:label": "CMSTP",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1052.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1052.001",
      "d3f:modifies": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Exfiltration over USB",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1052"
        },
        {
          "@id": "_:N8f1007221f564c23a77f71ac4a48b715"
        }
      ]
    },
    {
      "@id": "_:N8f1007221f564c23a77f71ac4a48b715",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:procedure-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Procedure"
      ],
      "d3f:implements": {
        "@id": "d3f:T1134.001"
      },
      "d3f:start": {
        "@id": "d3f:step-1"
      },
      "rdfs:label": "Procedure 1 - T1134.001 Access Token Manipulation"
    },
    {
      "@id": "d3f:CWE-65",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-65",
      "rdfs:label": "Windows Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:kb-mitre-analysis",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-mitre-analysis y: The reference x has the MITRE D3FEND analysis y.",
      "rdfs:domain": {
        "@id": "d3f:Reference"
      },
      "rdfs:label": "kb-mitre-analysis",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:Reference-IEEE-802_1AB-2016",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://standards.ieee.org/ieee/802.1AB/6047/"
      },
      "d3f:kb-organization": "IEEE",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery",
      "rdfs:label": "Reference - IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery"
    },
    {
      "@id": "d3f:CWE-1312",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1312",
      "rdfs:label": "Missing Protection for Mirrored Regions in On-Chip Fabric Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:StackFrameCanary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer. Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return pointer (and thus take control of the process) the canary value must also be overwritten. This value is checked to make sure it has not changed before a routine uses the return pointer on the stack. This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as corrupting other important variables on the stack.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Stack_buffer_overflow#Stack_canaries"
      },
      "rdfs:label": "Stack Frame Canary",
      "rdfs:subClassOf": {
        "@id": "d3f:StackComponent"
      },
      "skos:altLabel": "Stack Canary"
    },
    {
      "@id": "d3f:CWE-765",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-765",
      "rdfs:label": "Multiple Unlocks of a Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-667"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:ReverseProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a 'front-end' to control and protect access to a server on a private network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Reverse_proxy"
      },
      "rdfs:label": "Reverse Proxy Server",
      "rdfs:subClassOf": {
        "@id": "d3f:ProxyServer"
      }
    },
    {
      "@id": "d3f:OpenSourceLicense",
      "@type": "owl:Class",
      "rdfs:label": "Open Source License",
      "rdfs:subClassOf": {
        "@id": "d3f:License"
      }
    },
    {
      "@id": "d3f:Forecasting",
      "@type": "owl:Class",
      "rdfs:label": "Forecasting",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_17",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Domain Authentication",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "rdfs:label": "AC-4(17)"
    },
    {
      "@id": "d3f:LinuxRenameat2",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file. Additional flags argument.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/renameat2.2.html",
      "rdfs:label": "Linux Renameat2",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:IdentifierAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Identifier"
      },
      "d3f:d3fend-id": "D3-ID",
      "d3f:definition": "Analyzing identifier artifacts such as IP addresses, domain names, or URL(I)s.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Identifier Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N10ac6316ed9d4d2e8f0a5f2d022b3ec2"
        },
        {
          "@id": "_:Nd769201adef943509a6291fd92e747cc"
        }
      ]
    },
    {
      "@id": "_:N10ac6316ed9d4d2e8f0a5f2d022b3ec2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "_:Nd769201adef943509a6291fd92e747cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:d3fend-catalog-annotation-property",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "d3fend-catalog-annotation-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      },
      "skos:altLabel": "d3fend-vendor-registry-annotation-property"
    },
    {
      "@id": "d3f:CWE-589",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-589",
      "rdfs:label": "Call to Non-ubiquitous API",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-474"
      }
    },
    {
      "@id": "d3f:T1205.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1205.001",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Port Knocking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1205"
        },
        {
          "@id": "_:Nee9b6b9d6e08471b92d3f0a23dc7c659"
        }
      ]
    },
    {
      "@id": "_:Nee9b6b9d6e08471b92d3f0a23dc7c659",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-321",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-321",
      "rdfs:label": "Use of Hard-coded Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-798"
      }
    },
    {
      "@id": "d3f:CWE-561",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-561",
      "rdfs:label": "Dead Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:URL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:Resource"
      },
      "d3f:definition": "A Uniform Resource Locator (URL), commonly informally termed a web address (a term which is not defined identically), is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifier (URI), although many people use the two terms interchangeably. A URL implies the means to access an indicated resource, which is not true of every URI. URLs occur most commonly to reference web pages (http), but are also used for file transfer (ftp), email (mailto), database access (JDBC), and many other applications.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Uniform_Resource_Locator"
      },
      "rdfs:label": "URL",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/url",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:N5be9ab6e038e468c9c00787ba9fe5cc2"
        }
      ],
      "skos:altLabel": "Uniform Resource Locator"
    },
    {
      "@id": "_:N5be9ab6e038e468c9c00787ba9fe5cc2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:ShadowStack",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:copy-of": {
        "@id": "d3f:CallStack"
      },
      "d3f:definition": "A shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that \"shadows\" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Shadow_stack",
      "rdfs:label": "Shadow Stack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N2fc8f89884f7449a9a203061ccce2c4d"
        }
      ]
    },
    {
      "@id": "_:N2fc8f89884f7449a9a203061ccce2c4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copy-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CallStack"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10657262B1/en"
      },
      "d3f:kb-abstract": "Systems and methods for securing embedded devices via both online and offline defensive strategies. One or more security software components may be injected into firmware binary to create a modified firmware binary, which is functionally- and size-equivalent to the original firmware binary. The security software components may retrieve live forensic information related to embedded devices for use in live hardening of the modified firmware binary while the embedded device is online, dynamically patching the firmware",
      "d3f:kb-author": "Ang Cui, Salvatore J. Stolfo",
      "d3f:kb-organization": "Red Balloon Security, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareEmbeddedMonitoringCode"
      },
      "d3f:kb-reference-title": "Method and apparatus for securing embedded device firmware",
      "rdfs:label": "Reference - Firmware Embedded Monitoring Code Red Balloon"
    },
    {
      "@id": "d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140250524A1/en?oq=US-2014250524-A1"
      },
      "d3f:kb-abstract": "Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domains names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.",
      "d3f:kb-author": "Adam S. Meyers; Dmitri Alperovitch; George Robert Kurtz; David F. Diehl; Sven Krasser",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Deception-Based Responses to Security Attacks",
      "rdfs:label": "Reference - Deception-Based Responses to Security Attacks - Crowdstrike Inc"
    },
    {
      "@id": "d3f:T1547.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.011",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationFile"
      },
      "rdfs:label": "Plist Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N29222879cccb4c4b93fc319160e09179"
        }
      ]
    },
    {
      "@id": "_:N29222879cccb4c4b93fc319160e09179",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:real-time-analytic",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AnalyticLatency"
      ],
      "rdfs:label": "real-time-analytic"
    },
    {
      "@id": "d3f:CWE-1317",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1317",
      "rdfs:label": "Improper Access Control in Fabric Bridge",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:SystemFileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:d3fend-id": "D3-SFA",
      "d3f:definition": "Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.",
      "d3f:kb-article": "## How it works\nThis technique ensures the integrity of system-owned file resources. System files can affect behavior below the user level.\n\n\n## Considerations\n* Need to manage the size of log file analysis.\n* False positives are a concern with this technique and filtering will need to be given additional thought.\n* A baseline or snapshot of file checksums should be established for future comparison.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AccessPermissionModification_MITRE"
        },
        {
          "@id": "d3f:Reference-AutorunDifferences_MITRE"
        },
        {
          "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE"
        }
      ],
      "rdfs:label": "System File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Nfb7e4c5ba923471585668fd62b0db888"
        }
      ]
    },
    {
      "@id": "_:Nfb7e4c5ba923471585668fd62b0db888",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:CCI-002613_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002613"
    },
    {
      "@id": "d3f:deletes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x deletes y: A technique or agent x wipes out the digitally or magnetically recorded information of digital object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01001860-v"
      },
      "rdfs:label": "deletes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:M1036",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "D3-AZET may be related (potentially, though it is not called out in the ATT&CK definition).",
      "d3f:related": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:AuthenticationCacheInvalidation"
        },
        {
          "@id": "d3f:AuthenticationEventThresholding"
        }
      ],
      "rdfs:label": "Account Use Policies"
    },
    {
      "@id": "d3f:CWE-509",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-509",
      "rdfs:label": "Replicating Malicious Code (Virus or Worm)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-507"
      }
    },
    {
      "@id": "d3f:CWE-187",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-187",
      "rdfs:label": "Partial String Comparison",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:T1559.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.001",
      "rdfs:label": "Component Object Model Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:CWE-395",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-395",
      "rdfs:label": "Use of NullPointerException Catch to Detect NULL Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-705"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:T1109",
      "@type": "owl:Class",
      "d3f:attack-id": "T1109",
      "rdfs:label": "Component Firmware",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-468",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-468",
      "rdfs:label": "Incorrect Pointer Scaling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CWE-364",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-364",
      "rdfs:label": "Signal Handler Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:T1090.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.003",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Multi-hop Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:Nf8ec595dbd5349cb812ed10a07a524b0"
        }
      ]
    },
    {
      "@id": "_:Nf8ec595dbd5349cb812ed10a07a524b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1164",
      "@type": "owl:Class",
      "d3f:attack-id": "T1164",
      "rdfs:label": "Re-opened Applications",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:RestoreObject",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:d3fend-id": "D3-RO",
      "d3f:definition": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "d3f:enables": {
        "@id": "d3f:Restore"
      },
      "rdfs:label": "Restore Object",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nec909039fd8841b5953669a24bce50d1"
        }
      ]
    },
    {
      "@id": "_:Nec909039fd8841b5953669a24bce50d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Restore"
      }
    },
    {
      "@id": "d3f:T1574.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1574.012",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "COR_PROFILER",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N78aa9a1d14974adf8324643a1b68f702"
        },
        {
          "@id": "_:N659c4a1cea9b4a9ba223c218469c3837"
        }
      ]
    },
    {
      "@id": "_:N78aa9a1d14974adf8324643a1b68f702",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N659c4a1cea9b4a9ba223c218469c3837",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1192",
      "@type": "owl:Class",
      "d3f:attack-id": "T1192",
      "rdfs:label": "Spearphishing Link",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:EventLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Event logs record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in the case of applications with little user interaction (such as server applications).",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Log_file#Event_logs"
      },
      "rdfs:label": "Event Log",
      "rdfs:subClassOf": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:M1052",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:MandatoryAccessControl"
      },
      "rdfs:label": "User Account Control"
    },
    {
      "@id": "d3f:T1548.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.001",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "Setuid and Setgid",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:Nf7d6c95807984645b2282a62a95b75b3"
        }
      ]
    },
    {
      "@id": "_:Nf7d6c95807984645b2282a62a95b75b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:Reference-StackSmashingProtection_StackGuard_RedHat",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://access.redhat.com/blogs/766093/posts/3548631"
      },
      "d3f:kb-abstract": "In our previous blog, we saw how arbitrary code execution resulting from stack-buffer overflows can be partly mitigated by marking segments of memory as non-executable, a technology known as Execshield. However stack-buffer overflow exploits can still effectively overwrite the function return address, which leads to several interesting exploitation techniques like ret2libc, ret2gets, and ret2plt. With all of these methods, the function return address is overwritten and attacker controlled code is executed when the program control transfers to overwritten address on the stack.",
      "d3f:kb-author": "Huzaifa Sidhpurwala",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Red Hat",
      "d3f:kb-reference-of": {
        "@id": "d3f:StackFrameCanaryValidation"
      },
      "d3f:kb-reference-title": "Security Technologies: Stack Smashing Protection (StackGuard)",
      "rdfs:label": "Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hat"
    },
    {
      "@id": "d3f:CWE-758",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-758",
      "rdfs:label": "Reliance on Undefined, Unspecified, or Implementation-Defined Behavior",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-73",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-73",
      "rdfs:label": "External Control of File Name or Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:CWE-297",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-297",
      "rdfs:label": "Improper Validation of Certificate with Host Mismatch",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:CWE-611",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-611",
      "d3f:weakness-of": {
        "@id": "d3f:ExternalContentInclusionFunction"
      },
      "rdfs:label": "Improper Restriction of XML External Entity Reference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "_:N37a84d191c8b44e28be67aa03c26b678"
        }
      ]
    },
    {
      "@id": "_:N37a84d191c8b44e28be67aa03c26b678",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExternalContentInclusionFunction"
      }
    },
    {
      "@id": "d3f:RegSetKeyValueW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ]
    },
    {
      "@id": "d3f:CWE-213",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-213",
      "rdfs:label": "Exposure of Sensitive Information Due to Incompatible Policies",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:WindowsNtOpenFile",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtOpenFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIOpenFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1316",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1316",
      "rdfs:label": "Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:may-be-hardened-against-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be hardened against by",
      "owl:inverseOf": {
        "@id": "d3f:may-harden"
      },
      "rdfs:label": "may-be-hardened-against-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEINTERRUPT",
      "@type": "owl:Class",
      "d3f:definition": "Stops a tracee.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/ptrace.2.html",
      "rdfs:label": "Linux Ptrace Argument PTRACE_INTERRUPT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendProcess"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        }
      ],
      "d3f:control-name": "Account Management | Automated System Account Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(1)"
    },
    {
      "@id": "d3f:OrganizationalActivity",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Organizational Activity",
      "rdfs:subClassOf": {
        "@id": "d3f:Activity"
      }
    },
    {
      "@id": "d3f:CCI-001436_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001436"
    },
    {
      "@id": "d3f:T1562.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562.008",
      "rdfs:label": "Disable Cloud Logs",
      "rdfs:subClassOf": {
        "@id": "d3f:T1562"
      }
    },
    {
      "@id": "d3f:T1518",
      "@type": "owl:Class",
      "d3f:attack-id": "T1518",
      "rdfs:label": "Software Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:OSAPIAllocateMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:AllocateMemory"
      },
      "rdfs:label": "OS API Allocate Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Nd86f5c050ee8492c823021090b176ebe"
        }
      ]
    },
    {
      "@id": "_:Nd86f5c050ee8492c823021090b176ebe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AllocateMemory"
      }
    },
    {
      "@id": "d3f:Reference-HostDiscoveryCommands_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-03-001/"
      },
      "d3f:kb-abstract": "When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.\n\nBecause these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2016-03-001: Host Discovery Commands",
      "rdfs:label": "Reference - CAR-2016-03-001: Host Discovery Commands - MITRE"
    },
    {
      "@id": "d3f:CWE-312",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-312",
      "rdfs:label": "Cleartext Storage of Sensitive Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-311"
        },
        {
          "@id": "d3f:CWE-922"
        }
      ]
    },
    {
      "@id": "d3f:T1084",
      "@type": "owl:Class",
      "d3f:attack-id": "T1084",
      "rdfs:label": "Windows Management Instrumentation Event Subscription",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1025",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1025",
      "rdfs:label": "Comparison Using Wrong Factors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:UncertaintySampling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-US",
      "d3f:definition": "Makes the utility inversely proportional to the uncertainty of the model with respect to the sample and will work with any model provided it can assess its uncertainty of a prediction.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Uncertainty Sampling",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:extends",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x extends y: The entity x extends the scope, range, or area of entity y, especially in the sense of widening the range of applications.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00541315-v"
      },
      "rdfs:label": "extends",
      "rdfs:subPropertyOf": {
        "@id": "d3f:modifies"
      }
    },
    {
      "@id": "d3f:T1553.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.002",
      "d3f:enables": {
        "@id": "d3f:DefenseEvasion"
      },
      "rdfs:label": "Code Signing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Nf1e16b6d19b04a64b959ce17dd3a413e"
        }
      ]
    },
    {
      "@id": "_:Nf1e16b6d19b04a64b959ce17dd3a413e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefenseEvasion"
      }
    },
    {
      "@id": "d3f:Directory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. On many computers, directories are known as folders, or drawers to provide some relevancy to a workbench or the traditional office file cabinet.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Directory_(computing)"
      },
      "rdfs:label": "Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Ndc5d16a3123142bd9ad8a7b8aba17001"
        }
      ]
    },
    {
      "@id": "_:Ndc5d16a3123142bd9ad8a7b8aba17001",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:HierarchicalClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HC",
      "d3f:definition": "Hierarchical clustering (also called hierarchical cluster analysis or HCA) is a method of cluster analysis that seeks to build a hierarchy of clusters.",
      "d3f:kb-article": "## References\nWikipedia. (2021, August 10). Hierarchical clustering. [Link](https://en.wikipedia.org/wiki/Hierarchical_clustering)",
      "rdfs:label": "Hierarchical Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:Shim",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer programming, a shim is a small library that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. Shims can be used to support an old API in a newer environment, or a new API in an older environment. Shims can also be used for running programs on different software platforms than those for which they were developed.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Shim_(computing)"
      },
      "rdfs:label": "Shim",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1083",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        }
      ],
      "d3f:attack-id": "T1083",
      "rdfs:label": "File and Directory Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N63805963939e4846808889a730b4812e"
        },
        {
          "@id": "_:N2705ba243d1845e38a356e520bdb60c6"
        }
      ]
    },
    {
      "@id": "_:N63805963939e4846808889a730b4812e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:N2705ba243d1845e38a356e520bdb60c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:PropertyListFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In the OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files. Property list files are often used to store a user's settings. They are also used to store information about bundles and applications, a task served by the resource fork in the old Mac OS.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Property_list"
      },
      "rdfs:label": "Property List File",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationFile"
      },
      "skos:altLabel": "Plist File"
    },
    {
      "@id": "d3f:T1218.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.013",
      "d3f:invokes": {
        "@id": "d3f:CreateThread"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Mavinject",
      "rdfs:seeAlso": {
        "@id": "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nc707d99064454d1ab584e815ba3e0819"
        },
        {
          "@id": "_:N45ca924582f44d69804159727228edc9"
        }
      ]
    },
    {
      "@id": "_:Nc707d99064454d1ab584e815ba3e0819",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateThread"
      }
    },
    {
      "@id": "_:N45ca924582f44d69804159727228edc9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:Reference-UserLoginActivityMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-10-001/"
      },
      "d3f:kb-abstract": "Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.\n\nCould be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationEventThresholding"
      },
      "d3f:kb-reference-title": "CAR-2013-10-001: User Login Activity Monitoring",
      "rdfs:label": "Reference - CAR-2013-10-001: User Login Activity Monitoring - MITRE"
    },
    {
      "@id": "d3f:CWE-768",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-768",
      "rdfs:label": "Incorrect Short Circuit Evaluation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1547",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547",
      "rdfs:label": "Boot or Logon Autostart Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1267",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1267",
      "rdfs:label": "Policy Uses Obsolete Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1595.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.001",
      "rdfs:label": "Scanning IP Blocks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:CollectorAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network agent is software installed on a network node or device that transmits information back to a collector agent or management system.  Kinds of network agents include SNMP Agent, IPMI agents, WBEM agents, and many proprietary agents capturing network monitoring and management information.",
      "d3f:synonym": "Exporter",
      "rdfs:label": "Network Agent",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:CapabilityFeature",
      "@type": "owl:Class",
      "d3f:definition": "A distinguishing characteristic of a capability (e.g., performance, portability, or functionality).",
      "rdfs:label": "Capability Feature",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCatalogThing"
      }
    },
    {
      "@id": "d3f:CCI-001941_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001941"
    },
    {
      "@id": "d3f:QueryByCommittee",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-QBC",
      "d3f:definition": "Query by Committee (QBC) takes inspiration from ensemble methods. Instead of just one classifier, it takes into account the decision of a committee 𝐶=ℎ1,…,ℎc of classifiers ℎ𝑖. Each classifier has the same target classes, but a different underlying model or a different view on the data.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Query By Committee",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1547.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.006",
      "d3f:modifies": {
        "@id": "d3f:KernelModule"
      },
      "rdfs:label": "Kernel Modules and Extensions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N3b2160cc16824e128a321d709d19119c"
        }
      ]
    },
    {
      "@id": "_:N3b2160cc16824e128a321d709d19119c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:T1553.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.004",
      "d3f:modifies": {
        "@id": "d3f:CertificateTrustStore"
      },
      "rdfs:label": "Install Root Certificate",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Nbc807e5b99e64ed390b37637ef32f74a"
        }
      ]
    },
    {
      "@id": "_:Nbc807e5b99e64ed390b37637ef32f74a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateTrustStore"
      }
    },
    {
      "@id": "d3f:EncryptedPassword",
      "@type": "owl:Class",
      "rdfs:label": "Encrypted Password",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EncryptedCredential"
        },
        {
          "@id": "d3f:Password"
        }
      ]
    },
    {
      "@id": "d3f:T1574.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1574.013",
      "rdfs:label": "KernelCallbackTable",
      "rdfs:subClassOf": {
        "@id": "d3f:T1574"
      }
    },
    {
      "@id": "d3f:StringFormatFunction",
      "@type": "owl:Class",
      "d3f:definition": "A function which creates a new string based on a format specification and corresponding specified values.",
      "rdfs:label": "String Format Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Trusted Generation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:FirmwareVerification"
      },
      "rdfs:label": "SA-10(4)"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
      },
      "d3f:version": 3,
      "rdfs:label": "NIST SP 800-53 R3",
      "rdfs:seeAlso": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
    },
    {
      "@id": "d3f:T1021.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021.004",
      "d3f:creates": {
        "@id": "d3f:SSHSession"
      },
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "SSH",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1021"
        },
        {
          "@id": "_:N80f5e52965ff441791e54a37e14d2a99"
        },
        {
          "@id": "_:N3da0b939bcc84920988681ef14184b81"
        }
      ]
    },
    {
      "@id": "_:N80f5e52965ff441791e54a37e14d2a99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHSession"
      }
    },
    {
      "@id": "_:N3da0b939bcc84920988681ef14184b81",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-245",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-245",
      "rdfs:label": "J2EE Bad Practices: Direct Management of Connections",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:T1497.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1497.003",
      "d3f:may-invoke": {
        "@id": "d3f:GetSystemTime"
      },
      "d3f:may-run": {
        "@id": "d3f:SystemTimeApplication"
      },
      "rdfs:label": "Time Based Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1497"
        },
        {
          "@id": "_:N3b6693772e734ecab9061d75ca483b42"
        },
        {
          "@id": "_:Na397f2b050864c47866ced20e8afd99f"
        }
      ]
    },
    {
      "@id": "_:N3b6693772e734ecab9061d75ca483b42",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "_:Na397f2b050864c47866ced20e8afd99f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-run"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemTimeApplication"
      }
    },
    {
      "@id": "d3f:CWE-88",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-88",
      "rdfs:label": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:CCI-002661_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002661"
    },
    {
      "@id": "d3f:publisher",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:publishes"
      },
      "rdfs:label": "publisher",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-object-property"
      }
    },
    {
      "@id": "d3f:M1028",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "Operating System Configuration"
    },
    {
      "@id": "d3f:T1091",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1091",
      "d3f:executes": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Replication Through Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Nbce8d565c1d947ebacefa581d951b97c"
        }
      ]
    },
    {
      "@id": "_:Nbce8d565c1d947ebacefa581d951b97c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:CWE-390",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-390",
      "rdfs:label": "Detection of Error Condition Without Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:DefensiveTactic",
      "@type": "owl:Class",
      "d3f:definition": "a plan for attaining a particular goal",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05913746-n"
      },
      "rdfs:label": "Defensive Tactic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:N253f645fdfb6447b842129a9fa0d7b7c"
        }
      ]
    },
    {
      "@id": "_:N253f645fdfb6447b842129a9fa0d7b7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enabled-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "d3f:FileServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The term server highlights the role of the machine in the traditional client-server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations. File servers are commonly found in schools and offices, where users use a local area network to connect their client computers.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:File_server"
      },
      "rdfs:label": "File Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CCI-001170_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the automatic execution of mobile code in organization-defined software applications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001170"
    },
    {
      "@id": "d3f:T1204.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204.003",
      "rdfs:label": "Malicious Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1204"
      }
    },
    {
      "@id": "d3f:T1505.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:WebScriptFile"
      },
      "d3f:attack-id": "T1505.003",
      "d3f:modifies": {
        "@id": "d3f:WebServer"
      },
      "d3f:produces": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Web Shell",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N24ba0396ed52443aaed87762d2c25168"
        },
        {
          "@id": "_:Nf939bfbda0f24dad810bdb9d0163ae1f"
        },
        {
          "@id": "_:N7a5fb59f9ea94247a0e18d526ba36bf7"
        }
      ]
    },
    {
      "@id": "_:N24ba0396ed52443aaed87762d2c25168",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebScriptFile"
      }
    },
    {
      "@id": "_:Nf939bfbda0f24dad810bdb9d0163ae1f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebServer"
      }
    },
    {
      "@id": "_:N7a5fb59f9ea94247a0e18d526ba36bf7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:OrchestrationServer",
      "@type": "owl:Class",
      "d3f:definition": "A d3f:Server which is involved with the orchestration of workloads or the execution of orchestrated workloads.",
      "rdfs:label": "Orchestration Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Orchestration_(computing)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CCI-001957_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined out-of-band authentication under organization-defined conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001957"
    },
    {
      "@id": "d3f:CWE-940",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-940",
      "rdfs:label": "Improper Verification of Source of a Communication Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:CWE-354",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-354",
      "rdfs:label": "Improper Validation of Integrity Check Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001150_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001150"
    },
    {
      "@id": "d3f:CWE-510",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-510",
      "rdfs:label": "Trapdoor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-15",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Alternate Audit Logging Capability",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-15"
    },
    {
      "@id": "d3f:issued",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of formal issuance of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date issued"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-177",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-177",
      "rdfs:label": "Improper Handling of URL Encoding (Hex Encoding)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:ConfigurationInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-CI",
      "d3f:definition": "Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.",
      "d3f:inventories": {
        "@id": "d3f:ConfigurationResource"
      },
      "d3f:kb-article": "## How it works\n\nThe organization retrieves configuration information through means of SNMP (MIB records), WBEM (CIM records), other protocols, or custom scripts and captures that information in a repository, typically known as a Configuration Management Database (CMDB).\"",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "rdfs:label": "Configuration Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N5d8051590fc44f82894cd0253fb3dc78"
        }
      ]
    },
    {
      "@id": "_:N5d8051590fc44f82894cd0253fb3dc78",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:has-location",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-location y: The entity x is situated in a particular spot or position y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02133811-s"
      },
      "rdfs:label": "has-location",
      "rdfs:seeAlso": {
        "@id": "http://www.obofoundry.org/ro/#OBO_REL:located_in"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "located_in"
    },
    {
      "@id": "d3f:RandomForest",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RF",
      "d3f:definition": "Random Forest is a ML method that combines several other ML methods. At its core, Random Forest is an ensemble method of multiple bootstrapped decision trees filled with training data and random feature selection.",
      "d3f:kb-article": "## References\nRandom forest. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Random_forest).",
      "rdfs:label": "Random Forest",
      "rdfs:subClassOf": {
        "@id": "d3f:BootstrapAggregating"
      }
    },
    {
      "@id": "d3f:T1134.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.002",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Create Process with Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N0e8e8647578f49b3869db15babde21eb"
        },
        {
          "@id": "_:Ne019778e3ad9413a8d6dfbb397749cc5"
        }
      ]
    },
    {
      "@id": "_:N0e8e8647578f49b3869db15babde21eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "_:Ne019778e3ad9413a8d6dfbb397749cc5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:NonlinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NR",
      "d3f:definition": "Nonlinear regression is a form of regression analysis in which observational data are modeled by a function which is a nonlinear combination of the model parameters and depends on one or more independent variables.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)",
      "rdfs:label": "Nonlinear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:Pointer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, a pointer is a programming language object, whose value refers to (or \"points to\") another value stored elsewhere in the computer memory using its memory address. A pointer references a location in memory, and obtaining the value stored at that location is known as dereferencing the pointer. As an analogy, a page number in a book's index could be considered a pointer to the corresponding page; dereferencing such a pointer would be done by flipping to the page with the given page number.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Pointer_(computer_programming)"
      },
      "rdfs:label": "Pointer",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:PhysicalLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A physical link is a dedicated connection for communication that uses some physical media (electrical, electromagnetic, optical, to include clear spaces or vacuums.)  A physical link represents only a single hop (link) in any larger communcations path, circuit, or network.\n\nNOTE: not synonymous with data link as a data link can be over a telecommunications circuit, which may be a virtual circuit composed of multiple phyical links.",
      "d3f:synonym": "Layer-1 Link",
      "rdfs:label": "Physical Link",
      "rdfs:seeAlso": "https://dbpedia.org/resource/Physical_layer",
      "rdfs:subClassOf": {
        "@id": "d3f:Link"
      }
    },
    {
      "@id": "d3f:T1595",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595",
      "rdfs:label": "Active Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-370",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-370",
      "rdfs:label": "Missing Check for Certificate Revocation after Initial Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-299"
      }
    },
    {
      "@id": "d3f:T1218.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.003",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-produce": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "CMSTP",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N1c7fbdc2839a44f484a64c5436d325a6"
        },
        {
          "@id": "_:N782a84944f1a4a379d6c7a12a11726ae"
        }
      ]
    },
    {
      "@id": "_:N1c7fbdc2839a44f484a64c5436d325a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N782a84944f1a4a379d6c7a12a11726ae",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1055.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.012",
      "d3f:modifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Process Hollowing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N9a673e54685c4aad96de6f270690740b"
        }
      ]
    },
    {
      "@id": "_:N9a673e54685c4aad96de6f270690740b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:CWE-1291",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1291",
      "rdfs:label": "Public Key Re-Use for Signing both Debug and Production Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:JournalArticle",
      "@type": "owl:Class",
      "rdfs:label": "Journal Article",
      "rdfs:subClassOf": {
        "@id": "d3f:AcademicArticle"
      }
    },
    {
      "@id": "d3f:DataDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:synonym": "Transactional Dependency",
      "rdfs:label": "Data Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:T1046",
      "@type": "owl:Class",
      "d3f:attack-id": "T1046",
      "rdfs:label": "Network Service Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:SharedResourceAccessFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:definition": "A function which access a shared resource.",
      "rdfs:label": "Shared Resource Access Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N0326b1454d834e2da6091cbd8d927f08"
        }
      ]
    },
    {
      "@id": "_:N0326b1454d834e2da6091cbd8d927f08",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:ForwardProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "An forward (or open) proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Open_proxy"
      },
      "rdfs:label": "Forward Proxy Server",
      "rdfs:subClassOf": {
        "@id": "d3f:ProxyServer"
      }
    },
    {
      "@id": "d3f:CCI-002363_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002363"
    },
    {
      "@id": "d3f:System",
      "@type": "owl:Class",
      "d3f:definition": "An artifact (instrumentality) that combines interrelated interacting artifacts designed to work as a coherent entity.  [Note that not all digital artifacts are systems nor are all systems digital artifacts.]",
      "rdfs:isDefinedBy": "http://wordnet-rdf.princeton.edu/id/04384144-n",
      "rdfs:label": "System",
      "rdfs:subClassOf": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "d3f:T1111",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1111",
      "d3f:may-access": {
        "@id": "d3f:SecurityToken"
      },
      "rdfs:label": "Two-Factor Authentication Interception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nd00d1aaff3fe4924bfebf8c538eb64c8"
        }
      ]
    },
    {
      "@id": "_:Nd00d1aaff3fe4924bfebf8c538eb64c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecurityToken"
      }
    },
    {
      "@id": "d3f:CWE-391",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-391",
      "rdfs:label": "Unchecked Error Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:LinuxMunmap",
      "@type": "owl:Class",
      "d3f:definition": "Unmap files or devices from memory.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/munmap.2.html",
      "rdfs:label": "Linux Munmap",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIFreeMemory"
      }
    },
    {
      "@id": "d3f:M1051",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "Update Software"
    },
    {
      "@id": "d3f:NTFSSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTFSLink"
        },
        {
          "@id": "d3f:SymbolicLink"
        }
      ],
      "skos:altLabel": "NTFS Symlink"
    },
    {
      "@id": "d3f:CWE-1188",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1188",
      "rdfs:label": "Insecure Default Initialization of Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CWE-1285",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1285",
      "rdfs:label": "Improper Validation of Specified Index, Position, or Offset in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CCI-000374_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000374"
    },
    {
      "@id": "d3f:CWE-558",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-558",
      "rdfs:label": "Use of getlogin() in Multithreaded Application",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-663"
      }
    },
    {
      "@id": "d3f:CWE-85",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-85",
      "rdfs:label": "Doubled Character XSS Manipulations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:CWE-830",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-830",
      "rdfs:label": "Inclusion of Web Functionality from an Untrusted Source",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-829"
      }
    },
    {
      "@id": "d3f:blocks",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x blocks y: The entity x blocks off the use of digital artifact y by reference to a block or allow list (or both.)",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01480024-v"
      },
      "rdfs:label": "blocks",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:filters"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_28",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Linear Filter Pipelines",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(28)"
    },
    {
      "@id": "d3f:ReverseResolutionDomainDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      },
      "d3f:d3fend-id": "D3-RRDD",
      "d3f:definition": "Blocking a reverse DNS lookup's answer's domain name value.",
      "d3f:kb-article": "## How it works\n\nIn reverse resolution requests, the client sends to a nameserver (such as a DNS server) a query of an IP address, to get a response of the associated domain name(s). This technique drops reverse lookup responses where a domain name matches an entry in the blacklist, either verbatim or as a wildcard subdomain of a higher-level domain on the list. Such domain names might be unwanted because Forward Domain Name Resolution requests to such a blacklisted domain might return an unwanted IP address.\n\nThis technique is useful because relying solely on Forward Resolution Domain Blacklisting will miss instances where the domain in question is forward-resolved in a manner that is not inspected via a subsequent technique (as is likely the case if that resolution is performed with DoH (DNS over HTTPS) or DoT (DNS over TLS)). Additionally, note that responses to forward lookups of that domain are *not* necessarily equal to the original IP in the reverse lookup request, and that future lookups of a string based on this domain may even employ a less-common name resolution protocol, such as NBNS.\n\nThe DNS response can either be blocked by dropping the network traffic with an inline device, or by modifying the value of the response sent by the DNS server.  
To prevent client applications from hanging on a request, it is common practice to replace malicious values, either with names like \"localhost.\" or the address of a honeypot maintained by the network administrators.\n\n## Considerations\n\n* This technique does not prevent the client from contacting the blacklisted domain or any IP addresses that it might resolve to, only from learning about this domain name via a nameserver lookup.\n* DNS response traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS answer domain name value(s).\n  * DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n  * Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS responses. These protocols have often been enabled in browser settings transparently after a browser update, with DNS requests proxied over one of these cryptographic protocols through a specified host.\n* This technique must be deployed between the application that receives the response and the server which sent the response.\n  * DNS responses sent in an encrypted manner, such as using DoH or DoT, will require interception of the TLS connections in order to determine the domain name(s) in the response.\n* Replacing the response is not effective in the case that the nameserver uses a technique to provide integrity of its responses, such as DNSSEC for DNS responses.",
      "d3f:synonym": "Reverse Resolution Domain Blacklisting",
      "rdfs:label": "Reverse Resolution Domain Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:N8675ea38985740c6a044bc6b5e43bade"
        }
      ]
    },
    {
      "@id": "_:N8675ea38985740c6a044bc6b5e43bade",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      }
    },
    {
      "@id": "d3f:OpticalModem",
      "@type": "owl:Class",
      "d3f:definition": "A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to \"triple play\" features such as telephony and television service.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Optical_modem"
      },
      "rdfs:label": "Optical Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:CWE-457",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-457",
      "rdfs:label": "Use of Uninitialized Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-908"
      }
    },
    {
      "@id": "d3f:T1550",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AuthenticationService"
      },
      "d3f:attack-id": "T1550",
      "rdfs:label": "Use Alternate Authentication Material",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N50b5b53d261f4c2895e56292ecfe409e"
        }
      ]
    },
    {
      "@id": "_:N50b5b53d261f4c2895e56292ecfe409e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:CWE-1224",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1224",
      "rdfs:label": "Improper Restriction of Write-Once Bit Fields",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1137.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.001",
      "d3f:may-add": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-modify": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        }
      ],
      "rdfs:label": "Office Template Macros",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N91a9c610ef144dff82ad7ffec145ce89"
        },
        {
          "@id": "_:N154ab723238848839b61b4cf66aad7a0"
        },
        {
          "@id": "_:Nc220128707a8447ab58bbd277452e46d"
        }
      ]
    },
    {
      "@id": "_:N91a9c610ef144dff82ad7ffec145ce89",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N154ab723238848839b61b4cf66aad7a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:Nc220128707a8447ab58bbd277452e46d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-005/"
      },
      "d3f:kb-abstract": "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from bitsadmin.exe, but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS. It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-005: BITSAdmin Download File",
      "rdfs:label": "Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE"
    },
    {
      "@id": "d3f:T1037.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.001",
      "d3f:modifies": {
        "@id": "d3f:UserInitScript"
      },
      "rdfs:label": "Logon Script (Windows)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N8706127da30946f6ab5d5203dc75a65f"
        }
      ]
    },
    {
      "@id": "_:N8706127da30946f6ab5d5203dc75a65f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:WindowsNtDeleteFile",
      "@type": "owl:Class",
      "d3f:definition": "Deletes the specified file.",
      "rdfs:label": "Windows NtDeleteFile",
      "rdfs:seeAlso": "https://j00ru.vexillium.org/syscalls/nt/64/",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIDeleteFile"
        },
        {
          "@id": "d3f:OSAPIPrivateFunction"
        }
      ]
    },
    {
      "@id": "d3f:CWE-675",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-675",
      "rdfs:label": "Multiple Operations on Resource in Single-Operation Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:CWE-20",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-20",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Input Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-707"
        },
        {
          "@id": "_:Naf0bc20e59da45659898b7c7268c6499"
        }
      ]
    },
    {
      "@id": "_:Naf0bc20e59da45659898b7c7268c6499",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-565",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-565",
      "rdfs:label": "Reliance on Cookies without Validation and Integrity Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-602"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:RFNode",
      "@type": "owl:Class",
      "rdfs:label": "RF Node",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:Article",
      "@type": "owl:Class",
      "rdfs:label": "Article",
      "rdfs:subClassOf": {
        "@id": "d3f:Document"
      }
    },
    {
      "@id": "d3f:CWE-1266",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1266",
      "rdfs:label": "Improper Scrubbing of Sensitive Data from Decommissioned Device",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:CWE-419",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-419",
      "rdfs:label": "Unprotected Primary Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:ARIMAModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AM",
      "d3f:definition": "An autoregressive integrated moving average (ARIMA) model is a generalization of an autoregressive moving average (ARMA) model.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive integrated moving average. [Link](https://en.wikipedia.org/wiki/Autoregressive_integrated_moving_average)",
      "d3f:synonym": "Autoregressive Integrated Moving Average Model",
      "rdfs:label": "ARIMA Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-1258",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1258",
      "rdfs:label": "Exposure of Sensitive System Information Due to Uncleared Debug Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-200"
        },
        {
          "@id": "d3f:CWE-212"
        }
      ]
    },
    {
      "@id": "d3f:ConfigurationManagementDatabase",
      "@type": "owl:Class",
      "d3f:definition": "A database used to store configuration records throughout their lifecycle. The Configuration Management System (CMS) maintains one or more CMDBs, and each CMDB stores attributes of configuration items (CIs), and relationships with other CIs.",
      "rdfs:isDefinedBy": "https://web.archive.org/web/20111201040529/http://www.best-management-practice.com/gempdf/itil_glossary_v3_1_24.pdf",
      "rdfs:label": "Configuration Management Database",
      "rdfs:seeAlso": [
        "https://dbpedia.org/resource/Configuration_management_database",
        "https://wiki.en.it-processmaps.com/index.php/ITIL_Glossary/_ITIL_Terms_C#Config_Management_Database_.28CMDB.29",
        "https://www.dmtf.org/standards/cmdbf"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:T1572",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1572",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Protocol Tunneling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N9e990fd686d944f5b98a0f83269102e4"
        }
      ]
    },
    {
      "@id": "_:N9e990fd686d944f5b98a0f83269102e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions | Transmit Access Authorization Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "rdfs:label": "AC-24(1)"
    },
    {
      "@id": "d3f:CWE-1315",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1315",
      "rdfs:label": "Improper Setting of Bus Controlling Capability in Fabric End-point",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:BayesianModelCombination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BMC",
      "d3f:definition": "Bayesian model combination (BMC) is an algorithmic correction to Bayesian model averaging (BMA). Instead of sampling each model in the ensemble individually, it samples from the space of possible ensembles (with model weights drawn randomly from a Dirichlet distribution having uniform parameters)",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nShultz, K. M., & Peterson, L. E. (2011). Model-averaged confidence intervals for ensemble learning. In *International Joint Conference on Neural Networks* (pp. 2677-2684).  [Link](https://axon.cs.byu.edu/papers/Kristine.ijcnn2011.pdf).",
      "rdfs:label": "Bayesian Model Combination",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_30",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Filter Mechanisms Using Multiple Processes",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(30)"
    },
    {
      "@id": "d3f:CWE-191",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-191",
      "rdfs:label": "Integer Underflow (Wrap or Wraparound)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CCI-000219_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000219"
    },
    {
      "@id": "d3f:M1043",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "rdfs:label": "Credential Access Protection"
    },
    {
      "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-012/"
      },
      "d3f:kb-abstract": "Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.\n\nCertain users will likely appear as being logged into several machines and may need to be \"whitelisted.\" Such users would include network admins or user names that are common to many hosts.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-02-012: User Logged in to Multiple Hosts",
      "rdfs:label": "Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE"
    },
    {
      "@id": "d3f:T1056",
      "@type": "owl:Class",
      "d3f:attack-id": "T1056",
      "rdfs:label": "Input Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "d3f:CredentialAccessTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Email",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An email, or email message, is a document that is sent between computer users across computer networks.",
      "d3f:may-contain": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Email",
      "rdfs:seeAlso": [
        "https://schema.ocsf.io/objects/email",
        {
          "@id": "dbr:Email"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "_:Na566cee8c8c14e87aa6b3a0e5bce75dc"
        },
        {
          "@id": "_:N2950202c7d364dcfb58c11e9ff6bc0cd"
        }
      ]
    },
    {
      "@id": "_:Na566cee8c8c14e87aa6b3a0e5bce75dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N2950202c7d364dcfb58c11e9ff6bc0cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:T1564.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.008",
      "d3f:may-create": {
        "@id": "d3f:EmailRule"
      },
      "d3f:may-modify": {
        "@id": "d3f:EmailRule"
      },
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Email Hiding Rules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N9a1e9dec3dff489e91300b4f12678453"
        },
        {
          "@id": "_:Ncf639e75963d4db5b463dd3791ac7411"
        },
        {
          "@id": "_:Naab692923c7f49c5b578934c5c7c671e"
        }
      ]
    },
    {
      "@id": "_:N9a1e9dec3dff489e91300b4f12678453",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EmailRule"
      }
    },
    {
      "@id": "_:Ncf639e75963d4db5b463dd3791ac7411",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EmailRule"
      }
    },
    {
      "@id": "_:Naab692923c7f49c5b578934c5c7c671e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:MedianAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAD",
      "d3f:definition": "The median absolute deviation (also MAD) is the median of the absolute deviation from the median.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "rdfs:label": "Median Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:AverageAbsoluteDeviation"
      }
    },
    {
      "@id": "d3f:CWE-1058",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1058",
      "rdfs:label": "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:CWE-1384",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1384",
      "rdfs:label": "Improper Handling of Physical or Environmental Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:GetForegroundWindow",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetOpenWindows"
      ],
      "rdfs:isDefinedBy": "https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging | Compilation of Audit Records from Multiple Sources",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2(1)"
    },
    {
      "@id": "d3f:CWE-1021",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1021",
      "rdfs:label": "Improper Restriction of Rendered UI Layers or Frames",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-441"
        },
        {
          "@id": "d3f:CWE-451"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ExecutionWithSchtasks_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-08-001/"
      },
      "d3f:kb-abstract": "The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag will cause a task to run as the SYSTEM user, usually indicating privilege escalation.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-08-001: Execution with schtasks",
      "rdfs:label": "Reference - CAR-2013-08-001: Execution with schtasks - MITRE"
    },
    {
      "@id": "d3f:DigitalFingerprint",
      "@type": "owl:Class",
      "d3f:definition": "A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.",
      "rdfs:isDefinedBy": "https://csrc.nist.gov/glossary/term/digital_fingerprint",
      "rdfs:label": "Digital Fingerprint",
      "rdfs:seeAlso": "https://schema.ocsf.io/objects/fingerprint",
      "rdfs:subClassOf": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "d3f:ServiceProvider",
      "@type": "owl:Class",
      "rdfs:label": "Service Provider",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Provider"
        },
        {
          "@id": "_:N0fa75d18a7d4450281db985275866adf"
        }
      ]
    },
    {
      "@id": "_:N0fa75d18a7d4450281db985275866adf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:provides"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Service"
      }
    },
    {
      "@id": "d3f:T1598.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.002",
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:T1079",
      "@type": "owl:Class",
      "d3f:attack-id": "T1079",
      "rdfs:label": "Multilayer Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Disable Accounts for High-risk Individuals",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-2(13)"
    },
    {
      "@id": "d3f:CWE-33",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-33",
      "rdfs:label": "Path Traversal: '....' (Multiple Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:T1597.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597.001",
      "rdfs:label": "Threat Intel Vendors",
      "rdfs:subClassOf": {
        "@id": "d3f:T1597"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOTMFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOTM File"
    },
    {
      "@id": "d3f:T1608.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.004",
      "rdfs:label": "Drive-by Target",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:M1045",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ServiceBinaryVerification"
        }
      ],
      "rdfs:label": "Code Signing"
    },
    {
      "@id": "d3f:T1193",
      "@type": "owl:Class",
      "d3f:attack-id": "T1193",
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-239",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-239",
      "rdfs:label": "Failure to Handle Incomplete Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-237"
      }
    },
    {
      "@id": "d3f:CWE-206",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-206",
      "rdfs:label": "Observable Internal Behavioral Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-205"
      }
    },
    {
      "@id": "d3f:DefensiveTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Technique"
      ],
      "d3f:definition": "A method which makes a computer system more difficult to attack.",
      "d3f:display-baseurl": "/technique/",
      "d3f:synonym": [
        "Technical Security Control",
        "Defensive Capability Feature",
        "Countermeasure Technique"
      ],
      "rdfs:label": "Defensive Technique",
      "rdfs:seeAlso": {
        "@id": "https://csrc.nist.gov/glossary/term/security_control"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CapabilityFeature"
        },
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "d3f:Technique"
        },
        {
          "@id": "_:Na93bd49c5b844aa4ba08d06265d10b40"
        },
        {
          "@id": "_:N690bfa95f8dd42b39d6e3c8d1f1dc316"
        },
        {
          "@id": "_:N29a81fa7b6d0428f99b039a2d7f89b2c"
        },
        {
          "@id": "_:N0866de8189644352a6dfe6ab70b03d84"
        }
      ]
    },
    {
      "@id": "_:Na93bd49c5b844aa4ba08d06265d10b40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "_:N690bfa95f8dd42b39d6e3c8d1f1dc316",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "_:N29a81fa7b6d0428f99b039a2d7f89b2c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:d3fend-id"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N0866de8189644352a6dfe6ab70b03d84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:date"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:verifies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x verifies y: A technique x confirms the truth of a digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00666401-v"
      },
      "rdfs:label": "verifies",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Formal_verification"
        },
        {
          "@id": "dbr:Runtime_verification"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00665271-v"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:analyzes"
        },
        {
          "@id": "d3f:associated-with"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-23",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Data Mining Protection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:JobFunctionAccessPatternAnalysis"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        }
      ],
      "rdfs:label": "AC-23"
    },
    {
      "@id": "d3f:ConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:synonym": "Configuration Record",
      "rdfs:label": "Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationResource"
        },
        {
          "@id": "d3f:Record"
        }
      ]
    },
    {
      "@id": "d3f:T1556.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.005",
      "rdfs:label": "Reversible Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:T1558.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1558.002",
      "rdfs:label": "Silver Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:T1558"
      }
    },
    {
      "@id": "d3f:RestoreNetworkAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreAccess"
      ],
      "d3f:d3fend-id": "D3-RNA",
      "d3f:definition": "Restoring an entity's access to a computer network.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Host"
      },
      "rdfs:label": "Restore Network Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreAccess"
        },
        {
          "@id": "_:N0df5edf1496c46ecba6e857aa24411d7"
        }
      ]
    },
    {
      "@id": "_:N0df5edf1496c46ecba6e857aa24411d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10474448B2/en"
      },
      "d3f:kb-author": "John Melton Reynolds",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-title": "Method and system for providing software updates to local machines",
      "rdfs:label": "Reference - Method and system for providing software updates to local machines"
    },
    {
      "@id": "d3f:synonym",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "an equivalent term.",
      "rdfs:label": "synonym",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:StyleGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-STY",
      "d3f:definition": "Successor to the ProGAN.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). StyleGAN. [Link](https://en.wikipedia.org/wiki/StyleGAN)",
      "d3f:synonym": "Style GAN",
      "rdfs:label": "StyleGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:CCI-001424_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001424"
    },
    {
      "@id": "d3f:Reference-SMBWriteRequest_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-003/"
      },
      "d3f:kb-abstract": "As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-003: SMB Write Request",
      "rdfs:label": "Reference - CAR-2013-05-003: SMB Write Request - MITRE"
    },
    {
      "@id": "d3f:CCI-002355_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002355"
    },
    {
      "@id": "d3f:T1586",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586",
      "rdfs:label": "Compromise Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:CWE-670",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-670",
      "rdfs:label": "Always-Incorrect Control Flow Implementation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-273",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-273",
      "rdfs:label": "Improper Check for Dropped Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-271"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:T1583.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.006",
      "rdfs:label": "Web Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:CWE-359",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-359",
      "rdfs:label": "Exposure of Private Personal Information to an Unauthorized Actor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264083A1"
      },
      "d3f:kb-abstract": "A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators.",
      "d3f:kb-author": "Ryan James PRENGER; Nicolas BEAUCHESNE; Karl Matthew LYNN",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting relay networks, i.e. an attacker outside of the organization's network takes control of an internal host to be used as a source of attacks against other internal targets or exfiltrate data out of the organization. In this defensive technique, metadata from collected network packet captures is extracted to categorize network sessions using known relay behaviors. Information such as the number of bytes sent to and from a potential internal relay host, time of session initiation, packet contents, packet size, flow direction, and packet arrival time statistics are used to categorize the sessions and identify relay behavior. This technique assumes that relay network connections' inter-packet arrival times exhibit a high degree of variance in comparison to standard client-to-server connections. If enough evidence of relay behavior is gathered about a given internal host, the host is identified as suspicious and an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RelayPatternAnalysis"
      },
      "d3f:kb-reference-title": "Malicious relay detection on networks",
      "rdfs:label": "Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:T1484.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1484.001",
      "rdfs:label": "Group Policy Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1484"
      }
    },
    {
      "@id": "d3f:CCI-000768_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for local access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000768"
    },
    {
      "@id": "d3f:Non-monotonicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NML",
      "d3f:definition": "Non-monotonic logic is a formal logic whose conclusion relation is not monotonic. In other words, non-monotonic logics are devised to capture and represent defeasible inferences (cf. defeasible reasoning), i.e., a kind of inference in which reasoners draw tentative conclusions, enabling reasoners to retract their conclusion(s) based on further evidence.",
      "d3f:kb-article": "## References\n1. Non-monotonic logic. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Non-monotonic_logic)",
      "rdfs:label": "Non-monotonic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:CCI-001677_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MessageAuthentication"
        },
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        },
        {
          "@id": "d3f:TransferAgentAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001677"
    },
    {
      "@id": "d3f:URLAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:URL"
      },
      "d3f:d3fend-id": "D3-UA",
      "d3f:definition": "Determining if a URL is benign or malicious by analyzing the URL or its components.",
      "d3f:kb-article": "## How it works\n\nURLs may contain components, for example:\n\n * scheme\n * userinfo\n * host name\n * port\n * path\n * query\n * fragment\n\nThese components are used as features in analysis algorithms.\n\nContextual information about a URL such as where it is embedded (e.g., emails, files, network protocols), header, path, location, and origin information, as well as information about the content returned from the URL request, may be incorporated into an analytic for URL analysis. For example, if a URL indicates a .pdf file but an executable is actually returned, the combination of these two pieces of information indicates suspicious activity.\n\nAdditional techniques include:\n\n* Extracting features of a URL such as domain name length, ratio of consecutive consonants, percentage of digits in a domain, and number of vowels. Values for each feature are combined to develop a score for the URL.\n* Determining the probability of a character occurring in the URL given the preceding two characters. For example, for google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a 'g', the probability of an 'o' occurring after a 'g' and 'o', and so forth. A dictionary or a list of known good domains is used to determine probability. Probabilities are multiplied to develop a score for the URL.\n\nURL analysis may trigger follow-on analytics such as **File Analysis**.\n\n## Considerations\n\n* Volume of URLs being analyzed, combined with the speed at which they are analyzed\n* Fidelity of analysis technique at detecting brand new URLs versus analyzing URLs of established domains",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd"
        }
      ],
      "rdfs:label": "URL Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "_:N59819ebd2b54436ea818c00a6c3d425a"
        }
      ]
    },
    {
      "@id": "_:N59819ebd2b54436ea818c00a6c3d425a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-523",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-523",
      "rdfs:label": "Unprotected Transport of Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:process-ancestor",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "x process-ancestor y: The process y is a process ancestor of process x, indicating one or more process creation events were conducted were started at process y and subsequently created process x.",
      "rdfs:label": "process-ancestor",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      }
    },
    {
      "@id": "d3f:contains",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "x contains y: A core relation that holds between a whole x and its part y.  Equivalent to relational concept 'has part' and thus transitive.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02639021-v"
      },
      "rdfs:label": "contains",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-contain"
        }
      ]
    },
    {
      "@id": "d3f:OutboundInternetEncryptedTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted traffic is encrypted network traffic on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-706",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-706",
      "rdfs:label": "Use of Incorrectly-Resolved Name or Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:display-baseurl",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "A base string to use as prefix to create a full URL for an entity. The baseurl must end in a forward slash: /",
      "rdfs:label": "display-baseurl",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:T1021.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.003",
      "rdfs:label": "Distributed Component Object Model",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:CCI-000382_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000382"
    },
    {
      "@id": "d3f:process-environmental-variables",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-environment-variables y: The process x has the process environmental variables data y.",
      "rdfs:label": "process-environmental-variables",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      },
      "skos:altLabel": "process-environmental-variable"
    },
    {
      "@id": "d3f:T1543.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.001",
      "d3f:creates": {
        "@id": "d3f:PropertyListFile"
      },
      "rdfs:label": "Launch Agent",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N6e725fd3aaf74be2ba0b6215abb16209"
        }
      ]
    },
    {
      "@id": "_:N6e725fd3aaf74be2ba0b6215abb16209",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:CWE-280",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-280",
      "rdfs:label": "Improper Handling of Insufficient Permissions or Privileges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:Semi-supervisedCluster-then-label",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSCTL",
      "d3f:definition": "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Cluster-then-label",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:CWE-553",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-553",
      "rdfs:label": "Command Shell in Externally Accessible Directory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:VPNServer",
      "@type": "owl:Class",
      "d3f:definition": "A VPN server is a type of server that enables hosting and delivery of VPN services.\n\nIt is a combination of VPN hardware and software technologies that provides VPN clients with connectivity to a secure and/or private network, or rather, the VPN.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.techopedia.com/definition/30750/vpn-server"
      },
      "rdfs:label": "VPN Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Virtual_private_network"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-7",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-7",
      "rdfs:label": "J2EE Misconfiguration: Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-756"
      }
    },
    {
      "@id": "d3f:CWE-1042",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1042",
      "rdfs:label": "Static Member Data Element outside of a Singleton Class Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:CWE-915",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-915",
      "rdfs:label": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-913"
      }
    },
    {
      "@id": "d3f:OSAPIConnectSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:ConnectSocket"
      },
      "rdfs:label": "OS API Connect Socket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:N5717229c566f4b808f6c31dd52caf3a4"
        }
      ]
    },
    {
      "@id": "_:N5717229c566f4b808f6c31dd52caf3a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConnectSocket"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190019058A1/"
      },
      "d3f:kb-abstract": "The present invention utilizes computer vision technologies to identify potentially malicious URLs and executable files in a computing device. In one embodiment, a Siamese convolutional neural network is trained to identify the relative similarity between image versions of two strings of text. After the training process, a list of strings that are likely to be utilized in malicious attacks are provided (e.g., legitimate URLs for popular websites). When a new string is received, it is converted to an image and then compared against the image of list of strings. The relative similarity is determined, and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious.",
      "d3f:kb-author": "Jonathan Woodbridge; Anjum Ahuja; Daniel Grant",
      "d3f:kb-mitre-analysis": "This patent describes a mechanism to detect homoglyph strings that involves training a Siamese convolutional neural network to compare images of strings. Strings of legitimate URLs for websites along with known suspicious stings are converted to images during the training process to create an index. New strings are converted to images and then compared to the index for similarity, if the string deviates beyond a threshold an alert is triggered.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "System and method for detecting homoglyph attacks with a siamese convolutional neural network",
      "rdfs:label": "Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Inc"
    },
    {
      "@id": "d3f:Reference-ApparatusForToProvideContentToAndQueryAReverseDomainNameSystemServer",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100174829A1/en?oq=20100174829"
      },
      "d3f:kb-abstract": "An apparatus is disclosed for to provide content to and query a reverse domain name system (DNS) server without depending on the kindness of domain name system registrars, registrants. DNS replies are observed by firewalls or filters, analyzed, and transmitted to a reverse domain name system server. An embodiment of the present invention can be within a DNS server or SMTP server.",
      "d3f:kb-author": "Dean Danko",
      "d3f:kb-mitre-analysis": "This patent includes the description of a method of blocking email traffic from untrusted domains by analyzing the TCP/IP source IP addresses and blocking traffic for IPs whose reverse lookup response FQDN matches a denylist.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ReverseResolutionDomainDenylisting"
      },
      "d3f:kb-reference-title": "Apparatus for to provide content to and query a reverse domain name system server",
      "rdfs:label": "Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networks"
    },
    {
      "@id": "d3f:T1087.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.002",
      "d3f:creates": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:Nef3b756f1b8a49e4b4b5d8652e1b1226"
        }
      ]
    },
    {
      "@id": "_:Nef3b756f1b8a49e4b4b5d8652e1b1226",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:T1027.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.002",
      "d3f:obfuscates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Software Packing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:N6c10e86c36ab46369c1de3bf8457be33"
        }
      ]
    },
    {
      "@id": "_:N6c10e86c36ab46369c1de3bf8457be33",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:obfuscates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1218.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.005",
      "d3f:interprets": {
        "@id": "d3f:MicrosoftHTMLApplication"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Mshta Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N7b54e1be0c564bafbcd27b4ee718b970"
        },
        {
          "@id": "_:Nf6758114f76b48cc959ab496464ead99"
        }
      ]
    },
    {
      "@id": "_:N7b54e1be0c564bafbcd27b4ee718b970",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MicrosoftHTMLApplication"
      }
    },
    {
      "@id": "_:Nf6758114f76b48cc959ab496464ead99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:BlockDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Partition"
        },
        {
          "@id": "d3f:PartitionTable"
        }
      ],
      "d3f:definition": "A block device (or block special file) provides buffered access to hardware devices, and provides some abstraction from their specifics.\n\nIEEE Std 1003.1-2017: A file that refers to a device. A block special file is normally distinguished from a character special file by providing access to the device in a manner such that the hardware characteristics of the device are not visible.",
      "d3f:may-contain": {
        "@id": "d3f:Volume"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Device_file#BLOCKDEV"
      },
      "rdfs:label": "Block Device",
      "rdfs:seeAlso": {
        "@id": "https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_79"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:Nf658cb359c6542529efb28360803ade9"
        },
        {
          "@id": "_:N9cceb99b989244eda8a54190e58b1b33"
        },
        {
          "@id": "_:N266463f5202b48b4b61fedcf9ed5788a"
        },
        {
          "@id": "_:N7c75d291bdcd463c9ab70fbc6a6ded61"
        }
      ],
      "skos:altLabel": "Block Special File"
    },
    {
      "@id": "_:Nf658cb359c6542529efb28360803ade9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:N9cceb99b989244eda8a54190e58b1b33",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "_:N266463f5202b48b4b61fedcf9ed5788a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "_:N7c75d291bdcd463c9ab70fbc6a6ded61",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-17_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:control-name": "Remote Access | Disable Nonsecure Network Protocols",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-17(8)"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:control-name": "Malicious Code Protection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-3"
    },
    {
      "@id": "d3f:enables",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enables y: A top level technique x enables a tactic y, that is, the property indicates that a technique x is used to put a particular tactic y into action. In other words, x renders y capable or able for some task.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513958-v"
      },
      "rdfs:label": "enables",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-002277_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MandatoryAccessControl"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002277"
    },
    {
      "@id": "d3f:PhysicalObject",
      "@type": "owl:Class",
      "rdfs:label": "Physical Object",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDThing"
        },
        {
          "@id": "_:Neb0905555e0c476b97f79662ea39e144"
        }
      ]
    },
    {
      "@id": "_:Neb0905555e0c476b97f79662ea39e144",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-location"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:Simulation",
      "@type": "owl:Class",
      "rdfs:label": "Simulation",
      "rdfs:subClassOf": {
        "@id": "d3f:Generation"
      }
    },
    {
      "@id": "d3f:ExceptionHandlerPointerValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-EHPV",
      "d3f:definition": "Validates that a referenced exception handler pointer is a valid exception handler.",
      "d3f:kb-article": "## How It Works\nWhen a process encounters an exception, it calls an exception handler to deal with the exception.  The method by which this exception handler is determined varies by the operating system.  The exception handler is called, even if it is the default exception handler to terminate the program and display a message that the program stopped working.  In the case that no valid exception handler is found, the program would fail to proceed as normal and could be programmed to terminate.\n\nIn Windows, the address of the exception registration record is stored at the very start of the the Thread Information Block; the GS register points to this structure.\n\nThe exception registration record contains two pointers: a pointer to the next exception registration record should this handler fail to handle the exception, and a pointer to the handler.\n\nA buffer overflow can overwrite the saved return pointer with an invalid location to execute memory; this often triggers the exception handler chain, which could also be corrupted by the buffer overflow.  Although Process Exception Handler Validation does not make sure that the exception handler pointer or the code at the exception handler was unaltered, or that the exception handler code is secure, this technique does ensure that the pointer is at least an exception handler that could be called by the program.\n\nWith Process Exception Handler Validation, before the handler is called, it checks the exception handler against a source of valid exception handlers.  
If the requested handler is not in this list, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.\n\n### Runtime valid exception handler source generation\nThe source of valid exception handlers could be generated at runtime, with the risk of the information that is used to determine the validity of exception handlers being compromised.\n\n### Compile-time\nThe source of valid exception handlers could also be generated at compile time or as a binary patch.  Given the source code, it would be rather straightforward to find the exceptions, as they are pointed in the catch statement of a try-catch clause and the compiler must already generate the code to call exceptions from this.\n\n## Considerations\nIf the program file can be altered by the attacker, then the security could be bypassed by replacing it with any desired program, without even bypassing SEH.\n\nIf the attacker was already able to overwrite the code for a valid exception handler via other functionality in the program, this defense would not prevent arbitrary code execution.\nIf an exception handler recognized as valid is vulnerable, it would be executed anyway.\n\nSafeSEH might be applied only to some executable files or modules, allowing an attacker to call any piece of code as an exception handler in the unprotected modules.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs"
      },
      "d3f:synonym": "Exception Handler Validation",
      "d3f:validates": {
        "@id": "d3f:Pointer"
      },
      "rdfs:label": "Exception Handler Pointer Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:Nd15fb62cb6944a86ba89f74e0a22ad1c"
        }
      ]
    },
    {
      "@id": "_:Nd15fb62cb6944a86ba89f74e0a22ad1c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9262600B2/en?oq=US9262600B2"
      },
      "d3f:kb-abstract": "System and method is disclosed for protecting client software running on a client computer from tampering using a secure server. Prior to or independent of executing the client software, the system integrates self-protection into the client software; removes functions from the client software for execution on the server; develops client software self-protection updates; and periodically distributes the updates. During execution of the client software, the system receives an initial request from the client computer for execution of the removed function; verifies the initial request; and cooperates with the client computer in execution of the client software if verification is successful. If verification is unsuccessful, the system can attempt to update the client software on the client computer; and require a new initial request. Client software can be updated on occurrence of a triggering event. Communications can be encrypted, and the encryption updated. Authenticating checksums can be used for verification.",
      "d3f:kb-author": "Kevin Dale Morgan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Tamper proof mutating software",
      "rdfs:label": "Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:CWE-1114",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1114",
      "rdfs:label": "Inappropriate Whitespace Style",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:T1543",
      "@type": "owl:Class",
      "d3f:attack-id": "T1543",
      "rdfs:label": "Create or Modify System Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-288",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-288",
      "rdfs:label": "Authentication Bypass Using an Alternate Path or Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-306"
      }
    },
    {
      "@id": "d3f:CWE-49",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-49",
      "rdfs:label": "Path Equivalence: 'filename/' (Trailing Slash)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:Dependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A dependency is the relationship of relying on or being controlled by someone or something else.  This class reifies dependencies that correspond to the object property depends-on.",
      "d3f:dependent": {
        "@id": "d3f:D3FENDThing"
      },
      "d3f:provider": {
        "@id": "d3f:D3FENDThing"
      },
      "rdfs:label": "Dependency",
      "rdfs:seeAlso": [
        "http://wordnet-rdf.princeton.edu/id/14024833-n",
        "https://www.cisa.gov/what-are-dependencies"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalArtifact"
        },
        {
          "@id": "_:N81adedb5b0964a378473640c333cb80d"
        },
        {
          "@id": "_:N41c1586e32004e8a8654e40f93af682c"
        }
      ]
    },
    {
      "@id": "_:N81adedb5b0964a378473640c333cb80d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:dependent"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "_:N41c1586e32004e8a8654e40f93af682c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:provider"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:AnalyticTechnique",
      "@type": "owl:Class",
      "d3f:definition": "A process in which a computer examines information using mathematical methods in order to find useful patterns.",
      "rdfs:isDefinedBy": "https://dictionary.cambridge.org/us/dictionary/english/analytics",
      "rdfs:label": "Analytic Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDThing"
      }
    },
    {
      "@id": "d3f:CWE-57",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-57",
      "rdfs:label": "Path Equivalence: 'fakedir/../realdir/filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-1253",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1253",
      "rdfs:label": "Incorrect Selection of Fuse Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:FileSection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file section is one of the portions of a file in which the file is regarded as divided and where together the file sections constitute the whole file.",
      "rdfs:label": "File Section",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05876035-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      },
      "skos:altLabel": "File Part"
    },
    {
      "@id": "d3f:LinuxRead",
      "@type": "owl:Class",
      "d3f:definition": "Read from a file descriptor.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/read.2.html",
      "rdfs:label": "Linux Read",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:CWE-54",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-54",
      "rdfs:label": "Path Equivalence: 'filedir\\' (Trailing Backslash)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:PointerDereferencingFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": [
        {
          "@id": "d3f:MemoryBlock"
        },
        {
          "@id": "d3f:Pointer"
        }
      ],
      "d3f:definition": "A function which has an operation which dereferences a pointer.",
      "rdfs:comment": "Note, this is not the actual code which performs the dereferencing operation internal to an application runtime.",
      "rdfs:label": "Pointer Dereferencing Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Ne128d1207a884509b7e10d4921b7f5a4"
        },
        {
          "@id": "_:Na1c820bfe8c140e384cb1e38b5e5aeab"
        }
      ]
    },
    {
      "@id": "_:Ne128d1207a884509b7e10d4921b7f5a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "_:Na1c820bfe8c140e384cb1e38b5e5aeab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:MultilayerPerceptronClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MPC",
      "d3f:definition": "A multilayer perceptron (MLP) is a fully connected class of feedforward artificial neural network (ANN).An MLP consists of at least three layers of nodes: an input layer, a hidden layer and an output layer.",
      "d3f:kb-article": "## References\nMultilayer perceptron. Wikipedia. [Link](https://en.wikipedia.org/wiki/Multilayer_perceptron).",
      "rdfs:label": "Multilayer Perceptron Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:ArtificialNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:IPPhone",
      "@type": "owl:Class",
      "d3f:definition": "A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet, instead of the traditional public switched telephone network (PSTN). Digital IP-based telephone service uses control protocols such as the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or various other proprietary protocols.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:VoIP_phone"
      },
      "rdfs:label": "IP Phone",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": "VoIP Phone"
    },
    {
      "@id": "d3f:AssociationRuleLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ARL",
      "d3f:definition": "Association rule learning is a rule-based machine learning method for discovering interesting relations between variables in large databases.",
      "d3f:kb-article": "## References\nAssociation rule learning. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Association_rule_learning)",
      "rdfs:label": "Association Rule Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:LinuxWritev",
      "@type": "owl:Class",
      "d3f:definition": "Write data into multiple buffers.",
      "rdfs:isDefinedBy": "https://man7.org/linux/man-pages/man2/writev.2.html",
      "rdfs:label": "Linux Writev",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:CWE-147",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-147",
      "rdfs:label": "Improper Neutralization of Input Terminators",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-156",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-156",
      "rdfs:label": "Improper Neutralization of Whitespace",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1176",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1176",
      "d3f:modifies": {
        "@id": "d3f:BrowserExtension"
      },
      "rdfs:label": "Browser Extensions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:Nea79bb985f7f4d81b6119d45690a28af"
        }
      ]
    },
    {
      "@id": "_:Nea79bb985f7f4d81b6119d45690a28af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BrowserExtension"
      }
    },
    {
      "@id": "d3f:SenderReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Email"
      },
      "d3f:d3fend-id": "D3-SRA",
      "d3f:definition": "Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).",
      "d3f:kb-article": "## How it works\n\nSender trust rating can be considered an indicator of the level of security risk and/or a trust level associated with a sender. The features considered in determining the trust rating include:\n\n* Length of time sender has sent emails to the enterprise\n* Number of recipients in the enterprise the sender interacts with\n* Sender vs. enterprise originated message ratio\n* Sender messages opened vs. not-opened ratio\n* Number of emails received from this sender\n* Number of emails replied to this sender\n* Number of emails from this sender not opened\n* Number of emails from this sender not opened that contain an attachment\n* Number of emails from this sender not opened that contain a URL\n* Number of emails sent to this sender\n* Number of email replies received from this sender.\n\nHigher values for the number of recipients the sender has interacted with or the number of emails received from the sender, for example, result in a higher trust rating. The trust rating can categorize the sender as unrated, neutral, trusted, suspicious, or malicious.\n\n## Considerations\nLegitimate emails from a sender may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc"
      },
      "rdfs:label": "Sender Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "_:N24ee6fe2d30b47ccba103adecf723856"
        }
      ]
    },
    {
      "@id": "_:N24ee6fe2d30b47ccba103adecf723856",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:fork",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "fork",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:CCI-002463_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides data origin artifacts for internal name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002463"
    },
    {
      "@id": "d3f:DocumentFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A document is a written, drawn, presented or recorded representation of thoughts. An electronic document file is usually used to describe a primarily textual file, along with its structure and design, such as fonts, colors and additional images.",
      "d3f:may-contain": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Document File",
      "rdfs:seeAlso": {
        "@id": "dbr:Document"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Nc55534c28ab44517bc73ddbc121b1234"
        }
      ]
    },
    {
      "@id": "_:Nc55534c28ab44517bc73ddbc121b1234",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:Density-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "Density-based clustering connects areas of high example density into clusters. This allows for arbitrary-shaped distributions as long as dense areas can be connected.",
      "d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
      "rdfs:label": "Density-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:Mode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MOD",
      "d3f:definition": "The most frequent value in the data set. This is the only central tendency measure that can be used with nominal data, which have purely qualitative category assignments.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Mode",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:T1588.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.004",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:OSAPIOpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:OpenFile"
      },
      "rdfs:label": "OS API Open File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFunction"
        },
        {
          "@id": "_:Ne6a47ee17325416d8715d2e986cb78f9"
        }
      ]
    },
    {
      "@id": "_:Ne6a47ee17325416d8715d2e986cb78f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OpenFile"
      }
    },
    {
      "@id": "d3f:instructs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x instructs y: A subject x delivers machine instructions to object y.",
      "rdfs:label": "instructs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:may-be-modified-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-modify"
      },
      "rdfs:label": "may-be-modified-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:DecisionTreeRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DTR",
      "d3f:definition": "Decision Tree Regression is a supervised learning method with the goal of creating a model that predicts the value of a target variable by learning simple decision rules inferred from the data features.",
      "d3f:kb-article": "## References\nscikit-learn. (n.d.). Decision Trees. [Link](https://scikit-learn.org/stable/modules/tree.html#tree)",
      "rdfs:label": "Decision Tree Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1552.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1552.001",
      "rdfs:label": "Credentials in Files",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N8ac17091ab2f43a7a74f1a6834e2d676"
        }
      ]
    },
    {
      "@id": "_:N8ac17091ab2f43a7a74f1a6834e2d676",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-375",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-375",
      "rdfs:label": "Returning a Mutable Object to an Untrusted Caller",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:M1020",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKMitigation"
      ],
      "d3f:d3fend-comment": "D3FEND models this as an infrastructure dependency to support D3-NTA.",
      "d3f:related": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SSL/TLS Inspection"
    },
    {
      "@id": "d3f:T1102",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1102",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Web Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nd5d50490abf84e6e9acb60487b14e804"
        }
      ]
    },
    {
      "@id": "_:Nd5d50490abf84e6e9acb60487b14e804",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:Reference-AllLoginsSinceLastBoot_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-07-001/"
      },
      "d3f:kb-abstract": "Once a credential dumper like mimikatz runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of lsass.exe. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.\n\nThe time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialCompromiseScopeAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-07-001: All Logins Since Last Boot",
      "rdfs:label": "Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE"
    },
    {
      "@id": "d3f:T1116",
      "@type": "owl:Class",
      "d3f:attack-id": "T1116",
      "rdfs:label": "Code Signing",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1546.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.013",
      "d3f:modifies": {
        "@id": "d3f:PowerShellProfileScript"
      },
      "rdfs:label": "PowerShell Profile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Naac59134bdfe42eb886664854cc9e464"
        }
      ]
    },
    {
      "@id": "_:Naac59134bdfe42eb886664854cc9e464",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PowerShellProfileScript"
      }
    },
    {
      "@id": "d3f:CWE-1288",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1288",
      "rdfs:label": "Improper Validation of Consistency within Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:GradientBoostedDecisionTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBDT",
      "d3f:definition": "A gradient-boosted decision tree is, as in other bagging and boosting methods, a method where the relatively 'weak' machine learning model (a decision tree) is used in an ensemble to form a 'strong' machine learning model.",
      "d3f:kb-article": "## Reference\n\n1. Google. (28 Sep 2023). Gradient Boosted Decision Trees.\n[Link](https://developers.google.com/machine-learning/decision-forests/intro-to-gbdt).",
      "rdfs:label": "Gradient-Boosted Decision Tree",
      "rdfs:subClassOf": {
        "@id": "d3f:CART"
      }
    },
    {
      "@id": "d3f:CCI-000044_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000044"
    },
    {
      "@id": "d3f:CWE-210",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-210",
      "rdfs:label": "Self-generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:ScriptExecutionAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ScriptApplicationProcess"
      },
      "d3f:d3fend-id": "D3-SEA",
      "d3f:definition": "Analyzing the execution of a script to detect unauthorized user activity.",
      "d3f:kb-article": "## How it works\nSoftware installed on the host system hooks into a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. Pattern matching is used to identify unauthorized commands or, in the case of script files, a hash of the file is compared against hashes of known unauthorized script files.\n\n## Considerations\nThe list of known unauthorized script files or regular expression patterns must be kept up to date to ensure detection of new threats.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
      },
      "rdfs:label": "Script Execution Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N329eb15d345841a185ed04162fe02701"
        }
      ]
    },
    {
      "@id": "_:N329eb15d345841a185ed04162fe02701",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScriptApplicationProcess"
      }
    },
    {
      "@id": "d3f:PeripheralFirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FirmwareVerification"
      ],
      "d3f:d3fend-id": "D3-PFV",
      "d3f:definition": "Cryptographically verifying peripheral firmware integrity.",
      "d3f:kb-article": "## How it works\nPeripheral firmware is collected and analyzed on a host either periodically or on demand. This information may be collected for future comparisons.\n\nChanges in firmware hash values may indicate that the firmware has been tampered with, that firmware images are not maintained at current baselined versions, or even that known vulnerable versions are deployed.\n\n## Considerations\n* Trust baselines will need to be generated for specific devices\n* Changes to trusted configurations will need to be managed across the enterprise",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-FirmwareVerificationTrapezoid"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:PeripheralFirmware"
      },
      "rdfs:label": "Peripheral Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "_:N1a34a2662c0d4d1a979d8aa3505ad197"
        }
      ]
    },
    {
      "@id": "_:N1a34a2662c0d4d1a979d8aa3505ad197",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PeripheralFirmware"
      }
    },
    {
      "@id": "d3f:NetworkCardFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a network card (network interface controller).",
      "rdfs:label": "Network Card Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:Network_interface_controller"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Network Controller Firmware"
    },
    {
      "@id": "d3f:CWE-309",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-309",
      "rdfs:label": "Use of Password System for Primary Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-654"
        }
      ]
    },
    {
      "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/WO2020028535A1"
      },
      "d3f:kb-abstract": "To analyze open-source code at a large scale, a security domain graph language (\"SGL\") has been created that functions as a vulnerability description language and facilitates program analysis queries. The SGL facilitates building and maintaining a graph database to catalogue vulnerabilities found in open-source components. This graphical database can be accessed via a database interface directly or accessed by an agent that interacts with the database interface. To build the graph database, a database interface processes an open-source component and creates graph structures which represent relationships present in the open-source component. The database interface transforms a vulnerability description into a canonical form based on a schema for the graph database and updates the database based on a determination of whether the vulnerability is a duplicate. This ensures quality and consistency of the vulnerability dataset maintained in the graph database.",
      "d3f:kb-author": "Darius Tsien Wei FOO, Ming Yi ANG, Asankhaya Sharma, Jie Shun YEO",
      "d3f:kb-organization": "Veracode, Inc.",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AssetVulnerabilityEnumeration"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        },
        {
          "@id": "d3f:SystemVulnerabilityAssessment"
        }
      ],
      "d3f:kb-reference-title": "Software vulnerability graph database",
      "rdfs:label": "Reference - Software vulnerability graph database"
    },
    {
      "@id": "d3f:T1546.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.011",
      "d3f:creates": {
        "@id": "d3f:Shim"
      },
      "d3f:modifies": {
        "@id": "d3f:ShimDatabase"
      },
      "rdfs:label": "Application Shimming",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nf0bf12655eb94ef5a55aa4060fde127e"
        },
        {
          "@id": "_:N8659331c18d44768af3fa48ce63236fe"
        }
      ]
    },
    {
      "@id": "_:Nf0bf12655eb94ef5a55aa4060fde127e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Shim"
      }
    },
    {
      "@id": "_:N8659331c18d44768af3fa48ce63236fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ShimDatabase"
      }
    },
    {
      "@id": "d3f:CWE-282",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-282",
      "rdfs:label": "Improper Ownership Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-001767_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001767"
    },
    {
      "@id": "d3f:CCI-000139_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000139"
    },
    {
      "@id": "d3f:CWE-424",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-424",
      "rdfs:label": "Improper Protection of Alternate Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-638"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    }
  ]
}